Not sure we got this one fixed. Filing restricted for now (private mail). Al Viro discovered an exploitable hole in sysctl unregistration affecting 2.4 and 2.6 kernels. "You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then wait for interface to go away, try to grab as much memory as possible in hope to hit the (kfreed) ctl_table. Then fill it with pointers to your function. Then do read from file you've opened and if you are lucky, you'll get it called as ->proc_handler() in kernel mode." So this is at least an Oops and possibly more. It does depend on an interface going away though, so less of a security risk than it would otherwise be.
in Ubuntu's USN-219-1 : Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709)
Adding maintiners: mips-sources-2.4.13: Kumba rsbac-sources: kang sh-sources: sh-herd
All fixed, closing bug.
