El Viernes pasado se anunciaron, en la lista de seguridad de debian, actualizaciones para el kernel, que solucionaba varias vulnerabilidades.


    Chris Evans discovered a situation in which a child process can
    send an arbitrary signal to its parent.


    Roland McGrath discovered an issue on amd64 kernels that allows
    local users to circumvent system call audit configurations which
    filter based on the syscall numbers or argument details.


    Roland McGrath discovered an issue on amd64 kernels with
    CONFIG_SECCOMP enabled. By making a specially crafted syscall,
    local users can bypass access restrictions.


    Jiri Olsa discovered that a local user can cause a denial of
    service (system hang) using a SHM_INFO shmctl call on kernels
    compiled with CONFIG_SHMEM disabled. This issue does not affect
    prebuilt Debian kernels.


    Mikulas Patocka reported an issue in the console subsystem that
    allows a local user to cause memory corruption by selecting a
    small number of 3-byte UTF-8 characters.


    Igor Zhbanov reported that nfsd was not properly dropping
    CAP_MKNOD, allowing users to create device nodes on file systems
    exported with root_squash.


    Dan Carpenter reported a coding issue in the selinux subsystem
    that allows local users to bypass certain networking checks when
    running with compat_net=1.


    Shaohua Li reported an issue in the AGP subsystem they may allow
    local users to read sensitive kernel memory due to a leak of
    uninitialized memory.


    Benjamin Gilbert reported a local denial of service vulnerability
    in the KVM VMX implementation that allows local users to trigger
    an oops.


    Thomas Pollet reported an overflow in the af_rose implementation
    that allows remote attackers to retrieve uninitialized kernel
    memory that may contain sensitive data.


    Oleg Nesterov discovered an issue in the exit_notify function that
    allows local users to send an arbitrary signal to a process by
    running a program that modifies the exit_signal field and then
    uses an exec system call to launch a setuid application.


    Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to
    reach processes outside of the current process namespace.


    Pavan Naregundi reported an issue in the CIFS filesystem code that
    allows remote users to overwrite memory via a long
    nativeFileSystem field in a Tree Connect response during mount.

Se publicaron dos exploits para explotar vulnerabildades de escalacion de provilegios local. Estos exploits se aprovechan de la funcion ptrace_attach() para ejecutar un codigo arbitrario que nos permita ejecutar una shell del tipo /bin/sh como root.
El primer exploit es el shoryuken, lo probé en distintas versiones del kernel de debian y archlinux, pudiendo ser explotada solo la version 2.6.26-1-686 de Debian 5.0, de forma aleatoria, es decir, hay veces que ejecuto el exploit y funciona y otras veces no. El segundo script fue probado por su autor en la version del kernel 2.6.29rc1 de Gentoo.
Estos exploits funcionan bajo situaciones especificas y no todos los sistemas son vulnerables.