
Bug#308634: kernel-source-2.6.8: A locally exploitable flaw to gain root.



merge 308724 308634
thanks

On Wed, May 11, 2005 at 07:40:15PM +0300, Samuli Suominen wrote:
> Package: kernel-source-2.6.8
> Severity: grave
> Justification: user security hole
> 
> 
> A locally exploitable flaw has been found in the Linux ELF binary format
> loader's core dump  function  that  allows  local  users  to  gain  root
> privileges and also execute arbitrary code at kernel privilege level.
> 
> Version:   2.2 up to and including 2.2.27-rc2, 2.4 up to and including
>            2.4.31-pre1, 2.6 up to and including 2.6.12-rc4
> 
> Exploit, and further information: http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
> 
> -- System Information:
> Debian Release: 3.1
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: i386 (i686)
> Kernel: Linux 2.6.12-rc4-optimized
> Locale: LANG=fi_FI@euro, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

On Wed, May 11, 2005 at 03:08:38PM -0400, Andres Salomon wrote:
> On Wed, 11 May 2005 19:40:15 +0300, Samuli Suominen wrote:
> 
> > Package: kernel-source-2.6.8
> > Severity: grave
> > Justification: user security hole
> > 
> > 
> > A locally exploitable flaw has been found in the Linux ELF binary format
> > loader's core dump  function  that  allows  local  users  to  gain  root
> > privileges and also execute arbitrary code at kernel privilege level.
> > 
> > Version:   2.2 up to and including 2.2.27-rc2, 2.4 up to and including
> >            2.4.31-pre1, 2.6 up to and including 2.6.12-rc4
> > 
> > Exploit, and further information: http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
> > 
> 
> Rumor has it, this is CAN-2005-1263.
> I'll commit the patch
> (http://mouth.voxel.net/~dilinger/core_dump_vul.patch) to svn once I'm
> someplace that I can actually log in..

On Wed, May 11, 2005 at 08:59:18PM -0400, Justin Pryzby wrote:
> Package: kernel-source-2.6.8
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.9
> 
> The relevant changes for this CAN appear to be solely in
> ./fs/binfmt_elf.c.
> 
> There is also a memset in ./drivers/char/drm/drm_ioctl.c which should
> probably be added, among lots of other should-be-fixed things.


I am going to work on getting this fix into 2.6.8 and 2.4.27.

-- 
Horms
