Bug#308634: kernel-source-2.6.8: A locally exploitable flaw to gain root.
merge 308724 308634
thanks
On Wed, May 11, 2005 at 07:40:15PM +0300, Samuli Suominen wrote:
> Package: kernel-source-2.6.8
> Severity: grave
> Justification: user security hole
>
>
> A locally exploitable flaw has been found in the Linux ELF binary format
> loader's core dump function that allows local users to gain root
> privileges and also execute arbitrary code at kernel privilege level.
>
> Version: 2.2 up to and including 2.2.27-rc2, 2.4 up to and including
> 2.4.31-pre1, 2.6 up to and including 2.6.12-rc4
>
> Exploit, and further information: http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
>
> -- System Information:
> Debian Release: 3.1
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: i386 (i686)
> Kernel: Linux 2.6.12-rc4-optimized
> Locale: LANG=fi_FI@euro, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)
On Wed, May 11, 2005 at 03:08:38PM -0400, Andres Salomon wrote:
> On Wed, 11 May 2005 19:40:15 +0300, Samuli Suominen wrote:
>
> > Package: kernel-source-2.6.8
> > Severity: grave
> > Justification: user security hole
> >
> >
> > A locally exploitable flaw has been found in the Linux ELF binary format
> > loader's core dump function that allows local users to gain root
> > privileges and also execute arbitrary code at kernel privilege level.
> >
> > Version: 2.2 up to and including 2.2.27-rc2, 2.4 up to and including
> > 2.4.31-pre1, 2.6 up to and including 2.6.12-rc4
> >
> > Exploit, and further information: http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
> >
>
> Rumor has it, this is CAN-2005-1263.
> I'll commit the patch
> (http://mouth.voxel.net/~dilinger/core_dump_vul.patch) to svn once I'm
> someplace that I can actually log in..
On Wed, May 11, 2005 at 08:59:18PM -0400, Justin Pryzby wrote:
> Package: kernel-source-2.6.8
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.9
>
> The relevant changes for this CAN appear to be solely in
> ./fs/binfmt_elf.c.
>
> There is also a memset in ./drivers/char/drm/drm_ioctl.c which should
> probably be added, among lots of other should-be-fixed things.
I am going to work on getting this fix into 2.6.8 and 2.4.27.
--
Horms