Bug#308757: marked as done (CAN-2005-1263: Linux kernel ELF core dump privilege elevation)
Your message dated Thu, 19 May 2005 06:47:46 -0400
with message-id <E1DYiZ8-0006pn-00@newraff.debian.org>
and subject line Bug#308757: fixed in kernel-source-2.4.27 2.4.27-10
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 12 May 2005 07:13:51 +0000
>From muehlenhoff@univention.de Thu May 12 00:13:51 2005
Return-path: <muehlenhoff@univention.de>
Received: from moutng.kundenserver.de [212.227.126.171]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DW7tG-00038Y-00; Thu, 12 May 2005 00:13:51 -0700
Received: from bitz8.bitz.briteline.de [195.90.9.8] (helo=anton)
by mrelayeu.kundenserver.de with ESMTP (Nemesis),
id 0MKwh2-1DW7tF2ND5-0005RO; Thu, 12 May 2005 09:13:49 +0200
Received: by anton (Postfix, from userid 2028)
id 18A8AB72BC; Thu, 12 May 2005 09:13:49 +0200 (CEST)
Content-Type: multipart/mixed; boundary="===============0278309518=="
MIME-Version: 1.0
From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-1263: Linux kernel ELF core dump privilege elevation
X-Mailer: reportbug 2.26.1.1.200308291454
Date: Thu, 12 May 2005 09:13:48 +0200
Message-Id: <[🔎] 20050512071349.18A8AB72BC@anton>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:4ad79d65ac46f2345c6ef2e856c1d9ef
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
This is a multi-part MIME message sent by reportbug.
--===============0278309518==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Package: kernel-source-2.4.27
Version: unavailable; reported 2005-05-12
Severity: grave
Tags: security patch
Paul Starzetz has found another flaw in the Linux kernel that can be exploited
to gain extended local privileges. Please see his detailed advisory at
http://isec.pl/vulnerabilities/isec-0023-coredump.txt
Greg Kroah-Hartman has posted a patch for 2.6, which should apply to 2.4 as
well. It's attached.
Cheers,
Moritz
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
--===============0278309518==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="/home/jmm/CAN-2005-1263-kernel-local-privilege-escalation.patch"
Subject: possibly fix Linux kernel ELF core dump privilege elevation
As noted by Paul Starzetz
references CAN-something-I-need-to-go-look-up...
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/binfmt_elf.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- gregkh-2.6.orig/fs/binfmt_elf.c 2005-05-11 00:03:45.000000000 -0700
+++ gregkh-2.6/fs/binfmt_elf.c 2005-05-11 00:09:17.000000000 -0700
@@ -251,1 +251,1 @@
}
/* Populate argv and envp */
- p = current->mm->arg_start;
+ p = current->mm->arg_end = current->mm->arg_start;
while (argc-- > 0) {
size_t len;
__put_user((elf_addr_t)p, argv++);
@@ -1301,4 +1301,4 @@
static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
struct mm_struct *mm)
{
- int i, len;
+ unsigned int i, len;
/* first copy the parameters from user space */
memset(psinfo, 0, sizeof(struct elf_prpsinfo));
--===============0278309518==--
---------------------------------------
Received: (at 308757-close) by bugs.debian.org; 19 May 2005 10:50:32 +0000
>From katie@ftp-master.debian.org Thu May 19 03:50:32 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DYibo-0006uV-00; Thu, 19 May 2005 03:50:32 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DYiZ8-0006pn-00; Thu, 19 May 2005 06:47:46 -0400
From: Simon Horman <horms@debian.org>
To: 308757-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#308757: fixed in kernel-source-2.4.27 2.4.27-10
Message-Id: <E1DYiZ8-0006pn-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 19 May 2005 06:47:46 -0400
Delivered-To: 308757-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 3
Source: kernel-source-2.4.27
Source-Version: 2.4.27-10
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.4.27, which is due to be installed in the Debian FTP archive:
kernel-doc-2.4.27_2.4.27-10_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-doc-2.4.27_2.4.27-10_all.deb
kernel-patch-debian-2.4.27_2.4.27-10_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-patch-debian-2.4.27_2.4.27-10_all.deb
kernel-source-2.4.27_2.4.27-10.diff.gz
to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10.diff.gz
kernel-source-2.4.27_2.4.27-10.dsc
to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10.dsc
kernel-source-2.4.27_2.4.27-10_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10_all.deb
kernel-tree-2.4.27_2.4.27-10_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-tree-2.4.27_2.4.27-10_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 308757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.4.27 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 16 May 2005 14:48:47 +0900
Source: kernel-source-2.4.27
Binary: kernel-tree-2.4.27 kernel-source-2.4.27 kernel-patch-debian-2.4.27 kernel-doc-2.4.27
Architecture: source all
Version: 2.4.27-10
Distribution: unstable
Urgency: low
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
kernel-doc-2.4.27 - Linux kernel specific documentation for version 2.4.27
kernel-patch-debian-2.4.27 - Debian patches to Linux 2.4.27
kernel-source-2.4.27 - Linux kernel source for version 2.4.27 with Debian patches
kernel-tree-2.4.27 - Linux kernel source tree for building Debian kernel images
Closes: 302704 302705 302864 305655 308757
Changes:
kernel-source-2.4.27 (2.4.27-10) unstable; urgency=low
.
* 155_net-bluetooth-signdness-fix.diff:
[Security] Fix signedness problem at socket creation in bluetooth
which can lead to local root exploit. See CAN-2005-0750
(Simon Horman) (closes: Bug#302704)
.
* 156_fs-ext2-info-leak.diff:
[Security] Fix information leak in ext2 which leads to
a local information leak. See CAN-2005-0400
(Simon Horman)
.
* 157_fs-isofs-range-check-1.diff, 157_fs-isofs-range-check-2.diff,
157_fs-isofs-range-check-3.diff:
[Security] Fix range checking in isofs which leads to a local crash
and arbitary code execution. See CAN-2005-0815
(Simon Horman) (closes: #302864)
.
* 158_fs-binfmt_elf-dos.diff:
Potential DOS in load_elf_library. See CAN-2005-0749
(Simon Horman) (closes: #302705)
.
* 159_fs-cramfs-stat.diff
Fix to stat output for cramfs
(Simon Horman)
.
* 160_drivers-net-sis900-oops.diff
sis900 kernel oops fix
(Simon Horman)
.
* 161_drivers-net-amd8111e-irq.diff
AMD8111e driver was releasing an irq in some error situations
(Simon Horman)
.
* 162_drivers-net-via-rhine-irq.diff
VIA Rhine driver was releasing an irq in some error situations
(Simon Horman)
.
* 165_VM_IO.diff added, 140_VM_IO.diff removed:
[CAN-2004-1057] Updated fix for DoS from accessing freed kernel pages.
The previous fix seems to have cuased some problems and this
is the one that is upstream.
(Simon Horman, Dann Frazier)
.
* 164_net-ipv4-icmp-quench.diff:
[CAN-2004-0790] Just silently ignore ICMP Source Quench messages.
(Simon Horman) (closes: #305655)
.
* 165_arch-ia64-kernel-missing-sysctl.diff:
[CAN-2005-0137] Add missing sysctl slot for ia64 resolving
local DoS. (Simon Horman)
.
* fs-binfmt_elf-dump-privelage.diff:
Linux kernel ELF core dump privilege elevation
See CAN-2005-1263. (closes: #308757). (Simon Horman)
Files:
59d9aeb90e71e4b6369a6b4986da690b 888 devel optional kernel-source-2.4.27_2.4.27-10.dsc
0ccc5c9df0130e5da099cd1a7c8a7f64 688010 devel optional kernel-source-2.4.27_2.4.27-10.diff.gz
157b883cbfb91812912c16728eb61fa0 633228 devel optional kernel-patch-debian-2.4.27_2.4.27-10_all.deb
9478d7f77b06c30454ef7864d9487fd4 3576196 doc optional kernel-doc-2.4.27_2.4.27-10_all.deb
3ae3d29a6b8a3de23a860627f3b440c3 31022934 devel optional kernel-source-2.4.27_2.4.27-10_all.deb
15394d1f0d96b07955178f05296929e0 23348 devel optional kernel-tree-2.4.27_2.4.27-10_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCjGuZdu+M6Iexz7URAnSkAJ9SWaRWL1fYfJzpqtV+TXQ3LhkidgCgynIE
FHrCSlUvvU/NhZxzmELwM+0=
=kbKC
-----END PGP SIGNATURE-----
Reply to: