
Re: CAN-2005-2555: 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability



On Sun, Aug 21, 2005 at 09:56:54AM -0500, Micah wrote:
> 
> Hey all,
> 
> CAN-2005-2555[1] reads:
> 
> Linux kernel 2.6.x does not properly restrict socket policy access to
> users with the CAP_NET_ADMIN capability, which could allow local users
> to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2)
> ipv6/ipv6_sockglue.c.
> 
> A flaw was discovered where xfrm_user_policy was not protected by
> CAP_NET_ADMIN. A local unprivileged user could use this flaw to bypass
> or create IPSEC policies.  This is not believed to allow privilege
> escalation, but could lead to a denial of service (since there is no
> upper bounds on creating policies).
> 
> This issue doesn't affect 2.4, unless there was a backport of this
> functionality.
> 
> There appear to be fixes[2],[3],[4] available.
> 
> 1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2555
> 2. http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
> 3. http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975
> 4. http://linux.bkbits.net:8080/linux-2.6/cset@42f783aesxFQlEEg0e9GPi4oeVDHbA
> 
> Micah

Hi Micah,

Thanks as always.

I have added [X] to SVN.
- In the linux-2.6 directory in trunk
  * This should appear in linux-2.6 2.6.12-6 in unstable.
- In the linux-2.6-devel (perhaps renamed linux-2.6-experimental by now)
  directory
- The sarge-security 2.6.8 branch
  * It should appear in kernel-source-2.6.8 2.6.8-16sarge2 in sarge-security
    (still working on how the security and kernel team can do this)
- The sarge 2.6.8 branch
- The sarge-security 2.4.27 branch
  * It should appear in kernel-source-2.4.27 2.4.27-10sarge2 in sarge-security
    (again, still working on how the security and kernel team can do this)
- The 2.4.27 directory in trunk
  * This should appear as kernel-source-2.4.27 2.6.12-12 in unstable

Man, that's too many branches to be adding stuff to.
Need to do something about that.

[X] http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2;hp=534afb90a9cd0b9643f62d660c164e1d924f39cf

-- 
Horms


