[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#289155: marked as done (CAN-2004-1235: uselib() privilege escalation)

Your message dated Sat, 08 Jan 2005 06:48:41 -0500
with message-id <E1CnF5F-0007km-00@newraff.debian.org>
and subject line Bug#289155: fixed in kernel-source-2.6.9 2.6.9-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Jan 2005 14:41:07 +0000
>From jmm@inutil.org Fri Jan 07 06:41:07 2005
Return-path: <jmm@inutil.org>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CmvIZ-0007RW-00; Fri, 07 Jan 2005 06:41:07 -0800
Received: from wlan-client-025.informatik.uni-bremen.de ([134.102.116.26] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with asmtp (TLS-1.0:RSA_ARCFOUR_SHA:16)
	(Exim 4.34)
	id 1CmvIX-0007Sb-Lt
	for submit@bugs.debian.org; Fri, 07 Jan 2005 15:41:05 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.34)
	id 1CmvIU-0001lw-3s; Fri, 07 Jan 2005 15:41:02 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2004-1235: uselib() privilege escalation
X-Mailer: reportbug 3.5
Date: Fri, 07 Jan 2005 15:41:01 +0100
Message-Id: <[🔎] E1CmvIU-0001lw-3s@localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.116.26
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	RCVD_IN_DSBL autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: kernel-source-2.6.8
Version: 2.6.8
Severity: grave
Tags: security
Justification: user security hole

Paul Starzetz from iSec Security Research has discovered a local root exploit in
the Linux kernel:
> Locally exploitable  flaws have  been  found in  the  Linux
> binary format loaders' uselib() functions that allow  local
> users to gain root privileges.

The full advisory text: http://isec.pl/vulnerabilities/isec-0021-uselib.txt

I haven't found a patch for 2.6 yet, a patch for 2.4 is available in
the 2.4 Bitkeeper branch.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-386
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-2    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities

---------------------------------------
Received: (at 289155-close) by bugs.debian.org; 8 Jan 2005 11:52:00 +0000
>From katie@ftp-master.debian.org Sat Jan 08 03:52:00 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CnF8R-0007j9-00; Sat, 08 Jan 2005 03:51:59 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CnF5F-0007km-00; Sat, 08 Jan 2005 06:48:41 -0500
From: Andres Salomon <dilinger@voxel.net>
To: 289155-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#289155: fixed in kernel-source-2.6.9 2.6.9-5
Message-Id: <E1CnF5F-0007km-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 08 Jan 2005 06:48:41 -0500
Delivered-To: 289155-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: kernel-source-2.6.9
Source-Version: 2.6.9-5

We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.9, which is due to be installed in the Debian FTP archive:

kernel-doc-2.6.9_2.6.9-5_all.deb
  to pool/main/k/kernel-source-2.6.9/kernel-doc-2.6.9_2.6.9-5_all.deb
kernel-patch-debian-2.6.9_2.6.9-5_all.deb
  to pool/main/k/kernel-source-2.6.9/kernel-patch-debian-2.6.9_2.6.9-5_all.deb
kernel-source-2.6.9_2.6.9-5.diff.gz
  to pool/main/k/kernel-source-2.6.9/kernel-source-2.6.9_2.6.9-5.diff.gz
kernel-source-2.6.9_2.6.9-5.dsc
  to pool/main/k/kernel-source-2.6.9/kernel-source-2.6.9_2.6.9-5.dsc
kernel-source-2.6.9_2.6.9-5_all.deb
  to pool/main/k/kernel-source-2.6.9/kernel-source-2.6.9_2.6.9-5_all.deb
kernel-tree-2.6.9_2.6.9-5_all.deb
  to pool/main/k/kernel-source-2.6.9/kernel-tree-2.6.9_2.6.9-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilinger@voxel.net> (supplier of updated kernel-source-2.6.9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 08 Jan 2005 05:17:38 -0500
Source: kernel-source-2.6.9
Binary: kernel-source-2.6.9 kernel-tree-2.6.9 kernel-patch-debian-2.6.9 kernel-doc-2.6.9
Architecture: source all
Version: 2.6.9-5
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Andres Salomon <dilinger@voxel.net>
Description: 
 kernel-doc-2.6.9 - Linux kernel specific documentation for version 2.6.9
 kernel-patch-debian-2.6.9 - Debian patches to Linux 2.6.9
 kernel-source-2.6.9 - Linux kernel source for version 2.6.9 with Debian patches
 kernel-tree-2.6.9 - Linux kernel tree for building prepackaged Debian kernel images
Closes: 289155
Changes: 
 kernel-source-2.6.9 (2.6.9-5) unstable; urgency=low
 .
   * [powerpc] Added a couple of powermac patches from Benjamin Herrenschmidt :
     - 970FX cpu support
     - G5 thermal management update
     - Misc powermac fixes backports
     (Bug #287030) (Sven Luther)
 .
   * [powerpc] Moved from powerpc kernel-patch package :
     - powermac legacy serial fix.
     - pegasos via-ide dual interrupt fix.
     (Sven Luther)
 .
   * [powerpc] Added _chrp_type support though pegasos patch (Sven Luther)
 .
   * [powerpc - prep] Fix bad irq assignement for pci devices on motorola
     powerstack boxes. (Sven Luther)
 .
   * add dh_fixperms to the build targets to kernel-patch-debian-2.6.9
     to ensure that the permissions of the files in this package are
      sensible. (See: Bug#288279) (Simon Horman)
 .
   * [SECURITY] Fix vulnerability in the ELF loader code allowing
     local attacker to execute code as root; CAN-2004-1235.
     (Maximilian Attems)
 .
   * [SECURITY] 028-do_brk_security_fixes.dpatch
     Drop Marcelo's fix, use Linus' instead.
     Fix local root vulnerability for various do_brk() calls;
     ensure an exclusive lock on memory while modifying it; CAN-2004-1235
     (Andres Salomon) (closes: #289155).
 .
   * [SECURITY] 029-random_poolsize_overflow.dpatch
     drivers/char/random allows you to set the poolsize; its sanity checking
     on that input isn's very good.  We fix that here.
     See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
     more details.  This fixes #3 on that list (Andres Salomon).
 .
   * [SECURITY] 030-moxa_user_copy_checking.dpatch
     The moxa driver does some ugly things w/ signed integers.  This fixes
     #4 on Brad Spengler's advisory (Andres Salomon).
 .
   * [SECURITY] 031-sg_scsi_ioctl_int_overflows.dpatch
     SG ioctl stuff doesn't actually check whether the scsi command length
     is positive.  #5 on the above advisory (Andres Salomon).
Files: 
 5143700ba9c43b8c3f137eff90659dd9 986 devel optional kernel-source-2.6.9_2.6.9-5.dsc
 718399080f19d22578302a078883b980 317572 devel optional kernel-source-2.6.9_2.6.9-5.diff.gz
 b06bce5ba5ddd62d470d758a9023c67d 327064 devel optional kernel-patch-debian-2.6.9_2.6.9-5_all.deb
 f2735892451a11ae4ed6a3fec837f9be 35613904 devel optional kernel-source-2.6.9_2.6.9-5_all.deb
 ff2d299a540dd3de0d3bbb40c679c178 25484 devel optional kernel-tree-2.6.9_2.6.9-5_all.deb
 bb9be2748ccb0c06ed224025ee3d3034 6316328 doc optional kernel-doc-2.6.9_2.6.9-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB372i78o9R9NraMQRAlcJAKCE19tYMVXWj9hbkwWAQmVNUJB7LgCffYfq
AcNBruAzs6HI4ui+RNNIFjs=
=DMqK
-----END PGP SIGNATURE-----
Reply to: