
Bug#597576: [Secure-testing-team] Bug#597576: linux-image-2.6.32-5-amd64: 2.6.32-23 still vulnerable to CVE-2010-3301



On Mon, Sep 20, 2010 at 06:51:16PM -0400, Jon wrote:
> 
> Package: linux-2.6
> Version: 2.6.32-23
> Justification: root security hole
> Severity: critical
> Tags: security
> 
> 
> The changelog says the CVE-2010-3301 was fixed in this update:
>   * x86-64, compat (CVE-2010-3301):
>     - Retruncate rax after ia32 syscall entry tracing
>     - Test %rax for the syscall number, not %eax
> 
> But a test of the exploit shows otherwise:
> 
> nuxi@nobel:~(0)$ ./robert_you_suck
> resolved symbol commit_creds to 0xffffffff8106914d
> resolved symbol prepare_kernel_cred to 0xffffffff81069050
> mapping at 3f80000000
> UID 1000, EUID:1000 GID:100, EGID:100
> $ 


How so? UID 1000 isn't root...


