[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Florian.Weimer@RUS.UNI-STUTTGART.DE: Re: Linux kernel sysctl() vulnerability]



On Sat, Feb 10, 2001 at 04:55:02PM -0600, An Thi-Nguyen Le wrote:
> I don't think we have a security advisory out for this particular 
> kernel bug; is anyone working/going to be working on this?

this isn't the only one either, there is also something that can allow
users to ptrace suid executables and thus alter what they do (root hole),
and i think a DoS.  see bugtraq archives for the last couple days.  

i hope that Alan Cox either releases 2.2.19 soon or an errata patch to
2.2.18 to fix these, i like many do not use distribution kernels.  

> 
> -- 
> An Thi-Nguyen Le
> |QOTD:
> |	"I used to go to UCLA, but then my Dad got a job."

> From: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Delivered-To: viper@srh1171.urh.uiuc.edu
> Delivered-To: anle@pinatubo.cs.uiuc.edu
> Delivered-To: bugtraq@lists.securityfocus.com
> Delivered-To: BUGTRAQ@securityfocus.com
> Subject:      Re: Linux kernel sysctl() vulnerability
> Date:         Sat, 10 Feb 2001 10:28:01 +0100
> Approved-By: beng@SECURITYFOCUS.COM
> User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
> Reply-To: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
> X-To:         Chris Evans <chris@SCARY.BEASTS.ORG>
> 
> Chris Evans <chris@SCARY.BEASTS.ORG> writes:
> 
> > There exists a Linux system call sysctl() which is used to query and
> > modify runtime system settings. Unprivileged users are permitted to query
> > the value of many of these settings.
> 
> It appears that all current Linux kernel version (2.2.x and 2.4.x) are
> vulnerable.  Right?
> 
> Was it really necessary to release this stuff just before the weekend?
> 
> The following trivial patch should fix this issue. (I wonder how you
> can audit code for such vulnerabilities.  It's probably much easier to
> rewrite it in Ada. ;-)
> 
> --- sysctl.c    2001/02/10 09:42:12     1.1
> +++ sysctl.c    2001/02/10 09:42:26
> @@ -1123,7 +1123,7 @@
>                   void *oldval, size_t *oldlenp,
>                   void *newval, size_t newlen, void **context)
>  {
> -       int l, len;
> +       unsigned l, len;
> 
>         if (!table->data || !table->maxlen)
>                 return -ENOTDIR;
> 
> --
> Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart           http://cert.uni-stuttgart.de/
> RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898


-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgppxAWWt6XMd.pgp
Description: PGP signature


Reply to: