[kernel] r9405 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Wed Aug 29 07:12:14 UTC 2007


Author: dannf
Date: Wed Aug 29 07:12:14 2007
New Revision: 9405

Log:
* [SECURITY] Fix potential privilege escalation caused by improper
  clearing of the child process' pdeath signal.
  See CVE-2007-3848

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Wed Aug 29 07:12:14 2007
@@ -13,8 +13,11 @@
   * aacraid-ioctl-perm-check.dpatch
     [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
     See CVE-2007-4308
+  * [SECURITY] Fix potential privilege escalation caused by improper
+    clearing of the child process' pdeath signal.
+    See CVE-2007-3848
 
- -- dann frazier <dannf at debian.org>  Mon, 27 Aug 2007 23:56:14 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 29 Aug 2007 01:10:46 -0600
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 
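Review bot: The new changelog item (the three added lines after the aacraid entry) does not name the patch file it introduces, while the preceding item leads with `* aacraid-ioctl-perm-check.dpatch` and puts the [SECURITY] description beneath it. Suggest opening the item with `* reset-pdeathsig-on-suid.dpatch` and indenting the description under it, so the changelog can be matched against the series file.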

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch	Wed Aug 29 07:12:14 2007
@@ -0,0 +1,49 @@
+From: Marcel Holtmann <marcel at holtmann.org>
+Date: Fri, 17 Aug 2007 19:47:58 +0000 (+0200)
+Subject: Reset current->pdeath_signal on SUID binary execution
+X-Git-Tag: v2.6.23-rc4~134
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+
+Reset current->pdeath_signal on SUID binary execution
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/fs/exec.c kernel-source-2.6.8/fs/exec.c
+--- kernel-source-2.6.8.orig/fs/exec.c	2006-12-05 02:21:56.000000000 -0700
++++ kernel-source-2.6.8/fs/exec.c	2007-08-29 01:04:35.912755102 -0600
+@@ -848,10 +848,13 @@ int flush_old_exec(struct linux_binprm *
+ 
+ 	flush_thread();
+ 
+-	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
+-	    permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
+-	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP))
++	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+ 		current->mm->dumpable = 0;
++		current->pdeath_signal = 0;
++	} else if (permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
++			(bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++		current->mm->dumpable = 0;
++	}
+ 
+ 	/* An exec changes our domain. We are no longer part of the thread
+ 	   group */
+@@ -945,6 +948,8 @@ static inline int unsafe_exec(struct tas
+ void compute_creds(struct linux_binprm *bprm)
+ {
+ 	int unsafe;
++	if (bprm->e_uid != current->uid)
++		current->pdeath_signal = 0;
+ 	task_lock(current);
+ 	unsafe = unsafe_exec(current);
+ 	security_bprm_apply_creds(bprm, unsafe);
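Review bot: In the compute_creds() part of the backport, the added check `if (bprm->e_uid != current->uid)` tests only the user ID and compares against the real uid, whereas the flush_old_exec() part resets pdeath_signal on `bprm->e_uid != current->euid || bprm->e_gid != current->egid`. Please either add the matching group-ID comparison here or add a comment saying why a set-group-ID exec needs no reset at this point and why the two sites compare against different credentials. The store to current->pdeath_signal is also placed ahead of `task_lock(current)`; if that is intentional, a one-line comment would help. Finally, the "Backported to Debian's 2.6.8" line does not say what was adapted from the upstream commit, which makes the backport harder to audit.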

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Wed Aug 29 07:12:14 2007
@@ -3,3 +3,4 @@
 + dn_fib-out-of-bounds.dpatch
 + ipv4-fib_props-out-of-bounds.dpatch
 + aacraid-ioctl-perm-check.dpatch
++ reset-pdeathsig-on-suid.dpatch 
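Review bot: The added series line `+ reset-pdeathsig-on-suid.dpatch ` ends with a trailing space after the file name, unlike the three entries above it. Suggest dropping it so anything that reads the series file sees the exact patch name.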


