[kernel] r9405 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Aug 29 07:12:14 UTC 2007
Author: dannf
Date: Wed Aug 29 07:12:14 2007
New Revision: 9405
Log:
* [SECURITY] Fix potential privilege escalation caused by improper
clearing of the child process' pdeath signal.
See CVE-2007-3848
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Aug 29 07:12:14 2007
@@ -13,8 +13,11 @@
* aacraid-ioctl-perm-check.dpatch
[SECURITY] Require admin capabilities to issue ioctls to aacraid devices
See CVE-2007-4308
+ * [SECURITY] Fix potential privilege escalation caused by improper
+ clearing of the child process' pdeath signal.
+ See CVE-2007-3848
- -- dann frazier <dannf at debian.org> Mon, 27 Aug 2007 23:56:14 -0600
+ -- dann frazier <dannf at debian.org> Wed, 29 Aug 2007 01:10:46 -0600
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch Wed Aug 29 07:12:14 2007
@@ -0,0 +1,49 @@
+From: Marcel Holtmann <marcel at holtmann.org>
+Date: Fri, 17 Aug 2007 19:47:58 +0000 (+0200)
+Subject: Reset current->pdeath_signal on SUID binary execution
+X-Git-Tag: v2.6.23-rc4~134
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+
+Reset current->pdeath_signal on SUID binary execution
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/fs/exec.c kernel-source-2.6.8/fs/exec.c
+--- kernel-source-2.6.8.orig/fs/exec.c 2006-12-05 02:21:56.000000000 -0700
++++ kernel-source-2.6.8/fs/exec.c 2007-08-29 01:04:35.912755102 -0600
+@@ -848,10 +848,13 @@ int flush_old_exec(struct linux_binprm *
+
+ flush_thread();
+
+- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+- permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
+- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP))
++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+ current->mm->dumpable = 0;
++ current->pdeath_signal = 0;
++ } else if (permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
++ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++ current->mm->dumpable = 0;
++ }
+
+ /* An exec changes our domain. We are no longer part of the thread
+ group */
+@@ -945,6 +948,8 @@ static inline int unsafe_exec(struct tas
+ void compute_creds(struct linux_binprm *bprm)
+ {
+ int unsafe;
++ if (bprm->e_uid != current->uid)
++ current->pdeath_signal = 0;
+ task_lock(current);
+ unsafe = unsafe_exec(current);
+ security_bprm_apply_creds(bprm, unsafe);
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Wed Aug 29 07:12:14 2007
@@ -3,3 +3,4 @@
+ dn_fib-out-of-bounds.dpatch
+ ipv4-fib_props-out-of-bounds.dpatch
+ aacraid-ioctl-perm-check.dpatch
++ reset-pdeathsig-on-suid.dpatch
More information about the Kernel-svn-changes
mailing list