[kernel] r9907 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 6 07:31:40 UTC 2007


Author: dannf
Date: Thu Dec  6 07:31:40 2007
New Revision: 9907

Log:
* bugfix/coredump-only-to-same-uid.patch
  [SECURITY] Fix an issue where core dumping over a file that
  already exists retains the ownership of the original file
  See CVE-2007-6206

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/coredump-only-to-same-uid.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch6

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Dec  6 07:31:40 2007
@@ -3,8 +3,12 @@
   * bugfix/isdn-net-overflow.patch
     [SECURITY] Fix potential overflows in the ISDN subsystem
     See CVE-2007-6063
+  * bugfix/coredump-only-to-same-uid.patch
+    [SECURITY] Fix an issue where core dumping over a file that
+    already exists retains the ownership of the original file
+    See CVE-2007-6206
 
- -- dann frazier <dannf at debian.org>  Tue, 04 Dec 2007 11:48:54 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 05 Dec 2007 23:41:52 -0700
 
 linux-2.6 (2.6.18.dfsg.1-13etch5) stable-security; urgency=high
 
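Review bot: The new changelog entry (the four added lines for bugfix/coredump-only-to-same-uid.patch) names the bug and the CVE but not the behaviour change users will see after upgrading. With the added patch, a core dump is refused when a file already present at the target path is owned by a uid other than the dumping task's fsuid. Suggest adding a clause along the lines of "core dumps are now only written over existing files owned by the dumping task's uid", so that missing core files after the update can be traced back to this fix.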

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/coredump-only-to-same-uid.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/coredump-only-to-same-uid.patch	Thu Dec  6 07:31:40 2007
@@ -0,0 +1,38 @@
+From: Ingo Molnar <mingo at elte.hu>
+Date: Wed, 28 Nov 2007 12:59:18 +0000 (+0100)
+Subject: vfs: coredumping fix
+X-Git-Tag: v2.6.24-rc4~82
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af
+
+vfs: coredumping fix
+
+fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043
+
+only allow coredumping to the same uid that the coredumping
+task runs under.
+
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+Acked-by: Alan Cox <alan at redhat.com>
+Acked-by: Christoph Hellwig <hch at lst.de>
+Acked-by: Al Viro <viro at ftp.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/exec.c linux-source-2.6.18/fs/exec.c
+--- linux-source-2.6.18.orig/fs/exec.c	2007-10-03 12:38:15.000000000 -0600
++++ linux-source-2.6.18/fs/exec.c	2007-12-05 23:41:00.000000000 -0700
+@@ -1524,6 +1524,12 @@ int do_coredump(long signr, int exit_cod
+ 
+ 	if (!S_ISREG(inode->i_mode))
+ 		goto close_fail;
++	/*
++	 * Dont allow local users get cute and trick others to coredump
++	 * into their pre-created files:
++	 */
++	if (inode->i_uid != current->fsuid)
++		goto close_fail;
+ 	if (!file->f_op)
+ 		goto close_fail;
+ 	if (!file->f_op->write)
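Review bot: The added test `if (inode->i_uid != current->fsuid) goto close_fail;` in do_coredump() drops the dump with no diagnostic, and the header line "Adjusted to apply to Debian's 2.6.18" does not say what differs from the upstream commit named in X-Git-Url. Please state in the patch header whether the adjustment is limited to offsets and context or touches the check itself, so the backport can be audited against upstream. Because the test exits through close_fail, it runs only after the target file has been opened; it is worth confirming against the 2.6.18 source that nothing earlier in the function has already modified the existing file by the time the ownership test rejects it. The comment typo ("Dont allow local users get cute") is inherited from upstream and is fine to leave as is for fidelity.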

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch6
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch6	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch6	Thu Dec  6 07:31:40 2007
@@ -1 +1,2 @@
 + bugfix/isdn-net-overflow.patch
++ bugfix/coredump-only-to-same-uid.patch


