[kernel] r9703 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Thu Nov 8 06:03:38 UTC 2007

Author: dannf
Date: Thu Nov  8 06:03:38 2007
New Revision: 9703

Log:
* 247_reset-pdeathsig-on-suid.diff
  [SECURITY] Fix potential privilege escalation caused by improper
  clearing of the child process' pdeath signal.
  Thanks to Marcel Holtmann for the patch.
  See CVE-2007-3848

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/247_reset-pdeathsig-on-suid.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================

--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Thu Nov  8 06:03:38 2007
@@ -26,8 +26,13 @@
   * 246_dn_fib-out-of-bounds.diff
     [SECURITY] Fix out of bounds condition in dn_fib_props[]
     See CVE-2007-2172
+  * 247_reset-pdeathsig-on-suid.diff
+    [SECURITY] Fix potential privilege escalation caused by improper
+    clearing of the child process' pdeath signal.
+    Thanks to Marcel Holtmann for the patch.
+    See CVE-2007-3848
 
- -- dann frazier <dannf at debian.org>  Thu, 12 Jul 2007 23:46:15 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 07 Nov 2007 23:02:37 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/247_reset-pdeathsig-on-suid.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/247_reset-pdeathsig-on-suid.diff	Thu Nov  8 06:03:38 2007
@@ -0,0 +1,107 @@
+From: Willy Tarreau <w at 1wt.eu>
+Date: Wed, 15 Aug 2007 07:15:09 +0000 (+0200)
+Subject: [PATCH] CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG
+X-Git-Tag: v2.4.36-pre1~4
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=c15267679b66e9db3ede1a78213f2efb2e0d6cae
+
+[PATCH] CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG
+
+Fix the "parent process death signal" vulnerability in the Linux kernel
+discovered by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security
+Research (CVE-2007-3848).
+
+To sum up, any local user could manage to start a setuid program then
+send it an arbitrary signal while it is running, by first setting the
+PR_SET_PDEATHSIG argument of the prctl() system call, and then running
+another setuid program from the parent process. This is something the
+user is normally supposed to be able to do only as long as the setuid
+program has not completely switched its UID.
+
+Depending on the installed setuid programs, this may lead to either a
+denial of service or even to a privilege escalation, so this issue is
+very distribution specific.
+
+For more information regarding this issue, please refer to the original
+advisory :
+
+   http://www.isec.pl/vulnerabilities/isec-0024-death-signal.txt
+
+The following fix has been provided by Solar Designer and is already
+part of the latest Openwall kernel.
+
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index f196e7e..1d23db6 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -587,6 +587,7 @@ int flush_old_exec(struct linux_binprm * bprm)
+ {
+ 	char * name;
+ 	int i, ch, retval;
++	unsigned new_mm_dumpable;
+ 	struct signal_struct * oldsig;
+ 	struct files_struct * files;
+ 	char tcomm[sizeof(current->comm)];
+@@ -622,10 +623,12 @@ int flush_old_exec(struct linux_binprm * bprm)
+ 
+ 	current->sas_ss_sp = current->sas_ss_size = 0;
+ 
++	new_mm_dumpable = 0; /* no change */
+ 	if (current->euid == current->uid && current->egid == current->gid) {
+-		current->mm->dumpable = 1;
++		new_mm_dumpable = 1;
+ 		current->task_dumpable = 1;
+ 	}
++
+ 	name = bprm->filename;
+ 	for (i=0; (ch = *(name++)) != '\0';) {
+ 		if (ch == '/')
+@@ -641,9 +644,13 @@ int flush_old_exec(struct linux_binprm * bprm)
+ 
+ 	de_thread(current);
+ 
+-	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
+-	    permission(bprm->file->f_dentry->d_inode,MAY_READ))
++	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+ 		current->mm->dumpable = 0;
++		current->pdeath_signal = 0;
++	} else if (permission(bprm->file->f_dentry->d_inode, MAY_READ)) {
++		current->mm->dumpable = 0;
++	} else if (new_mm_dumpable)
++		current->mm->dumpable = 1;
+ 
+ 	/* An exec changes our domain. We are no longer part of the thread
+ 	   group */
+@@ -768,6 +775,7 @@ void compute_creds(struct linux_binprm *bprm)
+ 	if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
+ 	    !cap_issubset(new_permitted, current->cap_permitted)) {
+                 current->mm->dumpable = 0;
++		current->pdeath_signal = 0;
+ 		
+ 		lock_kernel();
+ 		if (must_not_trace_exec(current)
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index d8796bf..eae527c 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -738,15 +738,12 @@ static int proc_base_readdir(struct file * filp,
+ 
+ static int task_dumpable(struct task_struct *task)
+ {
+-	int dumpable = 0;
+-	struct mm_struct *mm;
++	int retval;
+ 
+ 	task_lock(task);
+-	mm = task->mm;
+-	if (mm)
+-		dumpable = mm->dumpable;
++	retval = is_dumpable(task);
+ 	task_unlock(task);
+-	return dumpable;
++	return retval;
+ }
+ 
+ 

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Thu Nov  8 06:03:38 2007
@@ -6,3 +6,4 @@
 + 244_bluetooth-l2cap-hci-info-leaks.diff
 + 245_bluetooth-l2cap-hci-info-leaks-2.diff
 + 246_dn_fib-out-of-bounds.diff
++ 247_reset-pdeathsig-on-suid.diff

