[kernel] r9703 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Nov 8 06:03:38 UTC 2007
Author: dannf
Date: Thu Nov 8 06:03:38 2007
New Revision: 9703
Log:
* 247_reset-pdeathsig-on-suid.diff
[SECURITY] Fix potential privilege escalation caused by improper
clearing of the child process' pdeath signal.
Thanks to Marcel Holtmann for the patch.
See CVE-2007-3848
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/247_reset-pdeathsig-on-suid.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Nov 8 06:03:38 2007
@@ -26,8 +26,13 @@
* 246_dn_fib-out-of-bounds.diff
[SECURITY] Fix out of bounds condition in dn_fib_props[]
See CVE-2007-2172
+ * 247_reset-pdeathsig-on-suid.diff
+ [SECURITY] Fix potential privilege escalation caused by improper
+ clearing of the child process' pdeath signal.
+ Thanks to Marcel Holtmann for the patch.
+ See CVE-2007-3848
- -- dann frazier <dannf at debian.org> Thu, 12 Jul 2007 23:46:15 -0600
+ -- dann frazier <dannf at debian.org> Wed, 07 Nov 2007 23:02:37 -0700
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/247_reset-pdeathsig-on-suid.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/247_reset-pdeathsig-on-suid.diff Thu Nov 8 06:03:38 2007
@@ -0,0 +1,107 @@
+From: Willy Tarreau <w at 1wt.eu>
+Date: Wed, 15 Aug 2007 07:15:09 +0000 (+0200)
+Subject: [PATCH] CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG
+X-Git-Tag: v2.4.36-pre1~4
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=c15267679b66e9db3ede1a78213f2efb2e0d6cae
+
+[PATCH] CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG
+
+Fix the "parent process death signal" vulnerability in the Linux kernel
+discovered by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security
+Research (CVE-2007-3848).
+
+To sum up, any local user could manage to start a setuid program then
+send it an arbitrary signal while it is running, by first setting the
+PR_SET_PDEATHSIG argument of the prctl() system call, and then running
+another setuid program from the parent process. This is something the
+user is normally supposed to be able to do only as long as the setuid
+program has not completely switched its UID.
+
+Depending on the installed setuid programs, this may lead to either a
+denial of service or even to a privilege escalation, so this issue is
+very distribution specific.
+
+For more information regarding this issue, please refer to the original
+advisory :
+
+ http://www.isec.pl/vulnerabilities/isec-0024-death-signal.txt
+
+The following fix has been provided by Solar Designer and is already
+part of the latest Openwall kernel.
+
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index f196e7e..1d23db6 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -587,6 +587,7 @@ int flush_old_exec(struct linux_binprm * bprm)
+ {
+ char * name;
+ int i, ch, retval;
++ unsigned new_mm_dumpable;
+ struct signal_struct * oldsig;
+ struct files_struct * files;
+ char tcomm[sizeof(current->comm)];
+@@ -622,10 +623,12 @@ int flush_old_exec(struct linux_binprm * bprm)
+
+ current->sas_ss_sp = current->sas_ss_size = 0;
+
++ new_mm_dumpable = 0; /* no change */
+ if (current->euid == current->uid && current->egid == current->gid) {
+- current->mm->dumpable = 1;
++ new_mm_dumpable = 1;
+ current->task_dumpable = 1;
+ }
++
+ name = bprm->filename;
+ for (i=0; (ch = *(name++)) != '\0';) {
+ if (ch == '/')
+@@ -641,9 +644,13 @@ int flush_old_exec(struct linux_binprm * bprm)
+
+ de_thread(current);
+
+- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+- permission(bprm->file->f_dentry->d_inode,MAY_READ))
++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+ current->mm->dumpable = 0;
++ current->pdeath_signal = 0;
++ } else if (permission(bprm->file->f_dentry->d_inode, MAY_READ)) {
++ current->mm->dumpable = 0;
++ } else if (new_mm_dumpable)
++ current->mm->dumpable = 1;
+
+ /* An exec changes our domain. We are no longer part of the thread
+ group */
+@@ -768,6 +775,7 @@ void compute_creds(struct linux_binprm *bprm)
+ if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
+ !cap_issubset(new_permitted, current->cap_permitted)) {
+ current->mm->dumpable = 0;
++ current->pdeath_signal = 0;
+
+ lock_kernel();
+ if (must_not_trace_exec(current)
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index d8796bf..eae527c 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -738,15 +738,12 @@ static int proc_base_readdir(struct file * filp,
+
+ static int task_dumpable(struct task_struct *task)
+ {
+- int dumpable = 0;
+- struct mm_struct *mm;
++ int retval;
+
+ task_lock(task);
+- mm = task->mm;
+- if (mm)
+- dumpable = mm->dumpable;
++ retval = is_dumpable(task);
+ task_unlock(task);
+- return dumpable;
++ return retval;
+ }
+
+
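Review bot: The fs/proc/base.c hunk replaces the inline `mm->dumpable` read with a call to `is_dumpable(task)`, but nothing in this patch file defines `is_dumpable`; unless the 2.4.27 tree or an earlier patch in the sarge6 series already provides it, fs/proc/base.c fails to build with an implicit-declaration error. The patch header (X-Git-Tag v2.4.36-pre1) suggests it was lifted from the 2.4.36 tree, so the helper may belong to an adjacent upstream change that was not backported here; this is worth confirming against include/linux/sched.h before the package is released. A second, minor point in the flush_old_exec hunk: `else if (new_mm_dumpable)` leaves its single-statement body unbraced while the sibling branches are braced, which is the shape that invites a later "goto fail"-style slip; `} else if (new_mm_dumpable) {` / `current->mm->dumpable = 1;` / `}` keeps it consistent with the lines above. The security-relevant change itself is sound as far as the hunk shows: pdeath_signal is cleared on the same euid/egid and uid/gid-or-capability transitions that already clear dumpable, so a child cannot retain a parent-death signal across a privilege change.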
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Thu Nov 8 06:03:38 2007
@@ -6,3 +6,4 @@
+ 244_bluetooth-l2cap-hci-info-leaks.diff
+ 245_bluetooth-l2cap-hci-info-leaks-2.diff
+ 246_dn_fib-out-of-bounds.diff
++ 247_reset-pdeathsig-on-suid.diff