[kernel] r13437 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Sat Apr 18 20:37:07 2009
New Revision: 13437

Log:
exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Apr 17 17:30:18 2009	(r13436)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Apr 18 20:37:07 2009	(r13437)
@@ -10,6 +10,7 @@
   * nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)
   * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
   * KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
+  * exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch	Sat Apr 18 20:37:07 2009	(r13437)
@@ -0,0 +1,31 @@
+commit 432870dab85a2f69dc417022646cb9a70acf7f94
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Mon Apr 6 16:16:02 2009 +0200
+
+    exit_notify: kill the wrong capable(CAP_KILL) check
+    
+    The CAP_KILL check in exit_notify() looks just wrong, kill it.
+    
+    Whatever logic we have to reset ->exit_signal, the malicious user
+    can bypass it if it execs the setuid application before exiting.
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Acked-by: Serge Hallyn <serue at us.ibm.com>
+    Acked-by: Roland McGrath <roland at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/kernel/exit.c linux-source-2.6.26/kernel/exit.c
+--- linux-source-2.6.26.orig/kernel/exit.c	2009-03-25 17:20:40.000000000 -0600
++++ linux-source-2.6.26/kernel/exit.c	2009-04-17 18:59:15.000000000 -0600
+@@ -868,8 +868,7 @@ static void exit_notify(struct task_stru
+ 	 */
+ 	if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
+ 	    (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
+-	     tsk->self_exec_id != tsk->parent_exec_id) &&
+-	    !capable(CAP_KILL))
++	     tsk->self_exec_id != tsk->parent_exec_id))
+ 		tsk->exit_signal = SIGCHLD;
+ 
+ 	/* If something other than our normal parent is ptracing us, then

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Fri Apr 17 17:30:18 2009	(r13436)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Sat Apr 18 20:37:07 2009	(r13437)
@@ -6,3 +6,4 @@
 + bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
 + bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
 + bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
++ bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch