[kernel] r13437 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Apr 18 20:37:10 UTC 2009
Author: dannf
Date: Sat Apr 18 20:37:07 2009
New Revision: 13437
Log:
exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Fri Apr 17 17:30:18 2009 (r13436)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Apr 18 20:37:07 2009 (r13437)
@@ -10,6 +10,7 @@
* nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)
* af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
* KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
+ * exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
-- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch Sat Apr 18 20:37:07 2009 (r13437)
@@ -0,0 +1,31 @@
+commit 432870dab85a2f69dc417022646cb9a70acf7f94
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Mon Apr 6 16:16:02 2009 +0200
+
+ exit_notify: kill the wrong capable(CAP_KILL) check
+
+ The CAP_KILL check in exit_notify() looks just wrong, kill it.
+
+ Whatever logic we have to reset ->exit_signal, the malicious user
+ can bypass it if it execs the setuid application before exiting.
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Acked-by: Serge Hallyn <serue at us.ibm.com>
+ Acked-by: Roland McGrath <roland at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/kernel/exit.c linux-source-2.6.26/kernel/exit.c
+--- linux-source-2.6.26.orig/kernel/exit.c 2009-03-25 17:20:40.000000000 -0600
++++ linux-source-2.6.26/kernel/exit.c 2009-04-17 18:59:15.000000000 -0600
+@@ -868,8 +868,7 @@ static void exit_notify(struct task_stru
+ */
+ if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
+ (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
+- tsk->self_exec_id != tsk->parent_exec_id) &&
+- !capable(CAP_KILL))
++ tsk->self_exec_id != tsk->parent_exec_id))
+ tsk->exit_signal = SIGCHLD;
+
+ /* If something other than our normal parent is ptracing us, then
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Fri Apr 17 17:30:18 2009 (r13436)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sat Apr 18 20:37:07 2009 (r13437)
@@ -6,3 +6,4 @@
+ bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
+ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
+ bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
++ bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
More information about the Kernel-svn-changes
mailing list