[kernel] r8422 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Wed, 04 Apr 2007 00:50:14 -0700 

Author: dannf
Date: Wed Apr  4 07:50:11 2007
New Revision: 8422

Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/core-dump-unreadable-PT_INTERP.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* core-dump-unreadable-PT_INTERP.dpatch
  [SECURITY] Fix a vulnerability that allows local users to read
  otherwise unreadable (but executable) files by triggering a core dump.
  See CVE-2007-0958

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Wed Apr  4 07:50:11 2007
@@ -58,8 +58,12 @@
     ipv6_fl_socklist between the listening socket and the socket created
     for connection.
     See CVE-2007-1592
+  * core-dump-unreadable-PT_INTERP.dpatch
+    [SECURITY] Fix a vulnerability that allows local users to read
+    otherwise unreadable (but executable) files by triggering a core dump.
+    See CVE-2007-0958
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 31 Mar 2007 16:55:45 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Wed, 04 Apr 2007 01:47:54 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/core-dump-unreadable-PT_INTERP.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/core-dump-unreadable-PT_INTERP.dpatch
   Wed Apr  4 07:50:11 2007
@@ -0,0 +1,51 @@
+From: Alexey Dobriyan <[EMAIL PROTECTED]>
+Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800)
+Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP
+X-Git-Tag: v2.6.20-rc7^0~60
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b
+
+[PATCH] core-dumping unreadable binaries via PT_INTERP
+
+Proposed patch to fix #5 in
+http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+aka
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
+
+To reproduce, do
+* grab poc at the end of advisory.
+* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
+  where first "4096" is something equal to or greater than 4096.
+* ./poc /usr/bin/sudo && ls -l
+
+Here I get with 2.6.20-rc5:
+
+ -rw------- 1 ad   ad   102400 2007-01-15 19:17 core
+ ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
+
+Check for MAY_READ like binfmt_misc.c does.
+
+Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+--- kernel-source-2.6.8/fs/binfmt_elf.c.orig   2006-12-05 02:21:56.000000000 
-0700
++++ kernel-source-2.6.8/fs/binfmt_elf.c        2007-04-04 01:45:00.000000000 
-0600
+@@ -635,6 +635,15 @@
+                       retval = PTR_ERR(interpreter);
+                       if (IS_ERR(interpreter))
+                               goto out_free_interp;
++
++                      /*
++                       * If the binary is not readable then enforce
++                       * mm->dumpable = 0 regardless of the interpreter's
++                       * permissions.
++                       */
++                      if (file_permission(interpreter, MAY_READ) < 0)
++                              bprm->interp_flags |= 
BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+                       retval = kernel_read(interpreter, 0, bprm->buf, 
BINPRM_BUF_SIZE);
+                       if (retval != BINPRM_BUF_SIZE) {
+                               if (retval >= 0)

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
   Wed Apr  4 07:50:11 2007
@@ -11,3 +11,4 @@
 + ext3-fsfuzz.dpatch
 + hfs-no-root-inode.dpatch
 + ipv6_fl_socklist-no-share.dpatch
++ core-dump-unreadable-PT_INTERP.dpatch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to