[kernel] r9405 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Wed, 29 Aug 2007 00:12:17 -0700 

Author: dannf
Date: Wed Aug 29 07:12:14 2007
New Revision: 9405

Log:
* [SECURITY] Fix potential privilege escalation caused by improper
  clearing of the child process' pdeath signal.
  See CVE-2007-3848

Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Wed Aug 29 07:12:14 2007
@@ -13,8 +13,11 @@
   * aacraid-ioctl-perm-check.dpatch
     [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
     See CVE-2007-4308
+  * [SECURITY] Fix potential privilege escalation caused by improper
+    clearing of the child process' pdeath signal.
+    See CVE-2007-3848
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 27 Aug 2007 23:56:14 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Wed, 29 Aug 2007 01:10:46 -0600
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/reset-pdeathsig-on-suid.dpatch
  Wed Aug 29 07:12:14 2007
@@ -0,0 +1,49 @@
+From: Marcel Holtmann <[EMAIL PROTECTED]>
+Date: Fri, 17 Aug 2007 19:47:58 +0000 (+0200)
+Subject: Reset current->pdeath_signal on SUID binary execution
+X-Git-Tag: v2.6.23-rc4~134
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+
+Reset current->pdeath_signal on SUID binary execution
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/fs/exec.c kernel-source-2.6.8/fs/exec.c
+--- kernel-source-2.6.8.orig/fs/exec.c 2006-12-05 02:21:56.000000000 -0700
++++ kernel-source-2.6.8/fs/exec.c      2007-08-29 01:04:35.912755102 -0600
+@@ -848,10 +848,13 @@ int flush_old_exec(struct linux_binprm *
+ 
+       flush_thread();
+ 
+-      if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
+-          permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
+-          (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP))
++      if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+               current->mm->dumpable = 0;
++              current->pdeath_signal = 0;
++      } else if (permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
++                      (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++              current->mm->dumpable = 0;
++      }
+ 
+       /* An exec changes our domain. We are no longer part of the thread
+          group */
+@@ -945,6 +948,8 @@ static inline int unsafe_exec(struct tas
+ void compute_creds(struct linux_binprm *bprm)
+ {
+       int unsafe;
++      if (bprm->e_uid != current->uid)
++              current->pdeath_signal = 0;
+       task_lock(current);
+       unsafe = unsafe_exec(current);
+       security_bprm_apply_creds(bprm, unsafe);

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   Wed Aug 29 07:12:14 2007
@@ -3,3 +3,4 @@
 + dn_fib-out-of-bounds.dpatch
 + ipv4-fib_props-out-of-bounds.dpatch
 + aacraid-ioctl-perm-check.dpatch
++ reset-pdeathsig-on-suid.dpatch 

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to