Bug#597576: [Secure-testing-team] Bug#597576: linux-image-2.6.32-5-amd64: 2.6.32-23 still vulnerable to CVE-2010-3301
On Mon, 20 Sep 2010 18:51:16 -0400 Jon wrote:
> Package: linux-2.6
> Version: 2.6.32-23
> Justification: root security hole
> Severity: critical
> Tags: security
>
> The changelog says the CVE-2010-3301 was fixed in this update:
>
>   * x86-64, compat (CVE-2010-3301):
>     - Retruncate rax after ia32 syscall entry tracing
>     - Test %rax for the syscall number, not %eax
>
> But a test of the exploit shows otherwise:
>
> n...@nobel:~(0)$ ./robert_you_suck
> resolved symbol commit_creds to 0x8106914d
> resolved symbol prepare_kernel_cred to 0x81069050
> mapping at 3f8000
> UID 1000, EUID:1000 GID:100, EGID:100
> $

did you reboot?

mike

Archive: http://lists.debian.org/20100920191926.2516291a.michael.s.gilb...@gmail.com

Bug#597576: [Secure-testing-team] Bug#597576: linux-image-2.6.32-5-amd64: 2.6.32-23 still vulnerable to CVE-2010-3301
On Mon, Sep 20, 2010 at 06:51:16PM -0400, Jon wrote:
> Package: linux-2.6
> Version: 2.6.32-23
> Justification: root security hole
> Severity: critical
> Tags: security
>
> The changelog says the CVE-2010-3301 was fixed in this update:
>
>   * x86-64, compat (CVE-2010-3301):
>     - Retruncate rax after ia32 syscall entry tracing
>     - Test %rax for the syscall number, not %eax
>
> But a test of the exploit shows otherwise:
>
> n...@nobel:~(0)$ ./robert_you_suck
> resolved symbol commit_creds to 0x8106914d
> resolved symbol prepare_kernel_cred to 0x81069050
> mapping at 3f8000
> UID 1000, EUID:1000 GID:100, EGID:100
> $

How so? UID 1000 isn't root...

Archive: http://lists.debian.org/20100920231910.ge13...@lackof.org