Your message dated Thu, 19 May 2005 07:17:46 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#308634: fixed in kernel-source-2.6.8 2.6.8-16 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 May 2005 18:14:25 +0000
From [EMAIL PROTECTED] Thu May 12 11:14:25 2005
Return-path: <[EMAIL PROTECTED]>
Received: from polaris.galacticasoftware.com [206.45.95.222]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DWICX-000353-00; Thu, 12 May 2005 11:14:25 -0700
Received: from mira.lan.galacticasoftware.com ([2001:470:1f00:907:20d:87ff:fe3c:98c8])
	by polaris.galacticasoftware.com with esmtp (Exim 4.50)
	id 1DWICV-0005WJ-CL; Thu, 12 May 2005 13:14:23 -0500
Received: from adamm by mira.lan.galacticasoftware.com with local (Exim 4.50)
	id 1DWIDs-00018v-QC; Thu, 12 May 2005 13:15:48 -0500
Content-Type: multipart/mixed; boundary="===============0918223092=="
MIME-Version: 1.0
From: "Adam M." <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Privilege escalation in ELF core dump (fs/binfmt_elf.c)
X-Mailer: reportbug 3.12
Date: Thu, 12 May 2005 13:15:48 -0500
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

This is a multi-part MIME message sent by reportbug.

--===============0918223092==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: critical
Tags: security patch

From Secunia advisory http://secunia.com/advisories/15341/

DESCRIPTION:
Paul Starzetz has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a signedness error in the Linux ELF binary format loader's core dump function (elf_core_dump()) and can be exploited to cause a buffer overflow via a specially crafted ELF binary.

Successful exploitation makes it possible to gain root privileges and execute arbitrary code with kernel privileges.

The vulnerability has been reported in versions 2.2 through 2.2.27-rc2, versions 2.4 through 2.4.31-pre1, and versions 2.6 through 2.6.12-rc4.
ORIGINAL ADVISORY:
Kernel.org:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.9

iSEC Security Research:
http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-k7
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils               2.15-5    The GNU assembler, linker and bina
ii  bzip2                  1.0.2-6   high-quality block-sorting file co
ii  coreutils [fileutils]  5.2.1-2   The GNU core utilities

-- no debconf information

--===============0918223092==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="kernel.diff"

--- a/fs/binfmt_elf.c 2005-05-11 15:43:56 -07:00 +++ b/fs/binfmt_elf.c 2005-05-11 15:43:56 -07:00 @@ -257,7 +257,7 @@ } /* Populate argv and envp */ - p = current->mm->arg_start; + p = current->mm->arg_end = current->mm->arg_start; while (argc-- > 0) { size_t len; __put_user((elf_addr_t)p, argv++); @@ -1279,7 +1279,7 @@ static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p, struct mm_struct *mm) { - int i, len; + unsigned int i, len; /* first copy the parameters from user space */ memset(psinfo, 0, sizeof(struct elf_prpsinfo));

--===============0918223092==--

---------------------------------------
Received: (at 308634-close) by bugs.debian.org; 19 May 2005 11:22:52 +0000
From [EMAIL PROTECTED] Thu May 19 04:22:52 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DYj75-0008Bd-00; Thu, 19 May 2005 04:22:52 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DYj2A-0001yJ-00; Thu, 19 May 2005 07:17:46 -0400
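Review bot: in the first hunk of kernel.diff (create_elf_tables, @@ -257), the new line `p = current->mm->arg_end = current->mm->arg_start;` seeds arg_end without saying why; the visible context only shows the argv-populating loop that follows, not where arg_end otherwise receives its value, so a reader of the patch cannot tell what invariant is being restored. Add a one-line comment stating that arg_end must never be left below arg_start, because the core-dump code (the fill_psinfo hunk below) derives a length from the two, and consider splitting the chained assignment into `current->mm->arg_end = current->mm->arg_start;` followed by `p = current->mm->arg_start;` so the intent is greppable.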
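Review bot: in the second hunk (fill_psinfo, @@ -1279), changing `int i, len;` to `unsigned int i, len;` stops a negative length from passing a size check, but the check itself and the copy it guards lie outside the three lines of context (only the comment "first copy the parameters from user space" and the memset are shown), so the patch alone does not let a reviewer confirm that every later comparison on len and i is safe with the new type; either widen the hunk to include that code or say so in the changelog entry. Since the comment says the bytes are copied from user space and the kernel copy helpers take a size_t, `size_t len` would also avoid truncating a difference of two unsigned long addresses on 64-bit targets, and a comment on why arg_end can end up below arg_start at all would tie this hunk to the loader change in the first one.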
From: Simon Horman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#308634: fixed in kernel-source-2.6.8 2.6.8-16
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 19 May 2005 07:17:46 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 15

Source: kernel-source-2.6.8
Source-Version: 2.6.8-16

We believe that the bug you reported is fixed in the latest version of kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:

kernel-doc-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-16_all.deb
kernel-patch-debian-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-16_all.deb
kernel-source-2.6.8_2.6.8-16.diff.gz
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16.diff.gz
kernel-source-2.6.8_2.6.8-16.dsc
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16.dsc
kernel-source-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16_all.deb
kernel-tree-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-16_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <[EMAIL PROTECTED]> (supplier of updated kernel-source-2.6.8 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 19 May 2005 16:51:34 +0900
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-16
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <[EMAIL PROTECTED]>
Description:
 kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
 kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
 kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
 kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 272683 295725 300163 301372 301488 301528 301799 301799 301799 301799 302352 303140 303498 304548 307552 308034 308634 308724 308855 309429
Changes:
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
 .
   * smbfs-overrun.dpatch: Reinstated smbfs-overrun.dpatch to complete fix for CAN-2004-1191 (Simon Horman) (closes: #300163)
 .
   * radeon-race-2.dpatch: Symbol fix for radeon race fix in 2.6.8-15. (Simon Horman) (closes: #301488, #301528, #308034)
 .
   * drivers-input-serio-nmouse.dpatch: [Security] fix N_MOUSE TTY privilege problem. See CAN-2005-0839 (Simon Horman) (closes: #301372)
 .
   * net-bluetooth-signdness-fix.dpatch: [Security] Fix signedness problem at socket creation in bluetooth which can lead to local root exploit. See CAN-2005-0750 (Simon Horman) (closes: #301799)
 .
   * fs-ext2-info-leak.dpatch: [Security] Fix information leak in ext2 which leads to a local information leak. See CAN-2005-0400 (Simon Horman) (closes: #301799)
 .
   * fs-isofs-range-check-1.dpatch, fs-isofs-range-check-2.dpatch, fs-isofs-range-check-3.dpatch: [Security] Fix range checking in isofs which leads to a local crash and arbitrary code execution. See CAN-2005-0815 (Simon Horman) (closes: #301799)
 .
   * mm-shmem-truncate.dpatch: [Security] tmpfs caused truncate bug which leads to a local DoS. CVE yet to be assigned. (Simon Horman)
 .
   * fs-binfmt_elf-dos.dpatch: Potential DoS in load_elf_library. See CAN-2005-0749 (Simon Horman) (closes: #301799, #303498)
 .
   * arch-ppc64-hugepage-aio-panic.dpatch: fix AIO panic on PPC64 caused by is_hugepage_only_range(). See CAN-2005-0916. (Simon Horman) (closes: #302352)
 .
   * kernel-futex-deadlock.dpatch: Fix possible deadlock in futex mmap_sem. See CAN-2005-0937 (closes: #303140) (Simon Horman)
 .
   * net-ipv4-bic-binary-search.patch: Fix BIC congestion avoidance algorithm error (Simon Horman)
 .
   * net-ipv4-ipsec-icmp-deadlock.patch: Fix IPSEC ICMP deadlock (Simon Horman)
 .
   * drivers-media-video-saa7110-oops.patch: Fix saa7110 driver to handle I2C_FUNC_I2C support correctly; previously it would oops. (Simon Horman)
 .
   * fs-cramfs-stat.dpatch: Fix bogus blocks field for devices in cramfs. (Simon Horman)
 .
   * drivers-media-video-i2c-msg.dpatch: Fix i2c message flags in video drivers (Simon Horman)
 .
   * drivers-net-sis900-oops.dpatch: Fix oops in sis900 driver caused by it being preempted before it has finished setting sis_priv->mii (Simon Horman)
 .
   * drivers-net-via-rhine-wol-oops.dpatch: Fix oops in VIA Rhine driver caused by assuming all cards have WOL support. (Simon Horman)
 .
   * net-netrom-double-lock.dpatch: Fix deadlock in netrom caused by double locking. (Simon Horman)
 .
   * drivers-net-amd811e-irq.dpatch: Fix bug in AMD8111e driver where it neglects to release an irq on some error conditions. (Simon Horman)
 .
   * net-xfrm-find_acq_byseq.dpatch: Fix __xfrm_find_acq_byseq() so it only returns objects in the XFRM_STATE_ACQ state. (Simon Horman)
 .
   * drivers-net-via-rhine-irq.dpatch: VIA Rhine driver was releasing an irq in some error situations (Simon Horman)
 .
   * sound-core-timer-oops.dpatch: Fix ALSA timer notification.
     o Oops in read()
     o wake-up polls and signals with new events
     (Simon Horman)
 .
   * fs-jdb-race.dpatch: Fix race in JDB (Simon Horman)
 .
   * arch-ia64-syscall-audit.dpatch: Fix ia64 syscall auditing (Simon Horman)
 .
   * drivers-i2c-chips-eprom.dpatch: Fix oops in eprom driver that occurs when data is read from sysfs (Simon Horman)
 .
   * lib-rwsem-spinlock.dpatch: Fix deadlock that occurs when dio_complete() does up_read() from IRQ context, by using interrupt-disabling spin locks. (Simon Horman)
 .
   * fs-jdb-slow-leak.dpatch: Fix longstanding jdb commit leak - since 2.6.6. (Maximilian Attems)
 .
   * sparc64-sigpoll-2.6.8.dpatch: Separate __SI_FAULT and __SI_POLL branches in copy_siginfo_to_user32() to resolve fcntl() bug. (Jurij Smakov, Simon Horman) (closes: #272683)
 .
   * net-ipv4-icmp-quench.diff: [CAN-2004-0790] Just silently ignore ICMP Source Quench messages. (Simon Horman) (See: #305655)
 .
   * sparc64-sunsu-init.dpatch: [sparc64] Patch by David Miller to fix the initialization of the sunsu serial driver. Mouse connected to the serial port is now detected properly. Thanks to Frans Pop for testing. (Jurij Smakov) (closes: #295725)
     Ref: http://lists.debian.org/debian-sparc/2005/04/msg00203.html
 .
   * drivers-i2c-sysfs-permisions.dpatch: I2C: Fix incorrect sysfs file permissions in it87 and via686a drivers. See CAN-2005-1369. (closes: #307552) (Simon Horman)
 .
   * arch-sparc64-kernel-ptrace-cont-bogosity.dpatch: SPARC: Fix PTRACE_CONT bogosity. (Simon Horman)
 .
   * net-ipv4-fib_hash-crash.dpatch: DoS vulnerability in fib_seq_start(). See CAN-2005-1041. (closes: #304548) (Simon Horman)
 .
   * fs-binfmt_elf-dump-privelage.dpatch: Linux kernel ELF core dump privilege elevation. See CAN-2005-1263. (closes: #308634, #308724, #308855) (Simon Horman)
 .
   * drivers-block-raw-ioctl.dpatch: [SECURITY] Fix root hole in raw device.
     See CAN-2005-1264. (closes: #309429) (Simon Horman)
 .
   * net-ipv4-ipvs-icmp-leak.dpatch: Fix leak in LVS ICMP handler that manifests under heavy traffic situations. (Simon Horman)
 .
   * Add myself as an uploader (Simon Horman)
Files:
 639732a50dc3105cc1ccfb2a848d109f 989 devel optional kernel-source-2.6.8_2.6.8-16.dsc
 0bc5e87dffd47078dcd7f01793576843 911998 devel optional kernel-source-2.6.8_2.6.8-16.diff.gz
 78776b39100d55bc04e87069aa94576c 930508 devel optional kernel-patch-debian-2.6.8_2.6.8-16_all.deb
 aa9d24c8aa7c10270625032ad45e208e 34924214 devel optional kernel-source-2.6.8_2.6.8-16_all.deb
 e1979374bcaf53de9c13d5855c58fd49 29284 devel optional kernel-tree-2.6.8_2.6.8-16_all.deb
 fd2e4e8f57268058aa1e9eb982ef6611 6175240 doc optional kernel-doc-2.6.8_2.6.8-16_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCjHI3du+M6Iexz7URAq/zAKDTAZe8lyhnOIFcKkev6kc5tTGxpwCfVq+J
F3wXWBaIkWSeK3n/ystmga0=
=fqDP
-----END PGP SIGNATURE-----
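Added example, not part of the bug report, the Secunia advisory or the Debian patch above: a user-space model of the signedness error the report describes in the core-dump path (fill_psinfo), placing the pre-patch `int len` next to the patched `unsigned int len`. The shape of the clamp (`len = arg_end - arg_start; if (len >= ELF_PRARGSZ) len = ELF_PRARGSZ - 1;`), the value ELF_PRARGSZ = 80, the trailer field and the argv sample at a made-up address are assumptions made for this example, not code quoted from the page; it only shows why a negative length defeats the bound check and why the patch's type change closes that path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ELF_PRARGSZ 80   /* size of pr_psargs in struct elf_prpsinfo (assumed value) */

/* Stand-in for struct elf_prpsinfo: only the argv buffer and what follows it. */
struct psinfo_model {
    char pr_psargs[ELF_PRARGSZ];
    char trailer[16];
};

/* Constructed sample: argv memory "ls" NUL "-l" NUL at a made-up address. */
static const char sample_argv[] = "ls\0-l";
#define SAMPLE_ARG_START 0xbffff000UL

/* Scratch record for callers that only care about the return value. */
static struct psinfo_model scratch_psinfo;

/* arg_end for a normally laid-out process: just past the last argv byte. */
static unsigned long sane_arg_end(void)
{
    return SAMPLE_ARG_START + sizeof sample_argv;
}

/* arg_end that ended up below arg_start, the state the loader hunk guards against. */
static unsigned long inverted_arg_end(void)
{
    return SAMPLE_ARG_START - 1;
}

/* Length that reaches the user-space copy with the pre-patch "int len". */
static size_t vulnerable_len(unsigned long arg_start, unsigned long arg_end)
{
    int len = (int)(arg_end - arg_start);       /* signed: can go negative */
    if (len >= ELF_PRARGSZ)                      /* a negative len passes this */
        len = ELF_PRARGSZ - 1;
    return (size_t)len;                          /* -1 becomes SIZE_MAX */
}

/* Same computation with the patch's "unsigned int len". */
static size_t fixed_len(unsigned long arg_start, unsigned long arg_end)
{
    unsigned int len = (unsigned int)(arg_end - arg_start);
    if (len >= ELF_PRARGSZ)                      /* the wrapped value is clamped */
        len = ELF_PRARGSZ - 1;
    return len;
}

/*
 * Fill pr_psargs the way the dump code does (copy, NUL -> space, terminate),
 * but refuse to write past the buffer. Returns 1 when the computed length
 * would have overrun pr_psargs in the kernel, 0 when the copy fits.
 */
static int dump_sample(size_t (*compute)(unsigned long, unsigned long),
                       unsigned long arg_end, struct psinfo_model *out)
{
    size_t len = compute(SAMPLE_ARG_START, arg_end);
    size_t avail = sizeof sample_argv;           /* bytes actually backing argv */
    size_t n;

    memset(out, 0, sizeof *out);
    if (len >= sizeof out->pr_psargs)
        return 1;                                /* the real code overflows here */
    n = len < avail ? len : avail;               /* model has no user pages past argv */
    memcpy(out->pr_psargs, sample_argv, n);
    for (size_t i = 0; i < n; i++)
        if (out->pr_psargs[i] == '\0')
            out->pr_psargs[i] = ' ';
    out->pr_psargs[len] = '\0';
    return 0;
}

int main(void)
{
    struct psinfo_model ps;

    printf("sane layout:     vulnerable len=%zu, fixed len=%zu\n",
           vulnerable_len(SAMPLE_ARG_START, sane_arg_end()),
           fixed_len(SAMPLE_ARG_START, sane_arg_end()));
    dump_sample(fixed_len, sane_arg_end(), &ps);
    printf("pr_psargs:       \"%s\"\n", ps.pr_psargs);
    printf("inverted layout: vulnerable overflows=%d, fixed overflows=%d\n",
           dump_sample(vulnerable_len, inverted_arg_end(), &ps),
           dump_sample(fixed_len, inverted_arg_end(), &ps));
    return 0;
}
```

The unsigned version clamps the wrapped difference to ELF_PRARGSZ - 1, so an inverted arg_start/arg_end pair degrades to a garbage but bounded copy; the same check with a signed length lets -1 through and hands SIZE_MAX to the copy.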