First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 140444
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Daniel Black <dragonheart@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
1505_procfs-dumpable-race.patch Patch patch Tim Yamin (RETIRED) 2006-07-15 05:45 0000 634 bytes Details | Diff
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 140444 depends on: Show dependency tree
Show dependency graph
Bug 140444 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-07-14 23:40 0000 
A Linux Kernel Exploit was posted to Full-Disclosure effecting the 2.6.x
kernels.
The attached code exploits a root race in /proc, The exploit has been
acknowledged and a patch is now available.

The exploit can be found:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047913.html

A patch for this exploit can be found here:
http://lkml.org/lkml/diff/2006/7/14/306/1

(written by _array on #gentoo-hardened)

Note: http://lkml.org/lkml/2006/7/15/5 says that <HAL-0.5.7 may have troubles
latest gentoo stable is hal-0.5.5.1-r3 (all arches)

------- Comment #1 From Daniel Black 2006-07-15 00:17:24 0000 ------- 
CVE from http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.5

------- Comment #2 From Tim Yamin (RETIRED) 2006-07-15 05:44:44 0000 ------- 
Please do *not* use the 2.6.16.25 or 2.6.17.5 fix; I'm attaching a better one
which shouldn't break HAL & etc...

------- Comment #3 From Tim Yamin (RETIRED) 2006-07-15 05:45:24 0000 ------- 
Created an attachment (id=91781) [edit]
Patch

------- Comment #4 From Tim Yamin (RETIRED) 2006-07-15 07:08:26 0000 ------- 
Maintainers please bump your genpatches (2.6.16-15 or 2.6.17-4) or use the
attached patch (don't use 2.6.17.5):

ck-sources: marineam
hardened-sources-2.6: johnm, hardened
hppa-sources: GMSoft
mips-sources: `Kumba
rsbac-sources: kang
sh-sources: sh
suspend2-sources: brix
usermode-sources: dang
xbox-sources: chrb
xen-sources: chrb, agriffis

------- Comment #5 From Daniel Black 2006-07-15 07:10:33 0000 ------- 
workaround for those waiting for a release is to mount proc with options nosuid
as suggested by padde in #gentoo-bugs

------- Comment #6 From Christian Heim (RETIRED) 2006-07-15 07:24:28 0000 ------- 
gentoo-sources-2.6.16/2.6.17 -> done
suspend2-sources-2.6.16/2.6.17 -> done

------- Comment #7 From Christian Heim (RETIRED) 2006-07-15 08:06:15 0000 ------- 
openvz-sources-026.015 (2.6.16) -> done

------- Comment #8 From Christian Heim (RETIRED) 2006-07-15 08:34:28 0000 ------- 
ck-sources-2.6.16/2.6.17 -> done

------- Comment #9 From solar 2006-07-15 09:04:19 0000 ------- 
hardened-sources-2.6.16-r11 bumped with genpatches 14

------- Comment #10 From Daniel Gryniewicz 2006-07-15 09:53:38 0000 ------- 
usermode-sources bumped.

------- Comment #11 From solar 2006-07-15 10:53:14 0000 ------- 
(In reply to comment #9)
I ment 15

------- Comment #12 From Daniel Drake 2006-07-15 17:35:07 0000 ------- 
*** Bug 140581 has been marked as a duplicate of this bug. ***

------- Comment #13 From Tim Yamin (RETIRED) 2006-07-17 09:11:50 0000 ------- 
*** Bug 140797 has been marked as a duplicate of this bug. ***

------- Comment #14 From Tuan Van (RETIRED) 2006-07-17 10:05:01 0000 ------- 
(In reply to comment #4)
> Maintainers please bump your genpatches (2.6.16-15 or 2.6.17-4) or use the
> attached patch (don't use 2.6.17.5):
> 
> ck-sources: marineam
> hardened-sources-2.6: johnm, hardened
> hppa-sources: GMSoft
> mips-sources: `Kumba
> rsbac-sources: kang
> sh-sources: sh
> suspend2-sources: brix
> usermode-sources: dang
> xbox-sources: chrb
> xen-sources: chrb, agriffis
> 

2.6.16.26 fix these issues right? If so I have copied xen-sources-2.6.16.18 to
xen-sources-2.6.16.26 and and it WFM on my xen test box.

HTH.

------- Comment #15 From Tim Yamin (RETIRED) 2006-07-17 13:24:11 0000 ------- 
(In reply to comment #14)
> 2.6.16.26 fix these issues right? If so I have copied xen-sources-2.6.16.18 to
> xen-sources-2.6.16.26 and and it WFM on my xen test box.

Yes, .26 fixes these issues correctly.

------- Comment #16 From Guy Martin 2006-07-18 13:04:20 0000 ------- 
Fixed on hppa. First commit from my new place \o/

------- Comment #17 From Chris Bainbridge (RETIRED) 2006-07-19 13:47:44 0000 ------- 
I've updated xen and xbox -sources to 2.6.16.26.

------- Comment #18 From Harlan Lieberman-Berg (RETIRED) 2006-11-01 19:06:22 0000 ------- 
SH, RSBAC, this one too. Bump or patch.

------- Comment #19 From Guillaume Destuynder (RETIRED) 2006-11-09 06:40:26 0000 ------- 
rsbac-sources bumped to 2.6.18 in ~

------- Comment #20 From Harlan Lieberman-Berg (RETIRED) 2006-11-09 18:26:55 0000 ------- 
As discussed in the past, SH no longer is kept track of by Gentoo Kernel
Security. Closing bug.
First Last Prev Next    No search results available      Search page      Enter new bug