There is another race condition in the proc filesystem. When reading /proc/<pid>/cmdline of a process that is just being created, it is possible to get the contents of /proc/<pid>/environ, too. Since environ has stricter permissions than cmdline this is by definition a privilege escalation. Fortunately, it is not very critical, since environ mostly doesn't contain sensitive data and the race is very hard to trigger, even if you own the process. (Actually I don't know how this can really be used on foreign processes.) However, this issue might also cause unreproducible and undebuggable bugs in shell scripts that parse the output of "ps x". This is much more likely than a malicious exploit, and has probably been observed by at least one user while installing HelixPlayer. Probably all kernels 2.6 and 2.4 are affected (I only checked 2.6.7 & 2.6.5).

Reproducible: Always

Steps to Reproduce:
1. Run a script like the following:
while [ 1 ];do
ps ax | grep huioip >> TEST
done
2. While the script is running, do "watch -n 30 grep -c \= TEST"
3. Let the script run until grep finds a matching line. This may easily need more than 10,000 iterations.

Actual Results:
If you check the file TEST, you will see at least one line in which the expected output is followed by environment variables. The amount of leaked data may vary.
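As an added illustration (not code from this bug report or from the kernel patches attached below), here is a small detector that scans `ps ax` output for the symptom described above: a COMMAND column followed by environment-style KEY=value tokens. The sample output, the column regex and the two-token threshold are assumptions of this example.

```python
import re

# Constructed sample of `ps ax` output (not captured from a real system).
# The last line imitates the bug: after the real argv, bytes from
# /proc/<pid>/environ show up in the COMMAND column.
SAMPLE_PS_OUTPUT = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:01 init [3]
  842 pts/0    S+     0:00 grep huioip
  843 pts/0    R+     0:00 ps ax HOME=/root PATH=/usr/bin:/bin TERM=xterm
"""

# PID TTY STAT TIME COMMAND layout of `ps ax` (assumed column order)
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$")
# heuristic: environment variable names are typically upper-case
ENV_TOKEN = re.compile(r"^[A-Z_][A-Z0-9_]*=")


def find_environ_leaks(ps_output, min_tokens=2):
    """Return {pid: [leaked variable names]} for lines whose COMMAND column
    ends in environment-style KEY=value tokens.

    A single KEY=value token can be a legitimate argument (e.g. `make CC=gcc`),
    so a line is only flagged when at least `min_tokens` such tokens trail it.
    """
    leaks = {}
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header or unparsable line
        tokens = m.group("cmd").split()
        trailing = []
        # walk backwards: leaked environ data appears after the real argv
        for tok in reversed(tokens):
            if ENV_TOKEN.match(tok):
                trailing.append(tok.split("=", 1)[0])
            else:
                break
        if len(trailing) >= min_tokens:
            leaks[int(m.group("pid"))] = list(reversed(trailing))
    return leaks


if __name__ == "__main__":
    for pid, names in find_environ_leaks(SAMPLE_PS_OUTPUT).items():
        print(f"pid {pid}: environ leaked into cmdline: {' '.join(names)}")
```

Running it against the TEST file from the reproduction steps (`find_environ_leaks(open("TEST").read())`) lists which PIDs were caught mid-exec, which is the cue that a script parsing `ps` output is seeing this race rather than a bug of its own.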
Created attachment 37124 [details, diff] 2.6 patch devised by Roger Luethi (already included in -mm kernels)
Created attachment 37125 [details, diff] 2.4 Patch
Created attachment 37126 [details, diff] 2.6: Full patch from the -mm tree
gentoo-dev-sources-2.6.7-r13 has this fix in it.
I just applied it on hppa. (yay I'm the fastest one this time :)
Fixed on hardened-sources-2.4.26-r6 (x86)
Fixed on hardened-sources-2.4.27-r1 (~x86)
grsec-sources-2.4.27.2.0.1-r1.ebuild patched and tested on behalf of the 2.4.x users. All works as expected.
All done, the following are left to their relevant maintainers:
hardened-dev-sources: Adding hardened herd.
mips-sources: Adding Kumba to the CC list.
openmosix-sources: Adding cluster herd.
{pegasos(-dev), ppc}-sources: Adding dholm.
rsbac-(dev-)sources: Adding kang.
selinux-sources: Adding pebenito.
sparc-sources: Adding Joker and the Gentoo/SPARC team.
hardened-dev-sources patched, removing hardened herd
done for openmosix-sources
all done for rsbac-(dev-)sources
mips-sources all patched up.
After struggling with some odd patch errors for a couple of days, pegasos-dev-sources is finally done. {pegasos,ppc}-sources are no longer available.
selinux-src fixed
sparc-sources 2.4.27-r1 are fixed.
GLSA 200408-24.
FYI this patch is present in 2.6.9-rc4
*** Bug 74463 has been marked as a duplicate of this bug. ***