56479 2004-07-08 12:56 0000 sys-kernel/*: fchown may allow unrestricted file groupIDs modifications 2004-08-01 23:59:26 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497 A3 [kernel+] P2 normal --- 1 koon@gentoo.org security@gentoo.org chriswhite@gentoo.org eradicator@gentoo.org hardened@gentoo.org kang@gentoo.org pebenito@gentoo.org scox@sig11.org koon@gentoo.org 2004-07-08 12:56:18 0000 From http://xforce.iss.net/xforce/xfdb/16599 : Linux kernel versions 2.4 and 2.6 could allow a local attacker to mount a remote file system from a vulnerable system and modify files' group IDs, caused by a missing check in the fchown function. Note: Linux kernel version 2.4 kernel is affected by this vulnerability if the file system is shared via an NFS server. CAN-2004-0497 chriswhite@gentoo.org 2004-07-08 17:11:53 0000 Got the patches from upstream.. posting them now. btw, the issue was in attr code, not really in fchown code. chriswhite@gentoo.org 2004-07-08 17:12:33 0000 Created an attachment (id=35037) Patch for 2.6 attr exploit chriswhite@gentoo.org 2004-07-08 17:13:26 0000 Created an attachment (id=35038) 2.6 kernel /proc filesystem missing attr check patch chriswhite@gentoo.org 2004-07-08 17:14:12 0000 Created an attachment (id=35039) 2.4 kernel sys_chown exploit patch chriswhite@gentoo.org 2004-07-08 17:14:55 0000 Created an attachment (id=35040) 2.4 kernel missing ) in inode_change code patch tseng@gentoo.org 2004-07-08 18:31:19 0000 Both of these fixes have been in {gentoo,hardened}-dev-sources for a bit now. I dont recall if there was an earlier Gentoo bug, but the SuSE/RH advisories have been around for a bit. tseng@gentoo.org 2004-07-08 18:37:30 0000 Con added the fixes to -ck5 upstream, so a version bump will close the vuln there as well. (Bump requested in #56337) koon@gentoo.org 2004-07-09 01:19:13 0000 Maybe this is already fixed in most of our sources, I opened this one to check that all sources are OK with this problem, as it was not listed in the recent kernel GLSA. plasmaroo@gentoo.org 2004-07-09 06:20:41 0000 (From update of attachment 35039) Marking patch as obsolete since the 2.6 one does not have parenthesis issues and applies fine on 2.4. plasmaroo@gentoo.org 2004-07-09 06:20:58 0000 (From update of attachment 35040) Marking patch as obsolete since the 2.6 one does not have parenthesis issues and applies fine on 2.4. plasmaroo@gentoo.org 2004-07-09 11:23:23 0000 OK, everything should now be patched. The following sources remain, and I'm adding their maintainers to the CC list: grsec-sources: Adding solar. hardened-sources: Adding hardened herd and scox. hppa-(dev-)sources: Adding GMSoft. mips-sources: Adding `Kumba. openmosix-sources: Adding the cluster herd. pegasos-(dev-)sources: Adding dholm. rsbac-(dev-)sources: Adding kang. selinux-sources: Adding pebenito. gmsoft@gentoo.org 2004-07-09 12:40:42 0000 All done for hppa. voxus@gentoo.org 2004-07-10 05:36:54 0000 all done for openMosix-sources. dberkholz@gentoo.org 2004-07-10 13:40:22 0000 In that case.. plasmaroo@gentoo.org 2004-07-11 05:47:44 0000 Seems to be done for grsec-sources as well... solar@gentoo.org 2004-07-11 06:24:57 0000 yeah twice. updated revision to grsec-sources-2.4.26.2.0-r6 and added the openmosix-sources.CAN-2004-0497.patch method@gentoo.org 2004-07-11 14:29:18 0000 selinux-sources patched koon@gentoo.org 2004-07-16 06:12:41 0000 Still waiting for the following sources to be patched for CAN-2004-0497: - hardened-sources - mips-sources [reAdding `Kumba] - pegasos-(dev-)sources - rsbac-(dev-)sources kang@gentoo.org 2004-07-16 10:23:04 0000 rsbac-(dev-)sources: patched kumba@gentoo.org 2004-07-17 13:27:01 0000 This was one of those patches I saw in an updated SuSE kernel, but I couldn't find a description or patch for -0497. Is there a description and/or patch for -0496 as well (also fixed in the updated SuSE kernel)? koon@gentoo.org 2004-07-20 08:22:54 0000 The only reference I can find on -0496 is the SuSE advisory. No description, no patch. According to CVE description, it is a superset of the Sparse-found vulnerabilities we already fixed (-0495). Still waiting for : - hardened-sources - mips-sources - pegasos-(dev-)sources dholm@gentoo.org 2004-07-21 02:38:26 0000 pegasos(-dev)-sources fixed scox@sig11.org 2004-07-21 06:02:02 0000 Heya, as I said in my ~/.away (http://dev.gentoo.org/devaway/), I don't have any connection at home at the moment (so no access to CVS). I could however bring my ssh keys at work tomorrow, if noone else from the hardened herd can add the patch for me. plasmaroo@gentoo.org 2004-07-22 05:09:16 0000 GLSA 200407-16. kumba@gentoo.org 2004-07-22 19:19:20 0000 mips-sources fixed koon@gentoo.org 2004-07-23 00:48:44 0000 GLSA should be updated to reflect the mips-sources fix. Additionally, development-sources-2.6.8_rc1 should be marked stable on x86, ppc, arm as it is the fixed version... plasmaroo@gentoo.org 2004-07-23 03:57:36 0000 Readding `Kumba - the 2.6 kernels also need the /proc patch attached to this bug; and 2.4 needs patching for CAN-2004-0497, but not the /proc issue. scox@sig11.org 2004-07-23 07:36:50 0000 hardened-sources fixed yesterday, before the GLSA went out. kumba@gentoo.org 2004-08-01 23:59:26 0000 Mips fixed (I hope I'm not missing anything else) 35037 2004-07-08 17:12 0000 Patch for 2.6 attr exploit 2.6-attr_exploit.patch text/plain IyBUaGlzIGlzIGEgQml0S2VlcGVyIGdlbmVyYXRlZCBkaWZmIC1OcnUgc3R5bGUgcGF0Y2guCiMK IyBDaGFuZ2VTZXQKIyAgIDIwMDQvMDcvMDIgMjA6NTU6MDQtMDc6MDAgY2hyaXN3QG9zZGwub3Jn IAojICAgW1BBVENIXSBjaG93biBwZXJtaXNzaW9uIGNoZWNrIGZpeCBmb3IgQVRUUl9HSUQKIyAg IAojICAgU3VTRSBkaXNjb3ZlcmVkIHRoaXMgcHJvYmxlbSB3aXRoIGNob3duIGFuZCBBVFRSX0dJ RC4gIE1ha2Ugc3VyZSB1c2VyCiMgICBpcyBhdXRob3JpemVkIHRvIGNoYW5nZSB0aGUgZ3JvdXAs IENBTi0yMDA0LTA0OTcuCiMgCiMgZnMvYXR0ci5jCiMgICAyMDA0LzA3LzAyIDA5OjA3OjMyLTA3 OjAwIGNocmlzd0Bvc2RsLm9yZyArMiAtMQojICAgY2hvd24gcGVybWlzc2lvbiBjaGVjayBmaXgg Zm9yIEFUVFJfR0lECiMgCmRpZmYgLU5ydSBhL2ZzL2F0dHIuYyBiL2ZzL2F0dHIuYwotLS0gYS9m cy9hdHRyLmMJMjAwNC0wNy0wOCAxNjozNTo1NyAtMDc6MDAKKysrIGIvZnMvYXR0ci5jCTIwMDQt MDctMDggMTY6MzU6NTcgLTA3OjAwCkBAIC0zNSw3ICszNSw4IEBACiAKIAkvKiBNYWtlIHN1cmUg Y2FsbGVyIGNhbiBjaGdycC4gKi8KIAlpZiAoKGlhX3ZhbGlkICYgQVRUUl9HSUQpICYmCi0JICAg ICghaW5fZ3JvdXBfcChhdHRyLT5pYV9naWQpICYmIGF0dHItPmlhX2dpZCAhPSBpbm9kZS0+aV9n aWQpICYmCisJICAgIChjdXJyZW50LT5mc3VpZCAhPSBpbm9kZS0+aV91aWQgfHwKKwkgICAgKCFp bl9ncm91cF9wKGF0dHItPmlhX2dpZCkgJiYgYXR0ci0+aWFfZ2lkICE9IGlub2RlLT5pX2dpZCkp ICYmCiAJICAgICFjYXBhYmxlKENBUF9DSE9XTikpCiAJCWdvdG8gZXJyb3I7CiAK 35038 2004-07-08 17:13 0000 2.6 kernel /proc filesystem missing attr check patch 2.6-proc_exploit.patch text/plain IyBUaGlzIGlzIGEgQml0S2VlcGVyIGdlbmVyYXRlZCBkaWZmIC1OcnUgc3R5bGUgcGF0Y2guCiMK IyBDaGFuZ2VTZXQKIyAgIDIwMDQvMDcvMDIgMTg6NDg6MjYtMDc6MDAgY2hyaXN3QG9zZGwub3Jn IAojICAgW1BBVENIXSBjaGVjayBhdHRyIHVwZGF0ZXMgaW4gL3Byb2MKIyAgIAojICAgQW55IHBy b2MgZW50cnkgd2l0aCBkZWZhdWx0IHByb2NfZmlsZV9pbm9kZV9vcGVyYXRpb25zIGFsbG93IHVu YXV0aG9yaXplZAojICAgYXR0cmlidXRlIHVwZGF0ZXMuICBUaGlzIGlzIHZlcnkgZGFuZ2Vyb3Vz IGZvciBwcm9jIGVudHJpZXMgdGhhdCByZWx5CiMgICBzb2xlbHkgb24gZmlsZSBwZXJtaXNzaW9u cyBmb3Igb3Blbi9yZWFkL3dyaXRlLgojICAgCiMgICBTaWduZWQtb2ZmLWJ5OiBDaHJpcyBXcmln aHQgPGNocmlzd0Bvc2RsLm9yZz4KIyAgIFNpZ25lZC1vZmYtYnk6IExpbnVzIFRvcnZhbGRzIDx0 b3J2YWxkc0Bvc2RsLm9yZz4KIyAKIyBmcy9wcm9jL2dlbmVyaWMuYwojICAgMjAwNC8wNy8wMiAx NTo0Nzo1NS0wNzowMCBjaHJpc3dAb3NkbC5vcmcgKzE0IC03CiMgICBjaGVjayBhdHRyIHVwZGF0 ZXMgaW4gL3Byb2MKIyAKZGlmZiAtTnJ1IGEvZnMvcHJvYy9nZW5lcmljLmMgYi9mcy9wcm9jL2dl bmVyaWMuYwotLS0gYS9mcy9wcm9jL2dlbmVyaWMuYwkyMDA0LTA3LTA4IDE3OjAzOjIwIC0wNzow MAorKysgYi9mcy9wcm9jL2dlbmVyaWMuYwkyMDA0LTA3LTA4IDE3OjAzOjIwIC0wNzowMApAQCAt MjMxLDE0ICsyMzEsMjEgQEAKIHN0YXRpYyBpbnQgcHJvY19ub3RpZnlfY2hhbmdlKHN0cnVjdCBk ZW50cnkgKmRlbnRyeSwgc3RydWN0IGlhdHRyICppYXR0cikKIHsKIAlzdHJ1Y3QgaW5vZGUgKmlu b2RlID0gZGVudHJ5LT5kX2lub2RlOwotCWludCBlcnJvciA9IGlub2RlX3NldGF0dHIoaW5vZGUs IGlhdHRyKTsKLQlpZiAoIWVycm9yKSB7Ci0JCXN0cnVjdCBwcm9jX2Rpcl9lbnRyeSAqZGUgPSBQ REUoaW5vZGUpOwotCQlkZS0+dWlkID0gaW5vZGUtPmlfdWlkOwotCQlkZS0+Z2lkID0gaW5vZGUt PmlfZ2lkOwotCQlkZS0+bW9kZSA9IGlub2RlLT5pX21vZGU7Ci0JfQorCXN0cnVjdCBwcm9jX2Rp cl9lbnRyeSAqZGUgPSBQREUoaW5vZGUpOworCWludCBlcnJvcjsKIAorCWVycm9yID0gaW5vZGVf Y2hhbmdlX29rKGlub2RlLCBpYXR0cik7CisJaWYgKGVycm9yKQorCQlnb3RvIG91dDsKKworCWVy cm9yID0gaW5vZGVfc2V0YXR0cihpbm9kZSwgaWF0dHIpOworCWlmIChlcnJvcikKKwkJZ290byBv dXQ7CisJCisJZGUtPnVpZCA9IGlub2RlLT5pX3VpZDsKKwlkZS0+Z2lkID0gaW5vZGUtPmlfZ2lk OworCWRlLT5tb2RlID0gaW5vZGUtPmlfbW9kZTsKK291dDoKIAlyZXR1cm4gZXJyb3I7CiB9CiAK 35039 2004-07-08 17:14 0000 2.4 kernel sys_chown exploit patch 2.4-chown_exploit.patch text/plain IyBUaGlzIGlzIGEgQml0S2VlcGVyIGdlbmVyYXRlZCBkaWZmIC1OcnUgc3R5bGUgcGF0Y2guCiMK IyBDaGFuZ2VTZXQKIyAgIDIwMDQvMDcvMDMgMTg6MzI6NDAtMDM6MDAgbWFyY2Vsb0Bsb2dvcy5j bmV0IAojICAgICBUaG9tYXMgQmllZ2U6IEZpeCBtaXNzaW5nIERBQyBjaGVjayBvbiBzeXNfY2hv d24KIyAKIyBmcy9hdHRyLmMKIyAgIDIwMDQvMDcvMDMgMTg6Mjg6MzAtMDM6MDAgbWFyY2Vsb0Bs b2dvcy5jbmV0ICsxIC0wCiMgICBUaG9tYXMgQmllZ2U6IEZpeCBtaXNzaW5nIERBQyBjaGVjayBv biBzeXNfY2hvd24KIyAKZGlmZiAtTnJ1IGEvZnMvYXR0ci5jIGIvZnMvYXR0ci5jCi0tLSBhL2Zz L2F0dHIuYwkyMDA0LTA3LTA4IDE3OjA1OjIwIC0wNzowMAorKysgYi9mcy9hdHRyLmMJMjAwNC0w Ny0wOCAxNzowNToyMCAtMDc6MDAKQEAgLTMzLDYgKzMzLDcgQEAKIAogCS8qIE1ha2Ugc3VyZSBj YWxsZXIgY2FuIGNoZ3JwLiAqLwogCWlmICgoaWFfdmFsaWQgJiBBVFRSX0dJRCkgJiYKKwkgICAg KGN1cnJlbnQtPmZzdWlkICE9IGlub2RlLT5pX3VpZCB8fAogCSAgICAoIWluX2dyb3VwX3AoYXR0 ci0+aWFfZ2lkKSAmJiBhdHRyLT5pYV9naWQgIT0gaW5vZGUtPmlfZ2lkKSAmJgogCSAgICAhY2Fw YWJsZShDQVBfQ0hPV04pKQogCQlnb3RvIGVycm9yOwo= 35040 2004-07-08 17:14 0000 2.4 kernel missing ) in inode_change code patch 2.4-inode_change_exploit.patch text/plain IyBUaGlzIGlzIGEgQml0S2VlcGVyIGdlbmVyYXRlZCBkaWZmIC1OcnUgc3R5bGUgcGF0Y2guCiMK IyBDaGFuZ2VTZXQKIyAgIDIwMDQvMDcvMDMgMTk6Mjk6NDUtMDM6MDAgbWFyY2Vsb0Bsb2dvcy5j bmV0IAojICAgICBBZGQgbWlzc2luZyBicmFja2V0IHRvIGlub2RlX2NoYW5nZV9vaygpIGZpeAoj ICAgVEFHOiB2Mi40LjI3LXJjMwojIAojIGZzL2F0dHIuYwojICAgMjAwNC8wNy8wMyAxOToyODoy OS0wMzowMCBtYXJjZWxvQGxvZ29zLmNuZXQgKzEgLTEKIyAgIEFkZCBtaXNzaW5nIGJyYWNrZXQg dG8gaW5vZGVfY2hhbmdlX29rKCkgZml4CiMgCmRpZmYgLU5ydSBhL2ZzL2F0dHIuYyBiL2ZzL2F0 dHIuYwotLS0gYS9mcy9hdHRyLmMJMjAwNC0wNy0wOCAxNzowNjo1OCAtMDc6MDAKKysrIGIvZnMv YXR0ci5jCTIwMDQtMDctMDggMTc6MDY6NTggLTA3OjAwCkBAIC0zNCw3ICszNCw3IEBACiAJLyog TWFrZSBzdXJlIGNhbGxlciBjYW4gY2hncnAuICovCiAJaWYgKChpYV92YWxpZCAmIEFUVFJfR0lE KSAmJgogCSAgICAoY3VycmVudC0+ZnN1aWQgIT0gaW5vZGUtPmlfdWlkIHx8Ci0JICAgICghaW5f Z3JvdXBfcChhdHRyLT5pYV9naWQpICYmIGF0dHItPmlhX2dpZCAhPSBpbm9kZS0+aV9naWQpICYm CisJICAgICghaW5fZ3JvdXBfcChhdHRyLT5pYV9naWQpICYmIGF0dHItPmlhX2dpZCAhPSBpbm9k ZS0+aV9naWQpKSAmJgogCSAgICAhY2FwYWJsZShDQVBfQ0hPV04pKQogCQlnb3RvIGVycm9yOwog Cg==