86638 2005-03-25 04:25 0000 af_bluetooth local root exploit (CAN-2005-0750) 2009-05-03 15:05:19 0000 1 Unclassified Gentoo Security Kernel unspecified All All RESOLVED FIXED [linux < 2.4.30][ linux >= 2.6 < 2.6.11.6] P2 major --- 1 jaervosz@gentoo.org security@gentoo.org kang@gentoo.org kern-sec@gentoo.org rajiv@gentoo.org jaervosz@gentoo.org 2005-03-25 04:25:05 0000 there is a local root exploit by integer underflow in the bluetooth handling, triggerable by any user if you have bluetooth modules installed. (I think using socket(AF_BLUETOOTH, -index, x); ) Marcel has posted below patch, I am not sure which bk tree that is it is however. CAN-2005-0750 as by Mark J Cox. An actual exploit supposedly exist already. jaervosz@gentoo.org 2005-03-25 04:25:50 0000 Created an attachment (id=54428) CAN-2005-0750.patch koon@gentoo.org 2005-03-26 09:07:03 0000 Patch posted in BK tree. New kernel release should follow. koon@gentoo.org 2005-03-26 09:18:04 0000 Fixed in vanilla 2.6.11.6 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6 kumba@gentoo.org 2005-04-23 22:28:18 0000 mips-sources fixed. dsd@gentoo.org 2005-04-27 13:43:23 0000 Fixed in gentoo-sources-2.6.11-r6 r2d2@gentoo.org 2005-05-17 16:34:00 0000 Another that can probably be closed now. http://kiss.gentoo.org/dev/viewBug.php?BugID=86638 koon@gentoo.org 2005-05-23 04:56:47 0000 *** Bug 87901 has been marked as a duplicate of this bug. *** koon@gentoo.org 2005-05-23 04:59:04 0000 This also affects the 2.4 series. From solar : grsec-sources-2.4.30 is in the tree as ~arch. Note for other bumpers of 2.4.x series. CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never been applied to mainline. plasmaroo@gentoo.org 2005-08-20 11:22:34 0000 rsbac-sources affected. plasmaroo@gentoo.org 2005-11-26 02:34:57 0000 All fixed, closing. 54428 2005-03-25 04:25 0000 CAN-2005-0750.patch CAN-2005-0750.patch text/plain PT09PT0gbmV0L2JsdWV0b290aC9hZl9ibHVldG9vdGguYyAxLjQwIHZzIGVkaXRlZCA9PT09PQot LS0gMS40MC9uZXQvYmx1ZXRvb3RoL2FmX2JsdWV0b290aC5jCTIwMDUtMDMtMTggMTU6MDc6MjIg KzAxOjAwCisrKyBlZGl0ZWQvbmV0L2JsdWV0b290aC9hZl9ibHVldG9vdGguYwkyMDA1LTAzLTI0 IDE5OjQyOjE2ICswMTowMApAQCAtNjIsNyArNjIsNyBAQAogCiBpbnQgYnRfc29ja19yZWdpc3Rl cihpbnQgcHJvdG8sIHN0cnVjdCBuZXRfcHJvdG9fZmFtaWx5ICpvcHMpCiB7Ci0JaWYgKHByb3Rv ID49IEJUX01BWF9QUk9UTykKKwlpZiAocHJvdG8gPCAwIHx8IHByb3RvID49IEJUX01BWF9QUk9U TykKIAkJcmV0dXJuIC1FSU5WQUw7CiAKIAlpZiAoYnRfcHJvdG9bcHJvdG9dKQpAQCAtNzUsNyAr NzUsNyBAQAogCiBpbnQgYnRfc29ja191bnJlZ2lzdGVyKGludCBwcm90bykKIHsKLQlpZiAocHJv dG8gPj0gQlRfTUFYX1BST1RPKQorCWlmIChwcm90byA8IDAgfHwgcHJvdG8gPj0gQlRfTUFYX1BS T1RPKQogCQlyZXR1cm4gLUVJTlZBTDsKIAogCWlmICghYnRfcHJvdG9bcHJvdG9dKQpAQCAtOTAs NyArOTAsNyBAQAogewogCWludCBlcnIgPSAwOwogCi0JaWYgKHByb3RvID49IEJUX01BWF9QUk9U TykKKwlpZiAocHJvdG8gPCAwIHx8IHByb3RvID49IEJUX01BWF9QUk9UTykKIAkJcmV0dXJuIC1F SU5WQUw7CiAKICNpZiBkZWZpbmVkKENPTkZJR19LTU9EKQo=