Bug 34844 - userland can access Linux kernel memory
Summary: userland can access Linux kernel memory
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://securityfocus.com/archive/1/34...
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks: 34846
Reported: 2003-12-01 13:39 UTC by SpanKY
Modified: 2003-12-04 13:02 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
output of function epatch while trying to use patch "do_brk_fix.patch" (hardened-sources-2.4.22-r1) (do_brk_fix.patch-26726.out,2.44 KB, text/plain)
2003-12-02 12:54 UTC, schaedpq

Description SpanKY gentoo-dev 2003-12-01 13:39:01 UTC
Recently multiple servers of the Debian project were compromised using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Study of the exploit
by the RedHat and SuSE kernel and security teams quickly revealed that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel into
giving access to the full kernel address space. This problem was found
in September by Andrew Morton, but unfortunately that was too late for
the 2.4.22 kernel release.

This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
2.6.0-test6 kernel tree. For Debian it has been fixed in version
2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
kernel images and version 2.4.18-11 of the alpha kernel images.
Comment 1 solar (RETIRED) gentoo-dev 2003-12-01 15:26:32 UTC
iggy is busy patching all kernels in portage right now.
First kernel to see the fix is gentoo-sources.

This is the fix. http://linux.bkbits.net:8080/linux-2.5/patch%401.1267.76.6
Comment 2 Brian Jackson (RETIRED) gentoo-dev 2003-12-02 00:33:12 UTC
All kernels are patched, and I'm almost done with revision bumps, but revision bumps on gentoo-sources probably won't happen till tomorrow morning since it's almost 3am here.
Comment 3 Bill Kenworthy 2003-12-02 05:21:33 UTC
added this here as this bug is the probable root cause:

openmosix-sources-2.4.22-r1 fails to compile because of errors in mm/mmap.c: the len variable has not been defined and the addr or address variable is not sure what it should be

from Line 1041:
int len ... added by me
// is original if statement
__________________________________
int expand_stack(struct vm_area_struct * vma, unsigned long address)
{
	unsigned long grow;

	int len = vma->vm_end - vma->vm_start;

	//if ((addr + len) > TASK_SIZE || (addr + len) < addr)
	if ((address + len) > TASK_SIZE || (address + len) < address)
		return -EINVAL;
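The bounds check in the 2.4.23 do_brk() fix, which is the same two-part test pasted in Comment 3, needs both halves: the upper bound against TASK_SIZE and the wraparound test. The following is an added user-space model, not code from this bug or from the kernel; it assumes the classic i386 TASK_SIZE value of 0xC0000000 and uses uint32_t to reproduce 32-bit unsigned arithmetic on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two-part range check added to do_brk() in
 * Linux 2.4.23. uint32_t stands in for the kernel's unsigned long on
 * i386 so the wraparound reproduces on 64-bit hosts; TASK_SIZE is the
 * classic i386 3G/1G split value (assumption, not taken from the page). */
#define TASK_SIZE 0xC0000000u
#define EINVAL    22

/* Only the upper-bound half of the check: a length whose 32-bit sum
 * wraps past zero ends up below TASK_SIZE and is wrongly accepted. */
int brk_range_upper_only(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;      /* modular arithmetic, may wrap */
    return end > TASK_SIZE ? -EINVAL : 0;
}

/* The full 2.4.23 check: the end must not exceed TASK_SIZE, and the
 * sum must not have wrapped around below its own start. */
int brk_range_checked(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end > TASK_SIZE || end < addr)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a range ending exactly at TASK_SIZE, one that
     * reaches past it, and one whose 32-bit end wraps to 0x1000. */
    struct { uint32_t addr, len; } cases[] = {
        { 0xBFFF0000u, 0x00010000u },   /* ends at TASK_SIZE: accepted */
        { 0xBFFF0000u, 0x00020000u },   /* ends above TASK_SIZE: rejected */
        { 0xFFFFF000u, 0x00002000u },   /* wraps: only the full check rejects */
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("addr=%08x len=%08x upper-only=%d checked=%d\n",
               cases[i].addr, cases[i].len,
               brk_range_upper_only(cases[i].addr, cases[i].len),
               brk_range_checked(cases[i].addr, cases[i].len));
    return 0;
}
```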
Comment 4 SpanKY gentoo-dev 2003-12-02 08:11:30 UTC
bill: uhh your patch is working in the function expand_stack() ...

i thought the patch was against do_brk() ...
Comment 5 Brian Jackson (RETIRED) gentoo-dev 2003-12-02 10:19:40 UTC
fixed the openmosix patch in cvs, give it another try in a few minutes
Comment 6 schaedpq 2003-12-02 12:54:46 UTC
Created attachment 21596 [details]
output of function epatch while trying to use patch "do_brk_fix.patch" (hardened-sources-2.4.22-r1)

I have some problems with hardened-sources-2.4.22-r1. (No newer version was
available at 21:50 CET, 12/02/2003). After unpacking it gives:
 * Applying do_brk_fix.patch...

 * Failed Patch: do_brk_fix.patch!
 *
 * Include in your bugreport the contents of:
 *
 *    /var/tmp/portage/hardened-sources-2.4.22-r1/temp/do_brk_fix.patch-26726.out

Please see attachment for the contents of do_brk_fix.patch-26726.out.
(I have addpatches-0.2 installed on my system.)
Am I the only one who has this problem?

Of course, the patch "do_brk_fix.patch" itself works, if you patch manually
(patch -p1 < ...)
Comment 7 Brian Jackson (RETIRED) gentoo-dev 2003-12-02 15:14:45 UTC
hardened sources is fixed in cvs
Comment 8 Bill Kenworthy 2003-12-02 18:38:32 UTC
Another problem: gs-sources 2.4.23_pre8-gss-r1 forgets it's a "r1" and installed over the top of 2.4.23_pre8-gss ...

bunyip src # emerge gs-sources -s
Searching...
[ Results for search key : gs-sources ]
[ Applications found : 1 ]
  
*  sys-kernel/gs-sources
      Latest version available: 2.4.23_pre8-r1
      Latest version installed: 2.4.23_pre8-r1
      Size of downloaded files: 32,413 kB
      Homepage:    http://www.kernel.org/ http://www.gentoo.org/
      Description: This kernel stays up to date with current kernel -pres, with recent acpi,evms,win3lin ,futexes,aic79xx, superfreeswan,preempt/ll, and various hw fixes.
 
bunyip src # ls -al
total 80
drwxr-xr-x    5 root     root         4096 Nov 12 14:06 .
drwxr-xr-x   17 root     root         4096 Sep 24 13:50 ..
-rw-r--r--    1 root     root            0 Sep 23 21:23 .keep
-rwxr-xr-x    1 root     root        39922 May  2  2003 fglrx_panel_sources.tgz
-rwxr-xr-x    1 root     root        17336 May  2  2003 fglrx_sample_source.tgz
lrwxrwxrwx    1 root     root           21 Nov 12 14:06 linux -> linux-2.4.23_pre8-gss
drwxr-xr-x   16 root     root         4096 Oct  8 22:38 linux-2.4.23_pre6-gss-r1
drwxr-xr-x   16 root     root         4096 Oct 26 10:30 linux-2.4.23_pre7-gss
drwxr-xr-x   16 root     root         4096 Dec  3 10:02 linux-2.4.23_pre8-gss
bunyip src #

bunyip src # genlop gs-sources
 
 * sys-kernel/gs-sources
 
     Merged   at Tue Oct  7 04:46:32 2003    (gs-sources-2.4.23_pre6-r1)
     Merged   at Mon Oct 20 05:01:02 2003    (gs-sources-2.4.23_pre7)
     Merged   at Wed Nov 12 06:01:10 2003    (gs-sources-2.4.23_pre8)
     Merged   at Wed Dec  3 01:36:31 2003    (gs-sources-2.4.23_pre8-r1)
 
gs-sources: merged totally 4 times.
 
Comment 9 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-12-04 12:32:55 UTC
glsa 200312-02 sent as:

--------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-02
--------------------------------------------------------------------------

GLSA:        200312-02
package:     kernel
summary:     A flaw in the do_brk() function of Linux kernel 2.4.22
                and earlier can be exploited by local users or malicious
                services to gain root privileges.
severity:    high
Gentoo bug:  34844
date:        2003-12-04
CVE:         CAN-2003-0961
exploit:     local
affected:    <2.4.22
fixed:       >=2.4.23
fixed:       >=2.4.22+patches


DESCRIPTION:

Lack of proper bounds checking exists in the do_brk() kernel function in
Linux kernels prior to 2.4.23. This bug can be used to give a userland
program or malicious service access to the full kernel address space and
gain root privileges. This issue is known to be exploitable.

All kernel ebuilds in Portage have been bumped or patched and do not contain
this vulnerability. The following is a list of recommended kernels.
    
        aa-sources-2.4.23_pre6-r3
        ck-sources-2.4.22-r3
        gentoo-sources-2.4.20-r9
        gentoo-sources-2.4.22-r1
        grsec-sources-2.4.22.1.9.12-r1
        grsec-sources-2.4.22.2.0_rc3-r1
        gs-sources-2.4.23_pre8-r1
        hardened-sources-2.4.22-r1
        ia64-sources-2.4.22-r1
        mips-sources-2.4.22-r4
        mips-sources-2.4.22-r5
        openmosix-sources-2.4.22-r1
        ppc-sources-2.4.22-r3
        ppc-sources-benh-2.4.20-r9
        ppc-sources-benh-2.4.21-r2
        ppc-sources-benh-2.4.22-r3
        ppc-sources-crypto-2.4.20-r1
        selinux-sources-2.4.21-r5
        sparc-sources-2.4.23
        usermode-sources-2.4.22-r1
        wolk-sources-4.10_pre7-r1
        wolk-sources-4.9-r2
        xfs-sources-2.4.20-r4


SOLUTION:

It is recommended that all Gentoo Linux users upgrade their machines to use
a kernel from the list above.

        emerge sync
        emerge -pv [your preferred kernel sources]
        emerge [your preferred kernel sources]
        [update the /usr/src/linux symlink]
        [compile and install your new kernel]
        [emerge any necessary kernel module ebuilds]
        [reboot]


// end

Comment 10 Brian Jackson (RETIRED) gentoo-dev 2003-12-04 12:56:16 UTC
regarding gs-sources, that was a booboo on my part, it didn't need to be bumped as it was already fixed, so pre8 and pre8-r1 are the same thing anyways, sorry for the confusion
Comment 11 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-12-04 13:02:01 UTC
glsa sent, closing.

<http://www.gentoo.org/security/en/glsa/glsa-200312-02.xml>