From $URL:

Issue: A locally exploitable flaw has been found in the Linux ELF binary format loader's core dump function that allows local users to gain root privileges and also execute arbitrary code at kernel privilege level.

No patches at this time.
*** Bug 92133 has been marked as a duplicate of this bug. ***
This might work as a temp workaround:
root@* # echo > /proc/sys/kernel/core_pattern
I think 2.6.11.1 is not susceptible. From the vulnerability explanation at isec.pl, two features are necessary. The first (the len variable is signed and the subtraction isn't protected) is extant in 2.6.11.1 (it's in fill_psinfo() rather than elf_core_dump()); however, the second is not, which means the first can't be triggered by the approach described. The create_elf_tables() function always sets both current->mm->arg_end and current->mm->env_start before reaching the 'return 0'.
A fix was released in 2.6.11.9. I don't know if there is more that can be done, but this ought to at least close up the hole. http://linux-release.bkbits.net:8080/linux-2.6.11/gnupatch@4282874aplNy__uGtYtIace0iYmemQ
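An added check, not from this bug or any of its commenters, that ties the two defensive facts stated in the thread together: whether a 2.6 kernel release string is at or above the 2.6.11.9 release named as carrying the fix, and whether the interim core_pattern workaround from the earlier comment is in place. The default core_pattern path and the handling of local suffixes such as "-gentoo-r1" are my assumptions; 2.4 kernels are not judged here.

```shell
#!/bin/sh
# Added example (not from the bug thread). Assumes release strings look like
# "2.6.11.9-gentoo-r1": the local suffix after the first -, + or _ is dropped.

# Return 0 if $1 is a 2.6.x kernel with x.y at or above 11.9.
kernel_at_or_above_2_6_11_9() {
    rel=$(printf '%s' "$1" | sed 's/[-+_].*$//')   # "2.6.11.9-r1" -> "2.6.11.9"
    set -- $(printf '%s' "$rel" | tr '.' ' ')       # split on dots
    major=${1:-0}; minor=${2:-0}; p3=${3:-0}; p4=${4:-0}
    case "$major.$minor" in
        2.6) ;;
        *) return 1 ;;   # only the 2.6 series is judged here
    esac
    [ "$p3" -gt 11 ] && return 0
    [ "$p3" -eq 11 ] && [ "$p4" -ge 9 ] && return 0
    return 1
}

# Return 0 if the core_pattern file named in $1 holds an empty pattern, i.e. the
# "echo > /proc/sys/kernel/core_pattern" workaround from the thread was applied.
# $1 defaults to the live sysctl file (assumed path); unreadable file returns 2.
core_pattern_cleared() {
    f=${1:-/proc/sys/kernel/core_pattern}
    [ -r "$f" ] || return 2
    pat=$(tr -d ' \t\n' < "$f")
    [ -z "$pat" ]
}

# Print a one-line assessment for a release string and a core_pattern file.
assess() {
    if kernel_at_or_above_2_6_11_9 "$1"; then
        echo "$1: at or above 2.6.11.9 (release carrying the fix)"
    elif core_pattern_cleared "$2"; then
        echo "$1: below 2.6.11.9, core_pattern cleared (workaround in place)"
    else
        echo "$1: below 2.6.11.9 and core_pattern set; apply the workaround or upgrade"
    fi
}

assess "$(uname -r)" /proc/sys/kernel/core_pattern
```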
Created attachment 58788 [details, diff] Patch from 2.6.11.9
>=2.4.30-pre1 do not appear to be affected on x86.
ck-sources fixed
Fixed in genpatches-2.6-11.12
Fixed in gentoo-sources-2.6.11-r9
All fixed, closing.