From http://xforce.iss.net/xforce/xfdb/16599 : Linux kernel versions 2.4 and 2.6 could allow a local attacker to mount a remote file system from a vulnerable system and modify files' group IDs, caused by a missing check in the fchown function. Note: Linux kernel version 2.4 kernel is affected by this vulnerability if the file system is shared via an NFS server. CAN-2004-0497
Got the patches from upstream.. posting them now. btw, the issue was in attr code, not really in fchown code.
Created attachment 35037 [details, diff] Patch for 2.6 attr exploit
Created attachment 35038 [details, diff] 2.6 kernel /proc filesystem missing attr check patch
Created attachment 35039 [details, diff] 2.4 kernel sys_chown exploit patch
Created attachment 35040 [details, diff] 2.4 kernel missing ) in inode_change code patch
Both of these fixes have been in {gentoo,hardened}-dev-sources for a bit now. I dont recall if there was an earlier Gentoo bug, but the SuSE/RH advisories have been around for a bit.
Con added the fixes to -ck5 upstream, so a version bump will close the vuln there as well. (Bump requested in #56337)
Maybe this is already fixed in most of our sources, I opened this one to check that all sources are OK with this problem, as it was not listed in the recent kernel GLSA.
Comment on attachment 35039 [details, diff] 2.4 kernel sys_chown exploit patch Marking patch as obsolete since the 2.6 one does not have parenthesis issues and applies fine on 2.4.
Comment on attachment 35040 [details, diff] 2.4 kernel missing ) in inode_change code patch Marking patch as obsolete since the 2.6 one does not have parenthesis issues and applies fine on 2.4.
OK, everything should now be patched. The following sources remain, and I'm adding their maintainers to the CC list: grsec-sources: Adding solar. hardened-sources: Adding hardened herd and scox. hppa-(dev-)sources: Adding GMSoft. mips-sources: Adding `Kumba. openmosix-sources: Adding the cluster herd. pegasos-(dev-)sources: Adding dholm. rsbac-(dev-)sources: Adding kang. selinux-sources: Adding pebenito.
All done for hppa.
all done for openMosix-sources.
In that case..
Seems to be done for grsec-sources as well...
yeah twice. updated revision to grsec-sources-2.4.26.2.0-r6 and added the openmosix-sources.CAN-2004-0497.patch
selinux-sources patched
Still waiting for the following sources to be patched for CAN-2004-0497: - hardened-sources - mips-sources [reAdding `Kumba] - pegasos-(dev-)sources - rsbac-(dev-)sources
rsbac-(dev-)sources: patched
This was one of those patches I saw in an updated SuSE kernel, but I couldn't find a description or patch for -0497. Is there a description and/or patch for -0496 as well (also fixed in the updated SuSE kernel)?
The only reference I can find on -0496 is the SuSE advisory. No description, no patch. According to CVE description, it is a superset of the Sparse-found vulnerabilities we already fixed (-0495). Still waiting for : - hardened-sources - mips-sources - pegasos-(dev-)sources
pegasos(-dev)-sources fixed
Heya, as I said in my ~/.away (http://dev.gentoo.org/devaway/), I don't have any connection at home at the moment (so no access to CVS). I could however bring my ssh keys at work tomorrow, if noone else from the hardened herd can add the patch for me.
GLSA 200407-16.
mips-sources fixed
GLSA should be updated to reflect the mips-sources fix. Additionally, development-sources-2.6.8_rc1 should be marked stable on x86, ppc, arm as it is the fixed version...
Readding `Kumba - the 2.6 kernels also need the /proc patch attached to this bug; and 2.4 needs patching for CAN-2004-0497, but not the /proc issue.
hardened-sources fixed yesterday, before the GLSA went out.
Mips fixed (I hope I'm not missing anything else)
