Bug 84167 - hardened/grsec-sources: Privilege elevation through PaX (CAN-2005-0666)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://grsecurity.net/news.php#grsec212
Whiteboard: [hardened <2.4.28-r5] [hardened >=2.6...
Keywords:
Duplicates: 68364 84154
Depends on:
Blocks: 80832
Reported: 2005-03-05 02:41 UTC by Andreas Korthaus
Modified: 2009-05-03 21:44 UTC



Attachments
2.4.28-grsec-2.1.0-pax-mmap-pgtables.patch (2.4.28-grsec-2.1.0-pax-mmap-pgtables.patch,1.17 KB, patch)
2005-03-05 11:57 UTC, solar (RETIRED)

Description Andreas Korthaus 2005-03-05 02:41:10 UTC
From full-disclosure: http://lists.netsys.com/pipermail/full-disclosure/2005-March/032240.html

                PaX privilege elevation security bug

Severity:       critical

Description:    unprivileged users can execute arbitrary code with
                the privileges of the target in any program they or
                other users can execute

                it is definitely exploitable for local users,
                remote exploitability depends on how much control
                one can have over executable file mappings in the
                target

Affected
versions:       all releases since 2003 September
                (when vma mirroring was introduced)

Affected
configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring)
                in the kernel's .config file

Fixed versions: patches released today, see http://pax.grsecurity.net

Mitigation:     echo "0 0" > /proc/sys/vm/pagetable_cache

                this will eliminate the obvious exploit vector only,
                patching is still unavoidable

Technical details will be posted to the dailydave mailing list,
probably early next week.

This is a spectacular fuckup, it pretty much destroys what PaX has
always stood and been trusted for. For this and other reasons, PaX
will be terminated on 1st April, 2005, a fitting date... Brad Spengler
offered to take it up but if you're interested in helping as well,
contact pageexec at freemail.hu.


New grsecurity patch has been released: http://grsecurity.net/news.php#grsec212 

[03/04] grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE*

grsecurity 2.1.2 has been released today for the 2.4.29 and 2.6.11 kernels. This is a critical release, and all users of grsecurity are strongly urged to upgrade as soon as possible. Changes in this release include the removal of RANDEXEC from the configuration, a fix for the unsafe terminal false positive, the ability to use hostnames instead of IPs in the RBAC policy file, the removal of the randomized TCP ISN, RPC XID, and IP ID code, since they added no greater security than what Linux currently provides, more consistent log messages, and PaX updates.

Of particular importance is a fix for an exploitable vulnerability in PaX that exists if the SEGMEXEC or RANDEXEC features are enabled. The vulnerability was found yesterday by the PaX team during an audit of their code. Though remote exploitation of the vulnerability is very unlikely, it can be abused locally to compromise the system. If you have grsecurity configured in the LOW or MEDIUM settings, you are not vulnerable. To mitigate some of the risk imposed by the vulnerability until you can patch your machines, echo "0 0" > /proc/sys/vm/pagetable_cache
The PaX team's advisory is available here.

Reproducible: Always
grsec-sources, hardened-sources... affected.
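The advisory above names the affected configurations (SEGMEXEC or RANDEXEC in the kernel .config) and an interim mitigation (vm.pagetable_cache set to "0 0") that only removes the obvious exploit vector. The script below is an added example, not code from this bug, from the PaX team or from grsecurity: it turns those two statements into a check an administrator could run on a 2.4-era box to see whether a kernel config is exposed and whether the mitigation is in place before the patched sources land. The Kconfig symbol names CONFIG_PAX_SEGMEXEC and CONFIG_PAX_RANDEXEC are assumed to match the PaX options of the period, and the sample config and sysctl files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: classify a kernel config against CAN-2005-0666 and check the
# interim mitigation from the PaX advisory. Not part of the bug or of PaX/grsecurity.
# Assumption: the vma-mirroring features appear in .config as
# CONFIG_PAX_SEGMEXEC=y / CONFIG_PAX_RANDEXEC=y.

# Returns 0 when the given .config enables SEGMEXEC or RANDEXEC (vma mirroring),
# which is the "affected configurations" condition in the advisory.
pax_mirroring_enabled() {
    grep -qE '^CONFIG_PAX_(SEGMEXEC|RANDEXEC)=y' "$1"
}

# Returns 0 when the given pagetable_cache sysctl file reads "0 0", i.e. the
# advisory's mitigation (echo "0 0" > /proc/sys/vm/pagetable_cache) is applied.
pagetable_cache_disabled() {
    [ -r "$1" ] || return 1
    set -- $(cat "$1")
    [ "${1:-x}" = "0" ] && [ "${2:-x}" = "0" ]
}

# Prints one of: not-affected, affected-mitigated, affected-unmitigated.
# Arguments: path to kernel .config, path to the pagetable_cache sysctl file
# (normally /proc/sys/vm/pagetable_cache on a live 2.4 system).
pax_vuln_status() {
    cfg="$1"; pt="$2"
    if ! pax_mirroring_enabled "$cfg"; then
        echo "not-affected"
    elif pagetable_cache_disabled "$pt"; then
        echo "affected-mitigated"        # patching is still required per the advisory
    else
        echo "affected-unmitigated"
    fi
}

# Constructed sample inputs (not real system files) so the script runs offline.
tmp=$(mktemp -d)
printf 'CONFIG_PAX=y\nCONFIG_PAX_SEGMEXEC=y\n# CONFIG_PAX_RANDEXEC is not set\n' > "$tmp/config-segmexec"
printf 'CONFIG_PAX=y\nCONFIG_PAX_PAGEEXEC=y\n# CONFIG_PAX_SEGMEXEC is not set\n' > "$tmp/config-pageexec"
printf '25 50\n' > "$tmp/pagetable_cache-default"
printf '0 0\n'   > "$tmp/pagetable_cache-mitigated"

echo "SEGMEXEC kernel, default cache:   $(pax_vuln_status "$tmp/config-segmexec" "$tmp/pagetable_cache-default")"
echo "SEGMEXEC kernel, cache disabled:  $(pax_vuln_status "$tmp/config-segmexec" "$tmp/pagetable_cache-mitigated")"
echo "PAGEEXEC-only kernel:             $(pax_vuln_status "$tmp/config-pageexec" "$tmp/pagetable_cache-default")"

rm -rf "$tmp"
```

On a real host the first argument would be the running kernel's config (for example /boot/config-$(uname -r) or a decompressed /proc/config.gz) and the second /proc/sys/vm/pagetable_cache. Note that a PAGEEXEC-only configuration, as solar later observes for sparc, is reported as not affected because it does not use vma mirroring; a mitigated result still means the sources must be upgraded.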
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-05 03:06:31 UTC
All sources making use of GRSEC should urgently patch.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-05 03:08:56 UTC
*** Bug 84154 has been marked as a duplicate of this bug. ***
Comment 3 solar (RETIRED) gentoo-dev 2005-03-05 08:18:47 UTC
I think ck-sources also
Comment 4 solar (RETIRED) gentoo-dev 2005-03-05 11:53:54 UTC
grsec-sources fixed. marked stable for all supporting arches.
Comment 5 solar (RETIRED) gentoo-dev 2005-03-05 11:57:14 UTC
Created attachment 52737 [details, diff]
2.4.28-grsec-2.1.0-pax-mmap-pgtables.patch

This is the patch I backported from
http://cvsweb.grsecurity.net/index.cgi/linux_pax_2_4_29/mm/mmap.c.diff?r1=1.3&r2=1.4
Comment 6 Micheal Marineau (RETIRED) gentoo-dev 2005-03-05 17:12:38 UTC
ck-sources isn't affected, it doesn't include grsec.
Comment 7 Daniel Drake (RETIRED) gentoo-dev 2005-03-05 18:01:00 UTC
lck does
Comment 8 Micheal Marineau (RETIRED) gentoo-dev 2005-03-06 01:27:48 UTC
lck does? it is provided as an extra patch, but shouldn't be in the normal lck patch and the ebuild doesn't apply the extra grsecurity patch.

Or did I miss something here?
Comment 9 Andrea Luzzardi 2005-03-06 14:39:07 UTC
hardened-sources 2.4 fixed (2.4.28-r5)
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-03-07 08:33:54 UTC
Fixed gentoo-sources-2.4 yesterday.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-10 05:51:46 UTC
*** Bug 68364 has been marked as a duplicate of this bug. ***
Comment 12 solar (RETIRED) gentoo-dev 2005-03-11 08:33:26 UTC
This is now
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0666
Comment 13 solar (RETIRED) gentoo-dev 2005-03-11 08:53:30 UTC
gradm-2.1.3.200503070918 (stable all supporting arches)
hardened-dev-sources-2.6.11-r1  (stable all supporting arches)
grsec-sources-2.4.29.2.1.3 (stable all supporting arches)
hardened-sources-2.4.28-r5 (stable but uses gradm-2.1.0)
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 03:16:53 UTC
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...
Comment 15 solar (RETIRED) gentoo-dev 2005-04-09 21:57:27 UTC
If nothing else remains this seems like it can be closed.
Comment 16 Tim Yamin (RETIRED) gentoo-dev 2005-04-12 16:00:20 UTC
All seems fixed, closing bug.
Comment 17 solar (RETIRED) gentoo-dev 2005-04-12 16:07:45 UTC
I found out yesterday that sparc-sources includes grsec.
They would use pageexec there vs segmexec on that arch and would not be affected.
But for future reference it's good to know which kernels include what.