Bug 263037 (CVE-2009-0784) - dev-util/systemtap race condition leading to privilege escalation (CVE-2009-0784)
Status: RESOLVED FIXED
Alias: CVE-2009-0784
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/34475/
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-19 13:13 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-29 17:26 UTC

See Also:
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:13:13 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Erik Sjölund reported a race condition where a user in group
stapusr can load a kernel object from anywhere on the filesystem due to
a race condition in the stap program.  This allows members of stapusr to
effectively elevate privileges to group stapdev or root.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:14:10 UTC
This bug is purely for tracking purposes, as systemtap is not currently stable. Feel free to bump and patch after the embargo date.
Comment 2 Sven Wegener gentoo-dev 2009-03-29 09:01:21 UTC
I've committed 0.9.5 to the tree; it contains a fix for CVE-2009-0784.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-29 17:26:54 UTC
Public as per $URL. Nothing more to do because ~arch only, closing.