Author: dannf Date: Sat Jul 15 08:20:30 2006 New Revision: 7006 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/proc-environ-race-1.dpatch dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/proc-environ-race-2.dpatch dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge4 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Log: * proc-environ-race-1.dpatch, proc-environ-race-2.dpatch [SECURITY] Fix local root vulnerability caused by a race in proc See CVE-2006-3626 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat Jul 15 08:20:30 2006 @@ -1,3 +1,11 @@ +kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high + + * proc-environ-race-1.dpatch, proc-environ-race-2.dpatch + [SECURITY] Fix local root vulnerability caused by a race in proc + See CVE-2006-3626 + + -- dann frazier <[EMAIL PROTECTED]> Sat, 15 Jul 2006 02:03:51 -0600 + kernel-source-2.6.8 (2.6.8-16sarge3) stable-security; urgency=high * net-protocol-mod-refcounts-pre.dpatch, net-protocol-mod-refcounts.dpatch Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/proc-environ-race-1.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/proc-environ-race-1.dpatch Sat Jul 15 08:20:30 2006 @@ -0,0 +1,25 @@ +From: Linus Torvalds <[EMAIL PROTECTED]> +Date: Fri, 14 Jul 2006 23:51:34 +0000 (-0700) +Subject: Fix nasty /proc vulnerability +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=18b0bbd8ca6d3cb90425aa0d77b99a762c6d6de3 + +Fix nasty /proc vulnerability + +We have a bad interaction with both the kernel and user space being able +to change some of the /proc file status. This fixes the most obvious +part of it, but I expect we'll also make it harder for users to modify +even their "own" files in /proc. + +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1338,6 +1338,7 @@ static int pid_revalidate(struct dentry + } else { + inode->i_uid = 0; + inode->i_gid = 0; ++ inode->i_mode = 0; + } + security_task_to_inode(task, inode); + put_task_struct(task); Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/proc-environ-race-2.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/proc-environ-race-2.dpatch Sat Jul 15 08:20:30 2006 @@ -0,0 +1,35 @@ +From: Linus Torvalds <[EMAIL PROTECTED]> +Date: Sat, 15 Jul 2006 04:48:03 +0000 (-0700) +Subject: Relax /proc fix a bit +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9ee8ab9fbf21e6b87ad227cd46c0a4be41ab749b + +Relax /proc fix a bit + +Clearign all of i_mode was a bit draconian. We only really care about +S_ISUID/ISGID, after all. + +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> +diff -uprN kernel-source-2.6.8-2.6.8.orig/fs/proc/base.c kernel-source-2.6.8-2.6.8/fs/proc/base.c +--- kernel-source-2.6.8-2.6.8.orig/fs/proc/base.c 2006-07-15 02:10:35.000000000 -0600 ++++ kernel-source-2.6.8-2.6.8/fs/proc/base.c 2006-07-15 02:12:25.000000000 -0600 +@@ -988,8 +988,8 @@ static int pid_revalidate(struct dentry + } else { + inode->i_uid = 0; + inode->i_gid = 0; +- inode->i_mode = 0; + } ++ inode->i_mode &= ~(S_ISUID | S_ISGID); + security_task_to_inode(task, inode); + return 1; + } +@@ -1017,6 +1017,7 @@ static int tid_fd_revalidate(struct dent + inode->i_uid = 0; + inode->i_gid = 0; + } ++ inode->i_mode &= ~(S_ISUID | S_ISGID); + security_task_to_inode(task, inode); + return 1; + } Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge4 ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge4 Sat Jul 15 08:20:30 2006 @@ -0,0 +1,2 @@ ++ proc-environ-race-1.dpatch ++ proc-environ-race-2.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes