Package: kernel-patch-vserver Severity: critical Tags: sarge Justification: root security hole
Dear maintainer(s), I found the kernel-patch-vserver and util-vserver in sarge can not pass the testfs.sh script[1] which provide by upstream author. After some more tests, upstream author discoveryed this is a security hole. Here is what I did in my test: # ls -lda /var/lib/vservers/XXXX/.. d--------- 8 root root 4096 Sep 19 19:46 /var/lib/vservers/XXXX/../ # showattr -d /var/lib/vservers/XXXX/.. ---BU-- /var/lib/vservers/XXXX/.. # lsattr -d /var/lib/vservers/XXXX/.. ---------------t- /var/lib/vservers/XXXX/.. ssh into a guest and then starting the root exploit[2] inside a guest now gives: Exploit seems to work. =) And then I can be able to access the host, can be able to read /etc/shadow and can be able to create /test.txt in the host. [1] http://vserver.13thfloor.at/Stuff/SCRIPT/testfs.sh-0.09 [2] http://vserver.13thfloor.at/Stuff/rootesc.c -- System Information: Debian Release: 3.1 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.4.27-10vserver Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
