Description of problem:

CVE-2007-4573 regression. Reintroduced in v2.6.27-rc1 via commit d4d67150.

Upstream commits:
http://git.kernel.org/linus/36d001c70d8a0144ac1d038f6876c484849a74de
http://git.kernel.org/linus/eefdca043e8391dcd719711716492063030b55ac

References:
http://sota.gen.nz/compat2/

Acknowledgements:
Red Hat would like to thank Ben Hawkes for reporting this issue.
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not contain the upstream commit d4d67150 that introduced this flaw.

More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40330
Public exploit: http://sota.gen.nz/compat2/robert_you_suck.c
There is an exploit: http://seclists.org/fulldisclosure/2010/Sep/268 that works on Red Hat.
CentOS 5.5 example (same kernel as RHEL 5.5):

2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[hacky@ks310439 ~]$ id
uid=518(hacky) gid=518(hacky) groups=518(hacky)
[hacky@ks310439 ~]$ ./a.out
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.3.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# id
uid=0(root) gid=518(hacky) groups=518(hacky)
(In reply to comment #6)
> CentOS 5.5 example (same kernel as RHEL 5.5):
>
> 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64
> GNU/Linux
> [hacky@ks310439 ~]$ id
> uid=518(hacky) gid=518(hacky) groups=518(hacky)
> [hacky@ks310439 ~]$ ./a.out
> Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y

Err, but you pasted them to the wrong bug. Please see CVE-2010-3081 instead. Thanks.
Kbase: https://access.redhat.com/kb/docs/DOC-40330
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
Beta's now out, so moving from Beta nice-to-have list to Final nice-to-have list.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
This was already fixed in F14: https://admin.fedoraproject.org/updates/kernel-2.6.35.4-28.fc14
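The version data scattered through this bug (regression reintroduced in v2.6.27-rc1; fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5; distro kernels such as kernel-2.6.35.4-28.fc14 fixed by backport) is easy to misapply by comparing `uname -r` strings naively. The following is an added triage helper, not code from the bug report or from Red Hat or Fedora: it parses a kernel release string and classifies it against the upstream releases named above, and deliberately refuses to give a verdict for vendor-tagged kernels, since the F14 example shows a 2.6.35.4 kernel that is fixed even though 2.6.35.4 is below 2.6.35.5. The name `assess` and the verdict strings are my own; the version numbers come from the comments above.

```python
"""Classify a `uname -r` string against the CVE-2010-3301 fix data in this
bug report. Added example; function names and verdict strings are assumed."""
import re

# Regression was reintroduced in v2.6.27-rc1 (commit d4d67150).
INTRODUCED = (2, 6, 27)

# Stable series -> first upstream release carrying the fix ("Fixed in ..." comment).
FIXED_IN = {
    (2, 6, 27): (2, 6, 27, 54),
    (2, 6, 32): (2, 6, 32, 22),
    (2, 6, 35): (2, 6, 35, 5),
}

# major.minor.patch[.sub][-rcN][vendor suffix such as -194.3.1.el5 or -28.fc14]
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?(.*)$")


def parse_release(release):
    """Split a kernel release string into (version tuple, is_rc, vendor_suffix).

    The fourth number defaults to 0 so that 2.6.35 and 2.6.35.0 compare equal.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, sub, rc, rest = m.groups()
    version = (int(major), int(minor), int(patch), int(sub or 0))
    return version, rc is not None, rest


def assess(release):
    """Return a verdict string for one kernel release."""
    version, is_rc, vendor = parse_release(release)
    series = version[:3]

    if series < INTRODUCED:
        # RHEL 3/4/5 and MRG kernels fall here; the flawed commit is absent.
        return "not affected: predates v2.6.27-rc1 (assumes d4d67150 not backported)"

    if vendor:
        # Distro kernels carry backports, e.g. kernel-2.6.35.4-28.fc14 is fixed
        # although 2.6.35.4 < 2.6.35.5, so the version string is not conclusive.
        return "vendor kernel: check the vendor errata, version is not conclusive"

    fixed = FIXED_IN.get(series)
    if fixed is None:
        return "unknown: series not covered by the stable releases in the report"

    # A release candidate of the fixed version is still before that release.
    if not is_rc and version >= fixed:
        return "fixed: stable release carries the fix"
    return "vulnerable: upstream release below the fixed version"


if __name__ == "__main__":
    # Constructed sample inputs, including the two release strings quoted in the bug.
    for r in ("2.6.18-194.3.1.el5", "2.6.35.4-28.fc14", "2.6.35.4", "2.6.35.5",
              "2.6.32.21", "2.6.32.22", "2.6.27-rc1", "2.6.30"):
        print(f"{r:24} {assess(r)}")
```

For a fleet check, feed each host's `uname -r` into `assess` and treat anything other than "fixed" or "not affected" as needing a look at the vendor advisory (for RHEL 6 that is the RHSA referenced in this bug) rather than another version comparison.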
This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html