Bug 1235

Summary: There has been a security exploit reported against LSOF
Product: [Retired] Red Hat Linux Reporter: Chris Siebenmann <cks-rhbugzilla>
Component: lsofAssignee: David Lawrence <dkl>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.2CC: cks-rhbugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-02-19 16:04:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Chris Siebenmann 1999-02-18 23:27:09 UTC
BUGTRAQ has recently carried a report of a security
exploit against all current versions of LSOF up to and
including 4.40. Vic Abell, the author of LSOF, has
released a patch for it, in (email) message-id
	<001001be5b37$b7e6aeb0$aa87d280@vic2.cc.purdue.edu>
on BUGTRAQ (with the subject 'Re: [HERT] Advisory #002
Buffer overflow in lsof'); the patch itself is at
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/patches/4.40/arg.c.patch
(for lsof 4.40, clearly).
The original report of the problem was message-id
<19990218013035.B4950@red.blood.int> on BUGTRAQ and is
available at
	http://www.hert.org/advisories/HERT-02.asc
although it doesn't give any details.

(hopefully Bugzilla will preserve the angle brackets in
those message-ids)

Comment 1 Bill Nottingham 1999-02-19 00:52:59 UTC
/dev/kmem under Linux is read-only, so it is not
vulnerable to a root compromise.

Comment 2 Chris Siebenmann 1999-02-19 08:27:59 UTC
It's not clear to me if read access to kmem (apparently obtainable
through the lsof exploit on RedHat 5.2, since lsof is setgid kmem
and /dev/kmem is group-readable for kmem) can be used to do evil
things. RedHat might want to look into the situation and make a
statement one way or another. (Or it might be simpler and less time
consuming to just release new lsof RPMs built from 4.40 + Vic's
patch.)

Comment 3 Jeff Johnson 1999-02-19 16:04:59 UTC
The immediate fix is
	chmod g-s /usr/sbin/lsof
An updated errata of lsof-4.40 with Vic Abel's patch will be issued
shortly.