Bug 489808 (CVE-2009-0784)
Summary: | CVE-2009-0784 systemtap: race condition leads to privilege escalation | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||||
Component: | vulnerability | Assignee: | Frank Ch. Eigler <fche> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | unspecified | CC: | dsmith, fche, jlieskov, kreilly, mjc, security-response-team | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2009-03-31 06:56:47 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 489969, 489970, 489978, 489979 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Vincent Danen
2009-03-11 23:06:43 UTC
Created attachment 334872 [details]
Not a sufficient patch for this bug.
This patch forces the canonicalization of the module directory
to be done early, so that only the canonicalized path name is
used for both permission checking and for actual module loading.
Comment on attachment 334872 [details]
Not a sufficient patch for this bug.
Note that this patch applies to upstream and recent systemtap versions. I'll post another one against RHEL5.3.
Comment on attachment 334872 [details]
Not a sufficient patch for this bug.
Sorry, a simpler patch will fix just this bug; we'll clean up this general area later.
Created attachment 334879 [details]
Patch for RHEL5.3 and git/upstream systemtap.
RHEL4 (systemtap-0.6.2-1.el4 RPM) is also potentially affected. The same fix looks like it should fit there too. Just to note some factors that need to be in place before this can be exploited (aside from controlling the race condition itself): - the user must be in the stapusr group - the /lib/modules/$VERSION/systemtap directory must exist (does not by default) - there must be a kernel object inside this directory to use to perform the race with None of these conditions are default, even with systemtap installed. Lifting embargo. Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0784 to this vulnerability: Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.20090314 allows local users in the stapusr group to gain privileges via unknown vectors. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0784 http://www.debian.org/security/2009/dsa-1755 This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:0373 https://rhn.redhat.com/errata/RHSA-2009-0373.html Fedora updates to fixed upstream version 0.9.5: https://admin.fedoraproject.org/updates/F9/FEDORA-2009-3106 https://admin.fedoraproject.org/updates/F10/FEDORA-2009-3152 |