Bug 516171 (CVE-2009-2691)

Summary: CVE-2009-2691 kernel: /proc/$pid/maps visible during initial setuid ELF loading
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atangrin, bhu, dhoward, dhowells, jkacur, jolsa, jrieden, lgoncalv, lwang, nobody, onestero, rkhan, security-response-team, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-22 13:25:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 516684, 516685, 516686, 516687, 516688, 516689    
Bug Blocks:    

Description Eugene Teo (Security Response) 2009-08-07 07:00:46 UTC 
Description of problem:
From Kees Cook: Steve Beattie and I noticed that the /proc/$pid/maps and smaps files are readable during ELF loading for processes that a user should not normally be able to see (for example, when launching a setuid process).
Comment 7 Eugene Teo (Security Response) 2009-08-11 03:23:48 UTC 
Upstream commits:
http://git.kernel.org/linus/13f0feafa6b8aead57a2a328e2fca6a5828bf286
http://git.kernel.org/linus/00f89d218523b9bf6b522349c039d5ac80aa536d
http://git.kernel.org/linus/704b836cbf19e885f8366bccb2e4b0474346c02d

References:
http://lkml.org/lkml/2009/6/23/652
http://lkml.org/lkml/2009/6/23/653
http://marc.info/?l=linux-kernel&m=124718946021193
http://marc.info/?l=linux-kernel&m=124718949821250
http://article.gmane.org/gmane.comp.security.oss.general/1985
Comment 16 John Kacur 2009-08-17 13:02:52 UTC 
[jkacur@tycho rt.linux.git]$ git describe --contains 13f0feafa6b8aead57a2a328e2fca6a5828bf286
v2.6.31-rc6~23^2~2

[jkacur@tycho rt.linux.git]$ git describe --contains 00f89d218523b9bf6b522349c039d5ac80aa536d
v2.6.31-rc6~23^2~1
 
[jkacur@tycho rt.linux.git]$ git describe --contains 704b836cbf19e885f8366bccb2e4b0474346c02d
v2.6.31-rc6~23^2

The current MRG V2 kernel is currently based on 2.6.31-rc6 which contains
all of the relevant commits.
Comment 18 Fedora Update System 2009-08-26 05:12:00 UTC 
kernel-2.6.29.6-217.2.16.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.29.6-217.2.16.fc11
Comment 19 Fedora Update System 2009-08-27 02:18:48 UTC 
kernel-2.6.29.6-217.2.16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2009-11-03 18:21:28 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html