Red Hat Bugzilla – Bug 134875
CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073)
Last modified: 2013-08-05 21:08:07 EDT
Paul Starzetz has reported to vendor-sec an issue in the Linux ELF
binary loader while handling setuid binaries. This could lead to
local privilege escalation.
This issue is fairly complicated; the advisory is attachment 104867,
with the current patch being investigated as attachment 104868.
This issue is currently embargoed with no date set.
Moving to needinfo, as per Dave Anderson's comments in the
corresponding rhel3 bug, 134874.
A patch to fix this issue has been committed to the RHEL2.1 U6 (pensacola) tree
for release 2.4.9-e.56
Here is the CVE information for this issue.
>>20040920 binfmt_elf loader vulnerabilities
>> 2.4.27 and earlier, 2.6.9 and earlier are vulnerable
>> 1&3 Missing return value check may allow memory layout
>> modification of setuid binaries
CAN-2004-1070 - missing return value check
>> 2. Incorrect error handling can lead to incorrect mapped image
>> in memory
CAN-2004-1071 - incorrect error handling
>> 4. Possible to exceed the maximum path size of an
>> interpreter name string which may lead to a denial of service
CAN-2004-1072 - exceed maximum path size for interpreter name string
>> 5. open_exec() allows reading of non-readable ELF binaries
CAN-2004-1073 - open_exec reading non-readable ELF binaries
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.