Bug 134876 - CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073)
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Hardware: ia64 Linux
Priority: medium Severity: medium
Assigned To: Jim Paradis
Brian Brock
Keywords: Security
Reported: 2004-10-06 17:24 EDT by Josh Bressers
Modified: 2013-08-05 21:08 EDT
Doc Type: Bug Fix
Last Closed: 2004-12-13 15:17:13 EST
Description Josh Bressers 2004-10-06 17:24:06 EDT
Paul Starzetz has reported to vendor-sec an issue in the Linux ELF
binary loader while handling setuid binaries.  This could lead to
local privilege escalation.

This issue is fairly complicated; the advisory is attachment 104867,
with the current patch being investigated as attachment 104868.

This issue is currently embargoed with no date set.
Comment 1 Jason Baron 2004-10-11 15:21:10 EDT
moving to needinfo, as per Dave Anderson's comments in the
corresponding rhel3 bug, 134874.
Comment 2 Josh Bressers 2004-11-10 09:26:19 EST
Removing embargo.
Comment 3 Josh Bressers 2004-11-29 14:16:36 EST
Here is the CVE information for this issue.

>>20040920 binfmt_elf loader vulnerabilities
>>      2.4.27 and earlier, 2.6.9 and earlier are vulnerable
>>      http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
>>      1&3 Missing return value check may allow memory layout
>>      modification of setuid binaries
  CAN-2004-1070 - missing return value check

>>      2. Incorrect error handling can lead to incorrect mapped image
>>      in memory
  CAN-2004-1071 - incorrect error handling

>>      4. Possible to exceed the maximum path size of an
>>      interpreter name string which may lead to a denial of service
  CAN-2004-1072 - exceed maximum path size for interpreter name string

>>      5. open_exec() allows reading of non-readable ELF binaries
  CAN-2004-1073 - open_exec reading non-readable ELF binaries
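
A defensive sketch of the kind of bound that CAN-2004-1072 concerns, written for this page as an added example (it is not the kernel patch or code from the bug report): it validates the PT_INTERP segment of an ELF64 little-endian image before the interpreter name is used. The 4096-byte limit (Linux PATH_MAX), the status names, and the in-file and NUL-termination checks are assumptions that go beyond the one-line description above; `make_sample` builds a constructed test image.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define INTERP_MAX 4096u    /* assumption: Linux PATH_MAX */
#define PT_INTERP_TYPE 3u   /* PT_INTERP value from the ELF specification */
enum interp_status { INTERP_OK, INTERP_NONE, INTERP_BAD_ELF,
                     INTERP_BAD_SIZE, INTERP_OUT_OF_FILE, INTERP_NOT_TERMINATED };

/* Read an n-byte little-endian integer (n <= 8) without alignment assumptions. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Validate the first PT_INTERP program header of an ELF64 LSB image. */
enum interp_status check_interp(const uint8_t *img, size_t len) {
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return INTERP_BAD_ELF;
    uint64_t phoff = rd_le(img + 32, 8);                      /* e_phoff */
    uint64_t phentsize = rd_le(img + 54, 2), phnum = rd_le(img + 56, 2);
    if (phentsize < 56 || phoff > len || phnum * phentsize > len - phoff)
        return INTERP_BAD_ELF;
    for (uint64_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + i * phentsize;
        if (rd_le(ph, 4) != PT_INTERP_TYPE) continue;
        uint64_t off = rd_le(ph + 8, 8), filesz = rd_le(ph + 32, 8);
        /* The name needs one character plus NUL and must fit in a path. */
        if (filesz < 2 || filesz > INTERP_MAX)
            return INTERP_BAD_SIZE;
        /* Overflow-safe check that the segment lies inside the file. */
        if (off > len || filesz > len - off)
            return INTERP_OUT_OF_FILE;
        if (img[off + filesz - 1] != '\0')
            return INTERP_NOT_TERMINATED;
        return INTERP_OK;
    }
    return INTERP_NONE;
}

/* Constructed sample (cap >= 120): header, one PT_INTERP phdr at 64, name at 120. */
size_t make_sample(uint8_t *buf, size_t cap, uint64_t filesz, int terminated) {
    memset(buf, 'A', cap); memset(buf, 0, 120);
    memcpy(buf, "\177ELF\2\1\1", 7);           /* magic, ELFCLASS64, LSB, version */
    buf[32] = 64; buf[54] = 56; buf[56] = 1;   /* e_phoff, e_phentsize, e_phnum */
    buf[64] = PT_INTERP_TYPE; buf[72] = 120;   /* p_type, p_offset */
    for (int i = 0; i < 8; i++) buf[96 + i] = (uint8_t)(filesz >> (8 * i)); /* p_filesz */
    if (terminated && filesz >= 1 && 120 + filesz <= cap) buf[120 + filesz - 1] = 0;
    return cap;
}
```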
Comment 4 John Flanagan 2004-12-13 15:17:14 EST
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.