Red Hat Bugzilla – Bug 134876
CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073)
Last modified: 2013-08-05 21:08:07 EDT
Paul Starzetz has reported to vendor-sec an issue in the Linux ELF
binary loader while handling setuid binaries. This could lead to
local privilege escalation.
This issue is fairly complicated; the advisory is attachment 104867,
with the current patch being investigated as attachment 104868.
This issue is currently embargoed with no date set.
Moving to needinfo, as per Dave Anderson's comments in the
corresponding rhel3 bug, 134874.
Here is the CVE information for this issue.
>>20040920 binfmt_elf loader vulnerabilities
>> 2.4.27 and earlier, 2.6.9 and earlier are vulnerable
>> 1&3 Missing return value check may allow memory layout
>> modification of setuid binaries
CAN-2004-1070 - missing return value check
>> 2. Incorrect error handling can lead to incorrect mapped image
>> in memory
CAN-2004-1071 - incorrect error handling
>> 4. Possible to exceed the maximum path size of an
>> interpreter name string which may lead to a denial of service
CAN-2004-1072 - exceed maximum path size for interpreter name string
>> 5. open_exec() allows reading of non-readable ELF binaries
CAN-2004-1073 - open_exec reading non-readable ELF binaries
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.