Bug 134876 - CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073)
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: ia64
OS: Linux
Target Milestone: ---
Assignee: Jim Paradis
QA Contact: Brian Brock
Whiteboard: impact=moderate,embargo=20041110:12
Keywords: Security
Reported: 2004-10-06 21:24 UTC by Josh Bressers
Modified: 2013-08-06 01:08 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-12-13 20:17:13 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2004:504
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Updated Itanium kernel packages resolve security issues
Last Updated: 2004-12-13 05:00:00 UTC

Description Josh Bressers 2004-10-06 21:24:06 UTC
Paul Starzetz has reported to vendor-sec an issue in the Linux ELF
binary loader while handling setuid binaries.  This could lead to
local privilege escalation.

This issue is fairly complicated; the advisory is attachment 104867,
with the current patch being investigated as attachment 104868.

This issue is currently embargoed with no date set.

Comment 1 Jason Baron 2004-10-11 19:21:10 UTC
moving to needinfo, as per Dave Anderson's comments in the
corresponding rhel3 bug, 134874.

Comment 2 Josh Bressers 2004-11-10 14:26:19 UTC
Removing embargo.

Comment 3 Josh Bressers 2004-11-29 19:16:36 UTC
Here is the CVE information for this issue.

>>20040920 binfmt_elf loader vulnerabilities
>>      2.4.27 and earlier, 2.6.9 and earlier are vulnerable
>>      http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
>>      1&3 Missing return value check may allow memory layout
>>      modification of setuid binaries
  CAN-2004-1070 - missing return value check

>>      2. Incorrect error handling can lead to incorrect mapped image
>>      in memory
  CAN-2004-1071 - incorrect error handling

>>      4. Possible to exceed to the maximum path size of an
>>      interpreter name string which may lead to a denial of service
  CAN-2004-1072 - exceed maximum path size for interpreter name string

>>      5. open_exec() allows reading of non-readable ELF binaries
  CAN-2004-1073 - open_exec reading non-readable ELF binaries

Comment 4 John Flanagan 2004-12-13 20:17:14 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

