Red Hat Bugzilla – Bug 143866
CAN-2004-1237 kernel panic caused by auditd
Last modified: 2015-01-07 19:09:10 EST

Wade Holmes reported to secalert on 2004-12-28 a bug in auditd that
can cause a kernel panic.

An easily repeatable and exploitable problem with laus/auditd has been
discovered on Red Hat Enterprise WS. It has been tested on IA-32 and
x86_64; others running auditd may also be vulnerable.

To cause a kernel panic/oops, execute the open() call under a
user/global execute-only directory from cron. Any user with access to
cron can initiate the panic. Example:
    0 5 * * * /tmp/folder/panic.pl

contents of panic.pl:

    # this file does not have to exist.
    $file = "/tmp/foo";

permissions of /tmp/folder:

If this is a kernel issue rather than a problem with auditd, please
refile this bug.

This issue does not seem to affect anything other than RHEL3.

This is already fixed in U5, marking entry as a duplicate of BZ #
141996. The parent BZ # is 132245.
*** This bug has been marked as a duplicate of 141996 ***

Josh, this can't be embargoed. We've already made the fix in U5,
and although U5 has not yet been released, kernels with the fix
have already been given to key partners/customers for testing
other U5 fixes.

Ernie, That's fair. I wanted to be sure. Removing embargo.

The fix for this problem has also been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.2.EL).

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.