Wade Holmes reported to secalert on 2004-12-28 a bug in auditd that can cause a kernel panic.

An easily repeatable and exploitable problem with laus/auditd has been discovered on Red Hat Enterprise WS. It has been tested on IA-32 and x86_64; others running auditd may also be vulnerable.

To cause a kernel panic/oops, execute the open() call under a user/global execute-only directory from cron. Any user with access to cron can initiate the panic.

Example:

User's crontab:

    0 5 * * * /tmp/folder/panic.pl

Contents of panic.pl:

    #!/usr/bin/perl
    # this file does not have to exist.
    $file = "/tmp/foo";
    open($file);

Permissions of /tmp/folder:

    dr-x--x--x

If this is a kernel issue rather than a problem with auditd, please refile this bug. This issue does not seem to affect anything other than RHEL3.
This is already fixed in U5, marking entry as a duplicate of BZ # 141996. The parent BZ # is 132245. *** This bug has been marked as a duplicate of 141996 ***
Josh, this can't be embargoed. We've already made the fix in U5, and although U5 has not yet been released, kernels with the fix have already been given to key partners/customers for testing other U5 fixes.
Ernie, That's fair. I wanted to be sure. Removing embargo.
The fix for this problem has also been committed to the RHEL3 E5 patch pool this evening (in kernel version 2.4.21-27.0.2.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-043.html