Bug 195902 - CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Ernie Petrides
QA Contact: Brian Brock
Whiteboard: impact=important,source=redhat,report...
Keywords: Security
Depends On:
Blocks: 198963

Reported: 2006-06-19 09:55 EDT by Marcel Holtmann
Modified: 2009-04-28 00:04 EDT (History)
CC: 4 users

Fixed In Version: RHSA-2006-0574
Doc Type: Bug Fix
Last Closed: 2006-07-07 09:42:37 EDT

Attachments: None
Comment 17 Marcel Holtmann 2006-07-07 07:45:33 EDT
The prctl() function allows unprivileged processes to set the value 2 for
PR_SET_DUMPABLE. In case of a segmentation fault, the core dump will then be
owned by the user root.

This could lead to a denial of service (disk consumption) or allow a local user
to gain root privileges.

The suid_dumpable support and prctl(PR_SET_DUMPABLE, 2) were added in the
2.6.13 kernel, and Red Hat Enterprise Linux 4 contains a backport of it.
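The following probe is an added example, not code from the bug report or from Red Hat's test for this erratum. It exercises exactly the call Comment 17 describes, prctl(PR_SET_DUMPABLE, 2) from an unprivileged process, and classifies the kernel's answer: the fix restricts PR_SET_DUMPABLE to the values 0 and 1, so a patched kernel fails the call with EINVAL, while an unpatched one accepts it and stores dumpable=2. It also reads back PR_GET_DUMPABLE and the system-wide fs.suid_dumpable sysctl, to make clear that the fix changes only what a process may select for itself via prctl(), not the sysctl. The enum and function names are my own.

```c
/* Added example (not from the bug report): probe whether this kernel still
 * lets an unprivileged process set dumpable=2 through prctl(), which is the
 * behaviour CVE-2006-2451 removed. Function and enum names are assumptions. */
#include <errno.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

enum probe_result {
    PROBE_ACCEPTED    = 0, /* prctl(PR_SET_DUMPABLE, 2) succeeded: unfixed kernel */
    PROBE_REJECTED    = 1, /* failed with EINVAL: kernel accepts only 0 or 1 (fixed) */
    PROBE_OTHER_ERROR = 2, /* failed for some other reason, e.g. a seccomp filter */
    PROBE_UNSUPPORTED = 3  /* not Linux: PR_SET_DUMPABLE does not exist here */
};

/* Try to set the dumpable flag to 2 exactly as the bug describes. A fixed
 * kernel rejects any value other than 0 or 1 with EINVAL. */
int try_set_dumpable_2(void)
{
#ifdef __linux__
    errno = 0;
    if (prctl(PR_SET_DUMPABLE, 2, 0, 0, 0) == 0)
        return PROBE_ACCEPTED;
    return errno == EINVAL ? PROBE_REJECTED : PROBE_OTHER_ERROR;
#else
    return PROBE_UNSUPPORTED;
#endif
}

/* Read back the per-process dumpable flag; on a fixed kernel this is never 2
 * after the probe above, because the rejected value was never stored. */
int current_dumpable(void)
{
#ifdef __linux__
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}

/* The system-wide setting (fs.suid_dumpable). The fix only stops unprivileged
 * code selecting mode 2 for itself via prctl(); it does not alter this sysctl.
 * Returns -1 if the file is not readable (non-Linux, restricted container). */
int read_suid_dumpable_sysctl(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int value = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

int main(void)
{
    static const char *verdict[] = {
        "ACCEPTED: dumpable=2 settable by this process, CVE-2006-2451 fix absent",
        "REJECTED (EINVAL): PR_SET_DUMPABLE limited to 0/1, fix present",
        "OTHER ERROR: prctl() failed for an unrelated reason, inconclusive",
        "UNSUPPORTED: not a Linux kernel",
    };
    int r = try_set_dumpable_2();
    printf("prctl(PR_SET_DUMPABLE, 2): %s\n", verdict[r]);
    printf("PR_GET_DUMPABLE now reports: %d\n", current_dumpable());
    printf("fs.suid_dumpable sysctl:     %d\n", read_suid_dumpable_sysctl());
    return r == PROBE_ACCEPTED ? 1 : 0;
}
```

Run it as an ordinary user, since the point of the bug is what an unprivileged caller can do; the exit status is non-zero only when the kernel accepted dumpable=2. A result of OTHER ERROR usually means a seccomp or container policy blocked prctl() before the kernel's argument check ran, and says nothing about the fix either way.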
Comment 18 Marcel Holtmann 2006-07-07 07:51:33 EDT
The patch for the stable kernel series of 2.6.17 can be found here:

http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0
Comment 20 Red Hat Bugzilla 2006-07-07 09:42:38 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0574.html
Comment 21 Jason Baron 2006-07-07 13:55:20 EDT
committed in stream U4 build 40.1. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 22 Mike Gahagan 2006-07-14 11:27:27 EDT
Verified fix on 40.1 as well by hand. (for some reason my automated test for
this doesn't want to work inside of RHTS.)
Comment 23 claranet 2006-08-03 12:21:24 EDT
The downside to this is that upgrading to the latest kernel on ES4 (kernel-2.6.9-34.0.2)
leaves you faced with this nasty one:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188141
Comment 24 Marcel Holtmann 2006-08-03 17:38:57 EDT
It is impossible that the fix included in kernel-2.6.9-34.0.2 can cause any of
the symptoms described in bug #188141. Please don't pollute this bug with
unrelated descriptions.
Comment 25 claranet 2006-08-07 06:13:06 EDT
Regarding your comment on this page, I disagree that the bug is fixed in
kernel-2.6.9-34.0.2, as the Bugzilla states that the bug is for
kernel-2.6.9-34. Are you stating it is therefore fixed in your 0.2 revision?

If so, why does Larry tell me that it is only fixed in kernel-2.6.9-42, and that
the patch will not be implemented until ES4 U4?

More importantly, I rolled back the kernel on this client to 2.6.9-5 and the swap
and load went right down and resumed normal operation; beforehand it had
exactly the same symptoms as the bug reported, and due to the high memory usage
on this box, it caused it to crash after a few days.
So I do not believe that this has been fixed in kernel-2.6.9-34.0.2.

I would expect a reply to this, since we want to roll out a non-vulnerable kernel
upgrade on our clients' Red Hat boxes and so far no one has given us a solution to
this problem.
Comment 26 Marcel Holtmann 2006-08-07 07:26:42 EDT
The kernel-2.6.9-34.0.x packages are kernels which contain security updates.
They are fixing security issues. In general these can not introduce the reported
issue nor can they fix it. The kernel-2.6.9-34.0.2 in particular contains a fix
for the privilege escalation described in this Bugzilla report.

I never said that kernel-2.6.9-34.0.2 will fix your problem, but it is also
not the cause of your problem. So using this Bugzilla to report an issue is
wrong. Please open a new Bugzilla report if you have problems with the
kernel-2.6.9-34 series (RHEL4 U3), or wait for kernel-2.6.9-42 (RHEL4 U4) if this
is known to fix it.