Bug 198963 - CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Brian Brock
URL:
Whiteboard: impact=important,source=redhat,report...
Depends On: CVE-2006-2451
Blocks:
Reported: 2006-07-15 00:37 UTC by Jason Vas Dias
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-15 07:44:50 UTC
Type: ---
Embargoed:


Comment 1 Jason Vas Dias 2006-07-15 00:42:35 UTC
I've just reproduced this issue under kernel-2.6.17-1.2145 on FC-5 and
kernel-2.6.17-1.2364 on FC-6 - see bug 198893 for a nasty reproducer.

I suggest that we apply the patch to prevent processes with the 
PR_SET_DUMPABLE flag set from being able to dump core in whatever
directory they can cd into, regardless of whether the userid has
write permission, ASAP.


Comment 2 Dave Jones 2006-07-15 07:44:50 UTC
fixed in 2158 for FC5
fixed in rawhide too some time after 2364.