Bug 493771 (CVE-2009-1337) - CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check
Summary: CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1337
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 494267 494268 494269 494270 494271 497266
Blocks:
Reported: 2009-04-03 01:58 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:29 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 17:59:40 UTC


Attachments
Upstream patch (1.22 KB, patch)
2009-04-07 05:33 UTC, Eugene Teo (Security Response)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0451 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-04-29 09:28:23 UTC
Red Hat Product Errata RHSA-2009:0473 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-05-07 10:53:11 UTC
Red Hat Product Errata RHSA-2009:1024 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update 2009-05-18 14:57:26 UTC
Red Hat Product Errata RHSA-2009:1077 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-02 16:48:01 UTC
Red Hat Product Errata RHSA-2009:1550 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 21:59:47 UTC

Description Eugene Teo (Security Response) 2009-04-03 01:58:39 UTC
Description of problem:
A malicious application can execute a setuid binary before exit. This would mean that we will not reset the ->exit_signal to SIGCHLD unless the binary drops CAP_KILL.

Reference:
http://marc.info/?l=linux-kernel&m=123560588713763&w=2
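
The description above, as an added example that is not part of the original report or the kernel source: a simplified user-space model of the exit-time decision, comparing the check with and without the `capable(CAP_KILL)` exemption. The struct, its fields and both function names are hypothetical, and the sample cases are constructed.

```c
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the exit-time decision, not kernel code.
 * Struct and function names are hypothetical. */
struct task_model {
    int  exit_signal;   /* signal the parent will receive when the task exits */
    bool did_exec;      /* task executed a new binary before exiting */
    bool has_cap_kill;  /* CAP_KILL held at exit, e.g. after exec of a setuid binary */
};

/* Before the fix: holding CAP_KILL skips the reset to SIGCHLD. */
int exit_signal_before_fix(struct task_model t)
{
    if (t.exit_signal != SIGCHLD && t.did_exec && !t.has_cap_kill)
        return SIGCHLD;
    return t.exit_signal;
}

/* After the fix: the capable(CAP_KILL) exemption is gone. */
int exit_signal_after_fix(struct task_model t)
{
    if (t.exit_signal != SIGCHLD && t.did_exec)
        return SIGCHLD;
    return t.exit_signal;
}

int main(void)
{
    /* Constructed cases; SIGUSR1 stands in for any non-SIGCHLD exit signal. */
    struct { const char *name; struct task_model t; } cases[] = {
        { "no exec",                    { SIGUSR1, false, false } },
        { "exec, unprivileged binary",  { SIGUSR1, true,  false } },
        { "exec, setuid with CAP_KILL", { SIGUSR1, true,  true  } },
        { "setuid drops CAP_KILL",      { SIGUSR1, true,  false } },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s before=%d after=%d\n", cases[i].name,
               exit_signal_before_fix(cases[i].t),
               exit_signal_after_fix(cases[i].t));
    return 0;
}
```

Only the "exec, setuid with CAP_KILL" row differs between the two columns: before the fix the caller-chosen signal survives the exec, and after the fix it is reset to SIGCHLD.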

Comment 5 Eugene Teo (Security Response) 2009-04-07 03:52:20 UTC
[RESEND] exit_notify: kill the wrong capable(CAP_KILL) check
http://patchwork.kernel.org/patch/16544/

Comment 6 Eugene Teo (Security Response) 2009-04-07 05:33:27 UTC
Created attachment 338457
Upstream patch

Upstream commit:
http://git.kernel.org/linus/432870dab85a2f69dc417022646cb9a70acf7f94

Comment 12 errata-xmlrpc 2009-04-29 09:28:34 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html

Comment 14 errata-xmlrpc 2009-05-07 10:53:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0473 https://rhn.redhat.com/errata/RHSA-2009-0473.html

Comment 15 errata-xmlrpc 2009-05-18 19:03:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1024 https://rhn.redhat.com/errata/RHSA-2009-1024.html

Comment 16 errata-xmlrpc 2009-05-18 20:36:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1024 https://rhn.redhat.com/errata/RHSA-2009-1024.html

Comment 17 Chuck Ebbert 2009-05-21 17:16:59 UTC
Fixed in upstream stable updates: 2.6.27.22, 2.6.28.10 and 2.6.29.3

Comment 20 Fedora Update System 2009-05-22 09:01:46 UTC
kernel-2.6.27.24-170.2.68.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-170.2.68.fc10

Comment 25 Fedora Update System 2009-05-25 21:09:20 UTC
kernel-2.6.27.24-170.2.68.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 errata-xmlrpc 2009-06-02 16:28:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1077 https://rhn.redhat.com/errata/RHSA-2009-1077.html

Comment 32 errata-xmlrpc 2009-11-03 22:03:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

