Bug 294541 (CVE-2007-4573) - CVE-2007-4573 x86_64 syscall vulnerability
Summary: CVE-2007-4573 x86_64 syscall vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4573
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 297841 297851 297861 297871 297881
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-18 11:20 UTC by Mark J. Cox
Modified: 2023-05-11 12:44 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-17 15:38:08 UTC
Embargoed:

Attachments (Terms of Use)
Andis proposed patch (3.15 KB, patch)
2007-09-19 10:51 UTC, Mark J. Cox 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0936 0 normal SHIPPED_LIVE Important: kernel security update 2007-09-27 20:21:41 UTC
Red Hat Product Errata RHSA-2007:0937 0 normal SHIPPED_LIVE Important: kernel security update 2008-01-09 00:51:02 UTC
Red Hat Product Errata RHSA-2007:0938 0 normal SHIPPED_LIVE Important: kernel security update 2007-09-27 20:43:31 UTC

Description Mark J. Cox 2007-09-18 11:20:45 UTC 
Wojciech Purczynski of COSEINC notified us of a kernel security issue that could
lead to local privilege escalation on x86_64 platforms.

draft advisory to follow.

Acknowledgements:

Red Hat would like to thank Wojciech Purczynski for reporting this issue.
Comment 5 Mark J. Cox 2007-09-19 08:13:47 UTC 
Note that for RHEL5 this fix probably also need to be applied to ia32entry-xen.S
created by linux-2.6-xen.patch
Comment 13 Roland McGrath 2007-09-21 21:01:25 UTC 
Fix has been committed upstream (public)
Comment 14 Eugene Teo (Security Response) 2007-09-22 00:34:06 UTC 
URL of the fix:
http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=176df2457ef6207156ca1a40991c54ca01fef567
Comment 15 Mark J. Cox 2007-09-22 07:15:01 UTC 
public, removing embargo
Comment 17 Mark J. Cox 2007-09-24 09:56:09 UTC 
Details of privilege escalation consequence now public via advisory:
http://marc.info/?l=full-disclosure&m=119062587407908&w=2

(opening up initial comment in this bug)
Comment 24 Jan Iven 2007-09-27 14:47:45 UTC 
Working exploit has been made public.
Comment 25 Mark J. Cox 2007-09-27 15:22:18 UTC 
Jan, updated kernels are progressing through quality engineering.  We'll be
releasing them (for RHEL3,4,5) the moment they pass!
Comment 28 Jan Iven 2007-09-28 14:19:05 UTC 
While the Errata kernels have been announced on the enterprise-watch list 18h
ago and are available via RHN, it appears as if the SRPMs aren't yet on
ftp.redhat.com. Could somebody please look for them?

https://rhn.redhat.com/errata/RHSA-2007-0936.html
https://rhn.redhat.com/errata/RHSA-2007-0937.html
https://rhn.redhat.com/errata/RHSA-2007-0938.html

vs

ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/
etc.
Comment 30 Mark J. Cox 2007-10-01 06:14:51 UTC 
Jan, we had a short outage on our main ftp server on Friday during which time
the SRPMS we pushed on Thursday were missing from the ftp site.  (They were at
all times available via Red Hat Network).  

I checked this yesterday and the RHEL3 and RHEL4 srpms were present, but the
RHEL5 ones were missing.  This was escalated to our production engineering team
who resolved it.

I've checked again today and the kernel SRPMS for RHEL3, RHEL4, RHEL5 are all
there now (note RHEL5 updates are always in a different place at
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS )
Comment 34 Red Hat Product Security 2008-01-17 15:38:08 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0936.html
  http://rhn.redhat.com/errata/RHSA-2007-0937.html
  http://rhn.redhat.com/errata/RHSA-2007-0938.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2298
Note You need to log in before you can comment on or make changes to this bug.