Bugzilla – Bug 492768
VUL-0: CVE-2009-1337: kernel-source: exit_notify: kill the wrong capable(CAP_KILL) check
Last modified: 2020-04-22 14:47:01 UTC
Hi.
There is a security bug in 'kernel'.
This information is from 'oss-security'.
This bug is public.
There is no coordinated release date (CRD) set.
More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=493771

Original posting:

----- Forwarded message from Eugene Teo <eugene@redhat.com> -----

Reply-To: oss-security@lists.openwall.com
Date: Tue, 07 Apr 2009 13:37:23 +0800
From: Eugene Teo <eugene@redhat.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
To: oss-security@lists.openwall.com
Cc: "Steven M. Christey" <coley@linus.mitre.org>, Chris Wright <chrisw@redhat.com>, Greg KH <greg@kroah.com>
Subject: [oss-security] CVE request: kernel: exit_notify: kill the wrong capable(CAP_KILL) check

A malicious application can execute a setuid binary before exit. This would mean that we will not reset the ->exit_signal to SIGCHLD unless the binary drops CAP_KILL.

https://bugzilla.redhat.com/show_bug.cgi?id=493771
http://git.kernel.org/linus/432870dab85a2f69dc417022646cb9a70acf7f94

Chris/Greg, we probably need this in -stable.

Thanks, Eugene
--
Eugene Teo, RHCA, RHCSS / Red Hat Security Response Team

----- End forwarded message -----
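Added example, not part of the original report or of the kernel patch: a simplified user-space C model of the check named in the subject line, showing that the pre-fix condition skips the reset of ->exit_signal to SIGCHLD whenever the exiting task holds CAP_KILL. The struct, its fields, the constants and all function names are assumptions made for illustration, and the kernel's task_detached() test is left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model constants (assumed): 17 is SIGCHLD on Linux x86. */
enum { SIGCHLD_MODEL = 17, OTHER_SIGNAL = 10 /* any value other than SIGCHLD */ };

/* Simplified model of the task fields involved; not the kernel's task_struct. */
struct task_model {
    int exit_signal;              /* signal delivered to the parent on exit */
    unsigned parent_exec_id;      /* parent's self_exec_id at fork time */
    unsigned self_exec_id;        /* incremented when this task calls exec */
    unsigned real_parent_exec_id; /* parent's self_exec_id at exit time */
    bool has_cap_kill;            /* result of capable(CAP_KILL) at exit */
};

static bool exec_changed(const struct task_model *t)
{
    return t->parent_exec_id != t->real_parent_exec_id ||
           t->self_exec_id != t->parent_exec_id;
}

/* Pre-fix logic: the reset is skipped when the exiting task holds CAP_KILL. */
int exit_signal_before_fix(const struct task_model *t)
{
    if (t->exit_signal != SIGCHLD_MODEL && exec_changed(t) && !t->has_cap_kill)
        return SIGCHLD_MODEL;
    return t->exit_signal;
}

/* Post-fix logic: the exiting task's own capabilities no longer matter. */
int exit_signal_after_fix(const struct task_model *t)
{
    if (t->exit_signal != SIGCHLD_MODEL && exec_changed(t))
        return SIGCHLD_MODEL;
    return t->exit_signal;
}

/* Constructed case: the task exec'd a setuid binary that kept CAP_KILL. */
struct task_model setuid_case(void)
{
    struct task_model t = { OTHER_SIGNAL, 1, 2, 1, true };
    return t;
}

int main(void)
{
    struct task_model t = setuid_case();
    printf("before=%d after=%d\n", exit_signal_before_fix(&t), exit_signal_after_fix(&t));
    return 0;
}
```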
adjust prio, make sure it's in the next updates please
CVE-2009-1337
I'm on it.
Created attachment 287683
exit_notify: kill the wrong capable(CAP_KILL) check

For reference, here is the patch I used for SLES10 SP2. For other kernel branches the fix is the same, but the context changed a bit so the patch had to be adjusted.
Fix committed to kernel branches SLES9_SP3, SLES9_SP4, SLES10_SP1, SLES10_SP2, SLES10_SP3, SLE11, SL103 and SL110.
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ppc) SLE-SDK 10-SP2 (ppc) SLE-SERVER 10-SP2 (ppc)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP2 (i386) SLE-DESKTOP 10-SP2 (i386) SLE-SDK 10-SP2 (i386) SLE-SERVER 10-SP2 (i386)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ia64) SLE-SDK 10-SP2 (ia64) SLE-SERVER 10-SP2 (ia64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (s390x) SLE-SERVER 10-SP2 (s390x)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP2 (x86_64) SLE-DESKTOP 10-SP2 (x86_64) SLE-SDK 10-SP2 (x86_64) SLE-SERVER 10-SP2 (x86_64)
This bug was fixed/mentioned in the kernel that was released on May 22 for SLES/SLED 10 SP2, the released kernel version is 2.6.16.60-0.39.3.
Update released for: kernel-bigsmp, kernel-debug, kernel-default, kernel-kdump, kernel-ppc64, kernel-rt, kernel-rt_debug, kernel-source, kernel-syms, kernel-xen, kernel-xenpae Products: openSUSE 10.3 (i386, ppc, x86_64)
Update released for: acerhk-kmp-debug, acx-kmp-debug, appleir-kmp-debug, at76_usb-kmp-debug, atl2-kmp-debug, aufs-kmp-debug, dazuko-kmp-debug, drbd-kmp-debug, gspcav-kmp-debug, iscsitarget-kmp-debug, ivtv-kmp-debug, kernel-debug, kernel-default, kernel-docs, kernel-kdump, kernel-pae, kernel-ppc64, kernel-ps3, kernel-source, kernel-syms, kernel-vanilla, kernel-xen, kqemu-kmp-debug, nouveau-kmp-debug, omnibook-kmp-debug, pcc-acpi-kmp-debug, pcfclock-kmp-debug, tpctl-kmp-debug, uvcvideo-kmp-debug, virtualbox-ose-kmp-debug, vmware-kmp-debug, wlan-ng-kmp-debug Products: openSUSE 11.0 (debug, i386, ppc, x86_64)
Update released for: aufs-kmp-debug, aufs-kmp-trace, brocade-bfa-kmp-debug, brocade-bfa-kmp-trace, dazuko-kmp-debug, dazuko-kmp-trace, drbd-kmp-debug, drbd-kmp-trace, intel-iamt-heci-kmp-debug, intel-iamt-heci-kmp-trace, iscsitarget-kmp-debug, iscsitarget-kmp-trace, kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-docs, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-ps3, kernel-ps3-debuginfo, kernel-ps3-debugsource, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-extra, kernel-vanilla, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra, kqemu-kmp-debug, kqemu-kmp-trace, kvm-kmp-trace, lirc-kmp-trace, ofed-kmp-debug, ofed-kmp-trace, oracleasm-kmp-debug, oracleasm-kmp-trace, pcfclock-kmp-debug, pcfclock-kmp-trace, virtualbox-ose-kmp-debug, virtualbox-ose-kmp-trace, vmware-kmp-debug, vmware-kmp-trace Products: openSUSE 11.1 (debug, i586, ppc, x86_64)
A kernel update for SLE(S/D) 11 has just been released that mentions/fixes this bug. The kernel version of this update is 2.6.27.23-0.1.1.
Update released for: cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra, ocfs2-kmp-default, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11 (x86_64) SLE-DESKTOP 11 (x86_64) SLE-HAE 11 (x86_64) SLE-SERVER 11 (x86_64)
almost all released, sles9 in qa
This bug was mentioned / fixed in the currently released SLES 9 maintenance kernel update with version 2.6.5-7.317.
Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel Products: Novell-Linux-Desktop 9 (i386) Open-Enterprise-Server 9 (i386)
Update released for: kernel-64k-pagesize, kernel-64k-pagesize-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-sn2, kernel-sn2-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (ia64)
Update released for: kernel-default, kernel-default-debug, kernel-iseries64, kernel-iseries64-debug, kernel-pmac64, kernel-pmac64-debug, kernel-pseries64, kernel-pseries64-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (ppc)
Update released for: kernel-s390x, kernel-s390x-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (s390x)
Starting L3 for teradata backport
Patch scheduled for the next teradata rollup kernel (bug 426350 comment 112). L3 and bug can be closed
Patch scheduled also for next sles10sp1 teradata rollup (bug 434477 comment 79).
A SLERT 10 SP2 kernel update was just released with this bug referenced, version 2.6.22.19-0.22.
Update released for: ib-bonding-kmp-rt, ib-bonding-kmp-rt_bigsmp, ib-bonding-kmp-rt_debug, ib-bonding-kmp-rt_timing, kernel-rt, kernel-rt_bigsmp, kernel-rt_debug, kernel-rt_timing, kernel-source, kernel-syms, ofed, ofed-cxgb3-NIC-kmp-rt, ofed-cxgb3-NIC-kmp-rt_bigsmp, ofed-cxgb3-NIC-kmp-rt_debug, ofed-cxgb3-NIC-kmp-rt_timing, ofed-doc, ofed-kmp-rt, ofed-kmp-rt_bigsmp, ofed-kmp-rt_debug, ofed-kmp-rt_timing Products: SLE-RT 10-SP2 (i386, x86_64)
CVE-2009-1337: CVSS v2 Base Score: 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)