Bug 87244 - (CVE-2005-1761) VUL-0: CVE-2005-1761: kernel: Malicious user can use ptrace to crash the system
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: IA64 SLES 9
Priority: P5 - None
Severity: Critical
Target Milestone: ---
Assigned To: Security Team bot
CVE-2005-1761: CVSS v2 Base Score: 2....
Reported: 2005-06-06 19:52 UTC by Tony Luck
Modified: 2021-11-04 16:18 UTC

Attachments
patch from Matt Chapman (1.26 KB, patch)
2005-06-07 16:18 UTC, Tony Luck
version 2 - close hole via ptrace_setregs too (1.91 KB, patch)
2005-06-11 17:04 UTC, Tony Luck
Fix restore_sigcontext() path too (3.13 KB, patch)
2005-06-13 21:14 UTC, Tony Luck
Backport to 2.4.21 (3.04 KB, text/plain)
2005-07-05 15:41 UTC, Andreas Schwab

Description Tony Luck 2005-06-06 19:52:16 UTC
Is this bug publicly visible ... I'd like to defer adding details until I know 
whether I'm writing for the whole world.  The bug is old ... most kernel 
versions are affected.  IA64 specific.  I'd like to send the patch to Linus for 
inclusion in 2.6.12 (only about a week away according to rumour).
Comment 1 Marcus Meissner 2005-06-07 08:42:03 UTC
It now no longer is publicly visible, so please add.

We had several ia64 ptrace issues already fixed; is this a previously known
one?
Comment 2 Tony Luck 2005-06-07 16:18:25 UTC
Created attachment 38758
patch from Matt Chapman

New ptrace bug for ia64 (sigh).

Matt Chapman found this, and supplied the attached fix.
Comment 3 Marcus Meissner 2005-06-07 20:35:25 UTC
Can you work with the security@kernel.org contact please.

And keep us posted on disclosure dates.

Andreas, this must stay out of CVS until disclosure ...

Greg, FYI only for now
Comment 4 Ludwig Nussel 2005-06-08 16:01:39 UTC
CAN-2005-0761 
Comment 5 Ludwig Nussel 2005-06-09 06:56:38 UTC
wrong number, it's CAN-2005-1761 
Comment 6 Tony Luck 2005-06-11 17:04:12 UTC
Created attachment 39006
version 2 - close hole via ptrace_setregs too

Aargh! David Mosberger sent me e-mail last night saying that he thought there
might be another code path for this bug through ptrace_setregs().  He's right. 
Here's an updated patch that should close that too.  But so far it is untested
(apart from that it compiles).  No reviews yet either.
Comment 7 Tony Luck 2005-06-11 19:40:35 UTC
I have an ACK from David Mosberger that the new patch is OK.
Comment 8 Tony Luck 2005-06-11 23:32:01 UTC
But now Chris Wright has spotted another place (restore_sigcontext) where
ar.rsc can be loaded with an arbitrary value supplied from user space.

I'm giving up on trying to coordinate this with the 2.6.12 release.  It will go 
into a 2.6.12.y release.
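The defensive pattern the thread converges on is that every path through which user space can hand the kernel a saved ar.rsc value (the single-register ptrace poke, ptrace_setregs, and restore_sigcontext on sigreturn) must pass through one sanitizer rather than each path copying the value verbatim. The following is an added illustration, not code from the kernel or from any of the patches attached to this bug. The ar.rsc field layout (mode in bits 1:0, privilege level in bits 3:2, be in bit 4, loadrs in bits 29:16) follows the IA-64 architecture definition; the policy of forcing the privilege-level field to 3 (user level) and the names `saved_regs`, `store_user_ar_rsc`, `sanitize_ar_rsc` and `rsc_decode` are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ar.rsc bit layout per the IA-64 architecture definition. */
#define RSC_MODE_MASK     0x3ULL
#define RSC_PL_SHIFT      2
#define RSC_PL_MASK       (0x3ULL << RSC_PL_SHIFT)
#define RSC_BE_BIT        (1ULL << 4)
#define RSC_LOADRS_SHIFT  16
#define RSC_LOADRS_MASK   (0x3fffULL << RSC_LOADRS_SHIFT)
#define RSC_USER_PL       3ULL   /* privilege level user code runs at */

/* Hypothetical stand-in for the saved register image (a real pt_regs has
 * far more fields); only ar.rsc matters for this example. */
struct saved_regs {
    uint64_t ar_rsc;
};

/* Decoded view of ar.rsc, used for audit messages and checks. */
struct rsc_fields {
    unsigned mode, pl, be, loadrs;
};

struct rsc_fields rsc_decode(uint64_t rsc)
{
    struct rsc_fields f;
    f.mode   = (unsigned)(rsc & RSC_MODE_MASK);
    f.pl     = (unsigned)((rsc & RSC_PL_MASK) >> RSC_PL_SHIFT);
    f.be     = (rsc & RSC_BE_BIT) ? 1u : 0u;
    f.loadrs = (unsigned)((rsc & RSC_LOADRS_MASK) >> RSC_LOADRS_SHIFT);
    return f;
}

/* A value is acceptable for a user-level context only if pl is already 3. */
bool rsc_is_user_safe(uint64_t rsc)
{
    return rsc_decode(rsc).pl == RSC_USER_PL;
}

/* Force pl to user level.  The fields user space may legitimately choose
 * (mode, be, loadrs) pass through unchanged. */
uint64_t sanitize_ar_rsc(uint64_t user_value)
{
    return (user_value & ~RSC_PL_MASK) | (RSC_USER_PL << RSC_PL_SHIFT);
}

/* The single choke point for every user-supplied ar.rsc write.  "path"
 * names the caller (ptrace poke, ptrace_setregs, sigreturn) so an audit
 * line records which interface tried to lower the privilege level.
 * Returns true when the stored value differs from what was supplied. */
bool store_user_ar_rsc(struct saved_regs *regs, uint64_t user_value,
                       const char *path)
{
    uint64_t clean = sanitize_ar_rsc(user_value);
    bool altered = (clean != user_value);

    regs->ar_rsc = clean;
    if (altered)
        fprintf(stderr,
                "audit: %s supplied ar.rsc=%#llx (pl=%u), stored %#llx\n",
                path, (unsigned long long)user_value,
                rsc_decode(user_value).pl, (unsigned long long)clean);
    return altered;
}

int main(void)
{
    /* Constructed sample inputs: one benign value (pl=3), and two that
     * would otherwise land in the saved image with pl=0. */
    const uint64_t samples[] = { 0x1cULL, 0x0ULL, 0x3fff0013ULL };
    const char *paths[] = { "ptrace-poke", "ptrace-setregs", "sigreturn" };
    struct saved_regs regs = { 0 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool altered = store_user_ar_rsc(&regs, samples[i], paths[i]);
        struct rsc_fields f = rsc_decode(regs.ar_rsc);
        printf("in=%#llx out=%#llx mode=%u pl=%u be=%u loadrs=%#x altered=%d\n",
               (unsigned long long)samples[i],
               (unsigned long long)regs.ar_rsc,
               f.mode, f.pl, f.be, f.loadrs, (int)altered);
    }
    return 0;
}
```

The point of routing all three paths through `store_user_ar_rsc` is that a later fourth path cannot quietly reintroduce the bug by copying the raw value, and the audit line gives a host-based detection hook for attempts to set a lower privilege level through any of them.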
Comment 9 Tony Luck 2005-06-13 21:14:32 UTC
Created attachment 39074
Fix restore_sigcontext() path too

This should be the final version.  If there are no problems with it, then I
will release this on Wed June 22nd at noon PDT.
Comment 10 Marcus Meissner 2005-06-23 10:35:47 UTC
public now  
Comment 11 Andreas Schwab 2005-06-23 11:30:18 UTC
Checked into SP2. Any other branch? 
Comment 12 Marcus Meissner 2005-06-27 08:37:48 UTC
no, unless Intel thinks it is problematic for SLES 8 too. 
Comment 13 Marcus Meissner 2005-06-30 09:22:20 UTC
Tony? does this affect the 2.4 kernels? 
Comment 14 Tony Luck 2005-06-30 17:06:31 UTC
ptrace.c has seen some major changes between 2.4 and 2.6, but it looks like the 
same problem is present there too.
Comment 15 Andreas Schwab 2005-07-05 15:41:19 UTC
Created attachment 41174
Backport to 2.4.21
Comment 16 Andreas Schwab 2005-07-05 15:43:50 UTC
Checked into SLES8 kernel. 
Comment 17 Ludwig Nussel 2005-08-04 07:11:20 UTC
updates released 
Comment 18 Marcus Meissner 2005-09-14 08:33:55 UTC
this patch does not appear in the mainline 2.4 yet. 
Comment 19 Thomas Biege 2009-10-13 21:26:32 UTC
CVE-2005-1761: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)