-rw-r--r--releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch49
-rw-r--r--releases/2.6.22.4/series1
2 files changed, 50 insertions, 0 deletions
diff --git a/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
new file mode 100644
index 0000000000..d17a61e719
--- /dev/null
+++ b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
@@ -0,0 +1,49 @@
+From d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 17 Aug 2007 21:47:58 +0200
+Subject: Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -890,9 +890,12 @@ int flush_old_exec(struct linux_binprm *
+ */
+ current->mm->task_size = TASK_SIZE;
+
+- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+- file_permission(bprm->file, MAY_READ) ||
+- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
++ suid_keys(current);
++ current->mm->dumpable = suid_dumpable;
++ current->pdeath_signal = 0;
++ } else if (file_permission(bprm->file, MAY_READ) ||
++ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ suid_keys(current);
+ current->mm->dumpable = suid_dumpable;
+ }
+@@ -983,8 +986,10 @@ void compute_creds(struct linux_binprm *
+ {
+ int unsafe;
+
+- if (bprm->e_uid != current->uid)
++ if (bprm->e_uid != current->uid) {
+ suid_keys(current);
++ current->pdeath_signal = 0;
++ }
+ exec_keys(current);
+
+ task_lock(current);
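Review bot: The two added `current->pdeath_signal = 0;` lines in the quoted fs/exec.c change (the first branch in flush_old_exec and the new braces in compute_creds) have no comment, and nothing at either site says why a signal setting is cleared alongside the key and dumpable handling. I would add above each something like `/* ids change across this exec: do not carry over the parent-death signal requested under the old ids */`. The two sites also test different things, `bprm->e_uid != current->euid || bprm->e_gid != current->egid` in flush_old_exec but only `bprm->e_uid != current->uid` in compute_creds, so it is worth confirming that a gid-only mismatch is meant to be covered by the first site alone. Both functions start and end outside the quoted hunks, so other paths through them are not visible here.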
diff --git a/releases/2.6.22.4/series b/releases/2.6.22.4/series
new file mode 100644
index 0000000000..32f78caf0b
--- /dev/null
+++ b/releases/2.6.22.4/series
@@ -0,0 +1 @@
+reset-current-pdeath_signal-on-suid-binary-execution.patch