-rw-r--r-- | releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch | 49 | ||||
-rw-r--r-- | releases/2.6.22.4/series | 1 |
2 files changed, 50 insertions, 0 deletions
diff --git a/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
new file mode 100644
index 0000000000..d17a61e719
--- /dev/null
+++ b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
@@ -0,0 +1,49 @@
+From d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 17 Aug 2007 21:47:58 +0200
+Subject: Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -890,9 +890,12 @@ int flush_old_exec(struct linux_binprm *
+ */
+ current->mm->task_size = TASK_SIZE;
+
+- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+- file_permission(bprm->file, MAY_READ) ||
+- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
++ suid_keys(current);
++ current->mm->dumpable = suid_dumpable;
++ current->pdeath_signal = 0;
++ } else if (file_permission(bprm->file, MAY_READ) ||
++ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ suid_keys(current);
+ current->mm->dumpable = suid_dumpable;
+ }
+@@ -983,8 +986,10 @@ void compute_creds(struct linux_binprm *
+ {
+ int unsafe;
+
+- if (bprm->e_uid != current->uid)
++ if (bprm->e_uid != current->uid) {
+ suid_keys(current);
++ current->pdeath_signal = 0;
++ }
+ exec_keys(current);
+
+ task_lock(current);
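Review bot: Neither added `current->pdeath_signal = 0;` line carries a comment saying why it is there, and the two conditions guarding it differ: the `flush_old_exec` hunk tests `bprm->e_uid != current->euid || bprm->e_gid != current->egid`, while the `compute_creds` hunk tests only `bprm->e_uid != current->uid`. A set-gid-only exec therefore appears to rely on the `flush_old_exec` reset alone; if that is intended, record it with a comment above each reset such as `/* privilege-changing exec: drop the parent-death signal chosen by the less privileged caller */`. The reset is also keyed purely to uid/gid comparisons, so any other way an exec can gain privilege (none is visible in this patch) would keep the inherited signal and is worth checking before relying on this as the complete fix. Both functions begin and end outside the hunks shown, so the surrounding credential handling could not be reviewed.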
diff --git a/releases/2.6.22.4/series b/releases/2.6.22.4/series
new file mode 100644
index 0000000000..32f78caf0b
--- /dev/null
+++ b/releases/2.6.22.4/series
@@ -0,0 +1 @@
+reset-current-pdeath_signal-on-suid-binary-execution.patch |