win32sux |
07-20-2009 11:30 AM |
Lunux 2.6.30.2 has been released.
It includes fixes for at least two security vulnerabilities.
The changelog is available here.
Quote:
personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.
We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
We believe it is important to add MMAP_PAGE_ZERO, because by using this
personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in those scenarios:
- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.
Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).
|
CVE-2009-1895
Quote:
tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. (CVE-2009-1897)
commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 upstream.
Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
packets per device") and triggered by this code:
int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
|
CVE-2009-1897
|