
[SECURITY BUG] All 2.2.x kernels buggy except 2.2.16



http://sendmail.net/?feed=000607linuxbug

	*WOW* is all I can say for this -- this documents why you should 
*instantly* upgrade to 2.2.16 from *WHATEVER* you are using,
architecture independent ... and also some new sendmail bugs/fixes
.. Suresh would/should be especially interested in this .. ( I
suppose he already knows ? )

	Anyone with any box doing anything even remotely "useful"
online should read this, and do the upgrade to 2.2.16 ... 


								--ravi
---

	Apologies about the "wasted" bandwidth.. but IMO, it's not wasted.
[...]

 A serious bug has been discovered in the Linux kernel that can be used
   by local users to gain root access. The problem, a vulnerability in
   the Linux kernel capability model, exists in kernel versions up to and
   including version 2.2.15. According to Alan Cox, a key member of the
   Linux developer community, "It will affect programs that drop setuid
   state and rely on losing saved setuid, even those that check that the
   setuid call succeeded."
     
   To ensure that this vulnerability cannot be exploited by programs
   running on Linux, Linux users are advised to update to kernel version
   2.2.16 immediately.

New sendmail release blocks exploit
   
   Because this vulnerability can be used to attack any setuid root
   program that attempts to cede special permissions - including sendmail
   - a patched version of sendmail has been released that checks for this
   vulnerability in the kernel. If it is present, sendmail refuses to
   run, making it impossible to use sendmail to exploit the problem. The
   patched version, sendmail 8.10.2, also does more detailed checks on
   certain system calls - notably setuid(2) - to detect other possible
   attacks. While programs like sendmail and procmail are possible
   vectors of attack, sources in the Linux development community have
   emphasized that "this is a problem with Linux, not with sendmail."

   Although the updated version of the kernel is now available as source,
   it's not yet clear how quickly Red Hat and other Linux vendors will
   update their own distributions. Consequently, the Sendmail Consortium
   strongly advises users running open source sendmail on Linux to
   upgrade to sendmail version 8.10.2. Those running Sendmail Pro or
   Sendmail Switch on Linux should upgrade to Sendmail Switch version
   2.0.5.
   
   Details of the kernel vulnerability
   
   The problem lies in the setcap(2) call, which is not documented on
   most Linux-based systems. (Some documentation does exist "in expired
   drafts," Alan Cox told sendmail.net, "but the committee made it rather
   hard to get those.") The setcap(2) call is based on the unratified
   Posix 1e draft. Cox went on to explain that the new kernel update,
   version 2.2.16, adopts the final Posix draft model, which eliminates
   this vulnerability.
   
   A security advisory issued by the sendmail security team describes the
   vulnerability as follows:

   The setcap(2) call attempts to break down root permissions into a
   series of capabilities. Normally root has all capabilities and normal
   users have none of the capabilities.
   
   One such capability is the ability of a process to do an arbitrary
   setuid(2) call. As documented in ISO/IEC 9945-1 (ANSI/IEEE Std 1003.1)
   POSIX Part 1:
   
     4.2.2.2 Description
     ...
     If {_POSIX_SAVED_IDS} is defined:
     (1) If the process has appropriate privileges, the setuid()
     function sets the real user ID, effective user ID, and the saved
     set-user-ID to uid.
     (2) If the process does not have the appropriate privileges, but
     uid is equal to the real user ID or the saved set-user-ID, the
     setuid() function sets the effective user ID to uid; the real user
     ID and saved set-user-ID remain unchanged by this function call.

[...]


-- 
Ravikant K.Rao : http://www.symonds.net/~ravi/
Primary Email  : <ravi@xxxxxxxxxxx> | PGP: 9544A4A1   GPG: 1024D/C2FC752D
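
An added example, not part of the original post and not sendmail's code: one way a setuid program can check setuid(2) in more detail than its return value, by confirming that the real, effective and saved set-user-ID all changed, which is the case the quoted POSIX clause (2) leaves open. The function names are hypothetical, and getresuid(2) is assumed to be available (Linux with glibc).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for getresuid(2) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares this only under _GNU_SOURCE; repeated so the block
 * still builds if other headers were included first. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Returns 1 only if real, effective AND saved set-user-ID equal target.
 * Under POSIX case (2), setuid() can return 0 while the saved
 * set-user-ID keeps its old value, so all three are compared. */
int ids_fully_dropped(uid_t ruid, uid_t euid, uid_t suid, uid_t target)
{
    return ruid == target && euid == target && suid == target;
}

/* Permanently switch to `target`: 0 on success, -1 if any check fails.
 * The caller must exit on -1. Group IDs are out of scope here. */
int drop_uid_checked(uid_t target)
{
    uid_t r, e, s;

    if (setuid(target) != 0)
        return -1;                   /* the call itself failed */
    if (getresuid(&r, &e, &s) != 0)
        return -1;                   /* cannot inspect the IDs */
    if (!ids_fully_dropped(r, e, s, target))
        return -1;                   /* "success", but an old ID remains */
    if (target != 0 && setuid(0) == 0)
        return -1;                   /* root could still be regained */
    return 0;
}

int main(void)
{
    /* Constructed demo: "drop" to the UID the process already runs as. */
    if (drop_uid_checked(getuid()) != 0) {
        fprintf(stderr, "privilege drop could not be verified, exiting\n");
        return EXIT_FAILURE;
    }
    puts("real, effective and saved UIDs verified");
    return EXIT_SUCCESS;
}
```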