(Red Hat Issues Fix) Linux Kernel binfmt_elf Loader Lets Local Users Obtain Root Access
|
|
SecurityTracker Alert ID: 1013998
|
|
SecurityTracker URL: http://securitytracker.com/id?1013998
|
|
CVE Reference: CAN-2004-1070
(Links to External Site)
|
Date: May 18 2005
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Red Hat Advisory
|
Version(s): 3
|
Description: Some vulnerabilities were reported in the Linux kernel in the binfmt_elf loader. A local user can obtain root privileges on the target system.
Paul Starzetz reported several flaws in the ELF loader in the processing of set user id (setuid) binaries. These flaws include incorrect
return value validation in the load_elf_binary() function, some faulty error handling, and an unterminated string bug in 'binfmt_elf.c'
and also a file-type validation bug in 'exec.c' that allows non-readable ELF binaries to be read.
A local user can exploit these
flaws to cause a setuid binary to execute arbitrary code.
The original advisory, including some demonstration exploit code, is
available at:
http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
|
Impact: A local user can execute arbitrary code with setuid privileges to obtain root access on the target system.
|
Solution: Red Hat has issued a fix.
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
ia32el-1.2-2.EL3.1.src.rpm 0a300b374292c20a6945d3a55d1f30dc
IA-64:
ia32el-1.2-2.EL3.1.ia64.rpm de3aa390822b8db030bfd200655a3858
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
ia32el-1.2-2.EL3.1.src.rpm
0a300b374292c20a6945d3a55d1f30dc
IA-64:
ia32el-1.2-2.EL3.1.ia64.rpm de3aa390822b8db030bfd200655a3858
Red Hat
Enterprise Linux WS (v. 3)
SRPMS:
ia32el-1.2-2.EL3.1.src.rpm 0a300b374292c20a6945d3a55d1f30dc
IA-64:
ia32el-1.2-2.EL3.1.ia64.rpm
de3aa390822b8db030bfd200655a3858
|
Vendor URL: www.kernel.org/ (Links to External Site)
|
Cause: Access control error, Boundary error, Exception handling error, Input validation error
|
Underlying OS: Linux (Red Hat Enterprise)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 18 May 2005 11:01:30 -0400
Subject: http://rhn.redhat.com/errata/RHSA-2005-275.html
|
Low: ia32el security update
Advisory: RHSA-2005:275-09
Type: Security Advisory
Issued on: 2005-05-18
Last updated on: 2005-05-18
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CAN-2004-1072
Details
An updated ia32el package that fixes several bugs is now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
The ia32el package contains IA-32 Execution Layer platform which allows
emulation of IA-32 binaries on IA-64.
A flaw was found in the binfmt_elf loader of the Linux kernel which also
affects the IA-32 Execution Layer. A local user could create an
interpreter name string that is not NULL terminated, leading to a denial of
service (crash). The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1072 to this issue.
This update also addresses the following issues:
-- Fixed execve to invoke ia32 interpreter
-- Credential fixes
-- Fixed a bug causing ibm-jvm to fail
-- Other minor bug fixes
Please refer to the package release notes for detailed information about
these changes.
All users of ia32el should upgrade to this updated package, which
resolves these issues.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
Updated packages
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
ia32el-1.2-2.EL3.1.src.rpm 0a300b374292c20a6945d3a55d1f30dc
IA-64:
ia32el-1.2-2.EL3.1.ia64.rpm de3aa390822b8db030bfd200655a3858
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
ia32el-1.2-2.EL3.1.src.rpm 0a300b374292c20a6945d3a55d1f30dc
IA-64:
ia32el-1.2-2.EL3.1.ia64.rpm de3aa390822b8db030bfd200655a3858
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
ia32el-1.2-2.EL3.1.src.rpm 0a300b374292c20a6945d3a55d1f30dc
IA-64:
ia32el-1.2-2.EL3.1.ia64.rpm de3aa390822b8db030bfd200655a3858
(The unlinked packages above are only available from the Red Hat Network)
Bugs fixed (see bugzilla for more information)
142094 - CAN-2004-1072 ia32el's binfmt_elf.c lacks recent security fix
145390 - RHEL4 U1 ia32el: new version expected from Intel
145400 - RHEL4 U1: ia32el cleanup glibc dependencies in spec file
145695 - IA64: Need SG_IO ioctl cmd support in execution layer
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1072
Keywords
i386, ia32el, ia64
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signa
ture are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/se
curity/team/contact/
|
|
