SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files
SecurityTracker Alert ID:  1010859
SecurityTracker URL:  http://securitytracker.com/id/1010859
CVE Reference:   CVE-2004-0497   (Links to External Site)
Date:  Aug 4 2004
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.4.27
Description:   A vulnerability was reported in the Linux kernel. A remote authenticated user can modify the group permissions of files on the target system.

It is reported that users can modify the group ID of arbitrary files on the system due to a missing check for fsuid in the sys_chown() function. An NFS client may be able to make unauthorized changes to the group ownership of files on a remote system.

Impact:   A remote authenticated user can modify the group permissions of arbitrary files on the target system.
Solution:   A fix is availabe in 2.4.27 RC5. Individual Linux distribution vendors are expected to release fixes for their distributions.
Cause:   Access control error, State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 19 2004 (Red Hat Issues Fix for RHEL/Itanium) Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files
Red Hat has released an Itanium kernel fix for Red Hat Enterprise Linux 2.1.
Sep 27 2004 (Conectiva Issues Fix) Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files
Conectiva has released a fix.



 Source Message Contents

Subject:  Linux 2.4.27-rc5



Hi, 

Here goes the fifth release candidate of kernel v2.4.27.

It includes a handful of XFS fixes, a network update (Bluetooth, Netfilter, 
bridge), it revert problematic DVD-RW support for now (should be back in 
2.4.28).

Most importantly this release fixes an exploitable race in file offset handling 
which allows unpriviledged users from potentially reading kernel memory.
This touches several drivers and generic proc code. This issue is covered by 
CAN-2004-0415.
Vendors should be releasing their updates real soon now. 

Here are the most important security issues fixed by the 2.4.27 release:

CAN-2004-0495 (Al Viro sparse fixes)
CAN-2004-0497 (users could modify group ID of arbitrary files on the system)
CAN-2004-0535 (e1000 minor info leak)
CAN-2004-0685 (backported Conectiva usb sparse fixes)
CAN-2004-0415 (file offset pointer handling race)
CAN-2004-0565 (information leak ia64)

-final should be out in a few days if nothing bad shows up. 

For more details please read the detailed changelog.

Summary of changes from v2.4.27-rc4 to v2.4.27-rc5
============================================

Adrian Bunk:
  o [NET]: Update CONFIG_NET_SCH_NETEM Configure.help entry

Chris Wright:
  o ethtool_get_regs copy right number of bytes to user

Eric Sandeen:
  o [XFS] Don't lock down user pages when doing direct IO; this can lead to trouble (double-locking zero page, etc).

Harald Welte:
  o [NETFILTER]: ipt_ULOG fix for packet delay
  o [NETFILTER]: Fix broken debug assertion

Marcel Holtmann:
  o [Bluetooth] Fix kernel panic when device config fails
  o [Bluetooth] Replace BCSP retransmitting message with BT_DBG
  o [Bluetooth] Fix resetting to default filters
  o [Bluetooth] Send HCI_Reset for ISSC USB dongles

Marcelo Tosatti:
  o Revert DVD-RW write support for now: axboe@suse.de|ChangeSet|20040606235035|46544
  o Cset exclude: axboe@suse.de|ChangeSet|20040607195639|57919
  o Remove mm/page_alloc.c debugging
  o Al Viro and others: Fix file offset handling races in several drivers
  o Changed EXTRAVERSION to -rc5
  o update-i386-defconfig.patch

Nathan Scott:
  o [XFS] Fix data loss problem - we no longer update i_size anywhere without holding i_sem for 2.4 as well.
  o [XFS] Fix diotest4 test case issues with direct reads in XFS

  o Fix non-use of HZ in 6pack.c

Stephen Hemminger:
  o bridge fix
  o [TCP]: Bic tcp congestion calculation timestamp
  o [PKT_SCHED]: netem limit not returned correctly

                                                                                

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC