Linux Kernel sys_chown() Bug May Let Remote NFS Users Modify Group Permissions on Files
SecurityTracker Alert ID: 1010859|
SecurityTracker URL: http://securitytracker.com/id/1010859
(Links to External Site)
Date: Aug 4 2004
Modification of system information|
Fix Available: Yes Vendor Confirmed: Yes |
A vulnerability was reported in the Linux kernel. A remote authenticated user can modify the group permissions of files on the target system.|
It is reported that users can modify the group ID of arbitrary files on the system due to a missing check for fsuid in the sys_chown() function. An NFS client may be able to make unauthorized changes to the group ownership of files on a remote system.
A remote authenticated user can modify the group permissions of arbitrary files on the target system.|
A fix is availabe in 2.4.27 RC5. Individual Linux distribution vendors are expected to release fixes for their distributions.|
Access control error, State error|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: Linux 2.4.27-rc5|
Here goes the fifth release candidate of kernel v2.4.27.
It includes a handful of XFS fixes, a network update (Bluetooth, Netfilter,
bridge), it revert problematic DVD-RW support for now (should be back in
Most importantly this release fixes an exploitable race in file offset handling
which allows unpriviledged users from potentially reading kernel memory.
This touches several drivers and generic proc code. This issue is covered by
Vendors should be releasing their updates real soon now.
Here are the most important security issues fixed by the 2.4.27 release:
CAN-2004-0495 (Al Viro sparse fixes)
CAN-2004-0497 (users could modify group ID of arbitrary files on the system)
CAN-2004-0535 (e1000 minor info leak)
CAN-2004-0685 (backported Conectiva usb sparse fixes)
CAN-2004-0415 (file offset pointer handling race)
CAN-2004-0565 (information leak ia64)
-final should be out in a few days if nothing bad shows up.
For more details please read the detailed changelog.
Summary of changes from v2.4.27-rc4 to v2.4.27-rc5
o [NET]: Update CONFIG_NET_SCH_NETEM Configure.help entry
o ethtool_get_regs copy right number of bytes to user
o [XFS] Don't lock down user pages when doing direct IO; this can lead to trouble (double-locking zero page, etc).
o [NETFILTER]: ipt_ULOG fix for packet delay
o [NETFILTER]: Fix broken debug assertion
o [Bluetooth] Fix kernel panic when device config fails
o [Bluetooth] Replace BCSP retransmitting message with BT_DBG
o [Bluetooth] Fix resetting to default filters
o [Bluetooth] Send HCI_Reset for ISSC USB dongles
o Revert DVD-RW write support for now: firstname.lastname@example.org|ChangeSet|20040606235035|46544
o Cset exclude: email@example.com|ChangeSet|20040607195639|57919
o Remove mm/page_alloc.c debugging
o Al Viro and others: Fix file offset handling races in several drivers
o Changed EXTRAVERSION to -rc5
o [XFS] Fix data loss problem - we no longer update i_size anywhere without holding i_sem for 2.4 as well.
o [XFS] Fix diotest4 test case issues with direct reads in XFS
o Fix non-use of HZ in 6pack.c
o bridge fix
o [TCP]: Bic tcp congestion calculation timestamp
o [PKT_SCHED]: netem limit not returned correctly
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/