* Linux 2.6.17.4
@ 2006-07-06 22:27 Greg KH
From: Greg KH @ 2006-07-06 22:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: torvalds, Andrew Morton
We (the -stable team) are announcing the release of the 2.6.17.4 kernel.
I'll also be replying to this message with a copy of the patch between
2.6.17.3 and 2.6.17.4, as it is small enough to do so.
The updated 2.6.17.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.17.y.git
and can be browsed at the normal kernel.org git web browser:
www.kernel.org/git/
thanks,
greg k-h
--------
Makefile | 2 +-
kernel/sys.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
Summary of changes from v2.6.17.3 to v2.6.17.4
==============================================
Greg Kroah-Hartman:
fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)
Linux 2.6.17.4
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: Linux 2.6.17.4 2006-07-06 22:27 Linux 2.6.17.4 Greg KH @ 2006-07-06 22:28 ` Greg KH 2006-07-06 22:43 ` Scott J. Harmon 2006-07-06 23:24 ` Chase Venters 0 siblings, 2 replies; 13+ messages in thread From: Greg KH @ 2006-07-06 22:28 UTC (permalink / raw) To: linux-kernel, stable; +Cc: torvalds, Andrew Morton diff --git a/Makefile b/Makefile index 8c72521..abcf2d7 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 6 SUBLEVEL = 17 -EXTRAVERSION = .3 +EXTRAVERSION = .4 NAME=Crazed Snow-Weasel # *DOCUMENTATION* diff --git a/kernel/sys.c b/kernel/sys.c index 0b6ec0e..59273f7 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un error = current->mm->dumpable; break; case PR_SET_DUMPABLE: - if (arg2 < 0 || arg2 > 2) { + if (arg2 < 0 || arg2 > 1) { error = -EINVAL; break; } ^ permalink raw reply related [flat|nested] 13+ messages in thread
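Review bot: in the kernel/sys.c hunk, the PR_SET_DUMPABLE bound drops from `arg2 > 2` to `arg2 > 1` with no comment at the check saying that 2 is refused on purpose, so a reader comparing this against documentation that lists 2 as valid cannot tell a deliberate restriction from a typo. A one-line comment above the test stating that prctl accepts only 0 and 1 would settle that, and the changelog entry could say the same in words rather than only citing the CVE. The signature is cut off in the hunk header; if arg2 is unsigned there, the `arg2 < 0` half can never be true and an explicit test for the two allowed values would read more clearly.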
* Re: Linux 2.6.17.4 2006-07-06 22:28 ` Greg KH @ 2006-07-06 22:43 ` Scott J. Harmon 2006-07-06 22:46 ` Greg KH 2006-07-06 23:24 ` Chase Venters 1 sibling, 1 reply; 13+ messages in thread From: Scott J. Harmon @ 2006-07-06 22:43 UTC (permalink / raw) To: Greg KH; +Cc: linux-kernel, stable, torvalds, Andrew Morton Greg KH wrote: > diff --git a/Makefile b/Makefile > index 8c72521..abcf2d7 100644 > --- a/Makefile > +++ b/Makefile > @@ -1,7 +1,7 @@ > VERSION = 2 > PATCHLEVEL = 6 > SUBLEVEL = 17 > -EXTRAVERSION = .3 > +EXTRAVERSION = .4 > NAME=Crazed Snow-Weasel > > # *DOCUMENTATION* > diff --git a/kernel/sys.c b/kernel/sys.c > index 0b6ec0e..59273f7 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un > error = current->mm->dumpable; > break; > case PR_SET_DUMPABLE: > - if (arg2 < 0 || arg2 > 2) { > + if (arg2 < 0 || arg2 > 1) { > error = -EINVAL; > break; > } Just curious as to why this isn't just ... if (arg2 != 1) { ... Thanks, Scott. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Linux 2.6.17.4 2006-07-06 22:43 ` Scott J. Harmon @ 2006-07-06 22:46 ` Greg KH 2006-07-06 22:54 ` Scott J. Harmon 2006-07-06 23:49 ` Willy Tarreau 0 siblings, 2 replies; 13+ messages in thread From: Greg KH @ 2006-07-06 22:46 UTC (permalink / raw) To: Scott J. Harmon; +Cc: linux-kernel, stable, torvalds, Andrew Morton On Thu, Jul 06, 2006 at 05:43:53PM -0500, Scott J. Harmon wrote: > Greg KH wrote: > > diff --git a/Makefile b/Makefile > > index 8c72521..abcf2d7 100644 > > --- a/Makefile > > +++ b/Makefile > > @@ -1,7 +1,7 @@ > > VERSION = 2 > > PATCHLEVEL = 6 > > SUBLEVEL = 17 > > -EXTRAVERSION = .3 > > +EXTRAVERSION = .4 > > NAME=Crazed Snow-Weasel > > > > # *DOCUMENTATION* > > diff --git a/kernel/sys.c b/kernel/sys.c > > index 0b6ec0e..59273f7 100644 > > --- a/kernel/sys.c > > +++ b/kernel/sys.c > > @@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un > > error = current->mm->dumpable; > > break; > > case PR_SET_DUMPABLE: > > - if (arg2 < 0 || arg2 > 2) { > > + if (arg2 < 0 || arg2 > 1) { > > error = -EINVAL; > > break; > > } > Just curious as to why this isn't just > ... > if (arg2 != 1) { > ... Because that would be incorrect :) thanks, greg k-h ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Linux 2.6.17.4 2006-07-06 22:46 ` Greg KH @ 2006-07-06 22:54 ` Scott J. Harmon 2006-07-07 6:12 ` Jan Engelhardt 2006-07-06 23:49 ` Willy Tarreau 1 sibling, 1 reply; 13+ messages in thread From: Scott J. Harmon @ 2006-07-06 22:54 UTC (permalink / raw) To: Greg KH; +Cc: linux-kernel, stable, torvalds, Andrew Morton Greg KH wrote: > On Thu, Jul 06, 2006 at 05:43:53PM -0500, Scott J. Harmon wrote: >> Greg KH wrote: >>> diff --git a/Makefile b/Makefile >>> index 8c72521..abcf2d7 100644 >>> --- a/Makefile >>> +++ b/Makefile >>> @@ -1,7 +1,7 @@ >>> VERSION = 2 >>> PATCHLEVEL = 6 >>> SUBLEVEL = 17 >>> -EXTRAVERSION = .3 >>> +EXTRAVERSION = .4 >>> NAME=Crazed Snow-Weasel >>> >>> # *DOCUMENTATION* >>> diff --git a/kernel/sys.c b/kernel/sys.c >>> index 0b6ec0e..59273f7 100644 >>> --- a/kernel/sys.c >>> +++ b/kernel/sys.c >>> @@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un >>> error = current->mm->dumpable; >>> break; >>> case PR_SET_DUMPABLE: >>> - if (arg2 < 0 || arg2 > 2) { >>> + if (arg2 < 0 || arg2 > 1) { >>> error = -EINVAL; >>> break; >>> } >> Just curious as to why this isn't just >> ... >> if (arg2 != 1) { >> ... > > Because that would be incorrect :) > > thanks, > > greg k-h DOH! /me hides under a rock Thanks, Scott. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Linux 2.6.17.4 2006-07-06 22:54 ` Scott J. Harmon @ 2006-07-07 6:12 ` Jan Engelhardt 0 siblings, 0 replies; 13+ messages in thread From: Jan Engelhardt @ 2006-07-07 6:12 UTC (permalink / raw) To: Scott J. Harmon; +Cc: Greg KH, linux-kernel, stable, torvalds, Andrew Morton >>>> case PR_SET_DUMPABLE: >>>> - if (arg2 < 0 || arg2 > 2) { >>>> + if (arg2 < 0 || arg2 > 1) { >>>> error = -EINVAL; >>>> break; >>>> } >>> Just curious as to why this isn't just >>> ... >>> if (arg2 != 1) { >>> ... >> >> Because that would be incorrect :) > >DOH! >/me hides under a rock That's quite a good one. Jan Engelhardt -- ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Linux 2.6.17.4 2006-07-06 22:46 ` Greg KH 2006-07-06 22:54 ` Scott J. Harmon @ 2006-07-06 23:49 ` Willy Tarreau 2006-07-06 23:53 ` [stable] " Greg KH ` (2 more replies) 1 sibling, 3 replies; 13+ messages in thread From: Willy Tarreau @ 2006-07-06 23:49 UTC (permalink / raw) To: Greg KH; +Cc: Scott J. Harmon, linux-kernel, stable, torvalds, Andrew Morton On Thu, Jul 06, 2006 at 03:46:14PM -0700, Greg KH wrote: > On Thu, Jul 06, 2006 at 05:43:53PM -0500, Scott J. Harmon wrote: > > Greg KH wrote: > > > diff --git a/Makefile b/Makefile > > > index 8c72521..abcf2d7 100644 > > > --- a/Makefile > > > +++ b/Makefile > > > @@ -1,7 +1,7 @@ > > > VERSION = 2 > > > PATCHLEVEL = 6 > > > SUBLEVEL = 17 > > > -EXTRAVERSION = .3 > > > +EXTRAVERSION = .4 > > > NAME=Crazed Snow-Weasel > > > > > > # *DOCUMENTATION* > > > diff --git a/kernel/sys.c b/kernel/sys.c > > > index 0b6ec0e..59273f7 100644 > > > --- a/kernel/sys.c > > > +++ b/kernel/sys.c > > > @@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un > > > error = current->mm->dumpable; > > > break; > > > case PR_SET_DUMPABLE: > > > - if (arg2 < 0 || arg2 > 2) { > > > + if (arg2 < 0 || arg2 > 1) { > > > error = -EINVAL; > > > break; > > > } > > Just curious as to why this isn't just > > ... > > if (arg2 != 1) { > > ... > > Because that would be incorrect :) Interestingly, 2.4 tests (arg2 !=0 && arg2 != 1) so from the code changes above, it looks like the value 2 was added on purpose, but for what ? Maybe the fix is not really correct yet ? Cheers, Willy > > thanks, > > greg k-h > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [stable] Re: Linux 2.6.17.4 2006-07-06 23:49 ` Willy Tarreau @ 2006-07-06 23:53 ` Greg KH 2006-07-06 23:56 ` Chris Wright 2006-07-06 23:57 ` Chase Venters 2 siblings, 0 replies; 13+ messages in thread From: Greg KH @ 2006-07-06 23:53 UTC (permalink / raw) To: Willy Tarreau Cc: Greg KH, torvalds, Andrew Morton, Scott J. Harmon, linux-kernel, stable On Fri, Jul 07, 2006 at 01:49:18AM +0200, Willy Tarreau wrote: > On Thu, Jul 06, 2006 at 03:46:14PM -0700, Greg KH wrote: > > On Thu, Jul 06, 2006 at 05:43:53PM -0500, Scott J. Harmon wrote: > > > Greg KH wrote: > > > > diff --git a/Makefile b/Makefile > > > > index 8c72521..abcf2d7 100644 > > > > --- a/Makefile > > > > +++ b/Makefile > > > > @@ -1,7 +1,7 @@ > > > > VERSION = 2 > > > > PATCHLEVEL = 6 > > > > SUBLEVEL = 17 > > > > -EXTRAVERSION = .3 > > > > +EXTRAVERSION = .4 > > > > NAME=Crazed Snow-Weasel > > > > > > > > # *DOCUMENTATION* > > > > diff --git a/kernel/sys.c b/kernel/sys.c > > > > index 0b6ec0e..59273f7 100644 > > > > --- a/kernel/sys.c > > > > +++ b/kernel/sys.c > > > > @@ -1991,7 +1991,7 @@ asmlinkage long sys_prctl(int option, un > > > > error = current->mm->dumpable; > > > > break; > > > > case PR_SET_DUMPABLE: > > > > - if (arg2 < 0 || arg2 > 2) { > > > > + if (arg2 < 0 || arg2 > 1) { > > > > error = -EINVAL; > > > > break; > > > > } > > > Just curious as to why this isn't just > > > ... > > > if (arg2 != 1) { > > > ... > > > > Because that would be incorrect :) > > Interestingly, 2.4 tests (arg2 !=0 && arg2 != 1) so from the code changes > above, it looks like the value 2 was added on purpose, but for what ? Maybe > the fix is not really correct yet ? No, it's correct. The change was incorrect. thanks, greg k-h ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [stable] Re: Linux 2.6.17.4
From: Chris Wright @ 2006-07-06 23:56 UTC (permalink / raw)
To: Willy Tarreau
Cc: Greg KH, torvalds, Andrew Morton, Scott J. Harmon, linux-kernel, stable

* Willy Tarreau (w@1wt.eu) wrote:
> Interestingly, 2.4 tests (arg2 !=0 && arg2 != 1) so from the code changes
> above, it looks like the value 2 was added on purpose, but for what ? Maybe
> the fix is not really correct yet ?

The old code was changed to support a new feature (suid_dumpable for
debugging). The sysctl should support 2 (the new value), but the prctl
can be abused and hence reducing the test to one analogous to 2.4. This
is a correct fix.

thanks,
-chris
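The split described in the message above (the sysctl may hold 2, while prctl() must accept only 0 and 1) can be checked on a running kernel. This is an added example, not part of the thread or the kernel source; the names `probe_set_dumpable` and `read_suid_dumpable` are hypothetical, and it assumes a Linux host with /proc mounted.

```c
/* Added example: verify that prctl(PR_SET_DUMPABLE) accepts only 0 and 1. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

enum probe_result { PROBE_REJECTED, PROBE_ACCEPTED, PROBE_ERROR };

/* Try one PR_SET_DUMPABLE value, then restore the previous flag so the
 * probe leaves the calling process unchanged. */
enum probe_result probe_set_dumpable(unsigned long value)
{
    int saved = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (saved < 0)
        return PROBE_ERROR;

    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) == 0) {
        /* Accepted: put the old flag back. A saved value of 2 can only come
         * from the sysctl and is not re-set here, so fall back to 0. */
        prctl(PR_SET_DUMPABLE, saved == 1 ? 1UL : 0UL, 0, 0, 0);
        return PROBE_ACCEPTED;
    }
    return errno == EINVAL ? PROBE_REJECTED : PROBE_ERROR;
}

/* System-wide setting, which may legitimately be 0, 1 or 2; -1 if unreadable. */
int read_suid_dumpable(void)
{
    int v = -1;
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    static const char *name[] = { "rejected (EINVAL)", "accepted", "error" };
    printf("fs.suid_dumpable sysctl: %d\n", read_suid_dumpable());
    for (unsigned long v = 0; v <= 2; v++)
        printf("prctl(PR_SET_DUMPABLE, %lu): %s\n", v, name[probe_set_dumpable(v)]);
    /* A kernel carrying the fix accepts 0 and 1 and rejects 2. */
    return probe_set_dumpable(2) == PROBE_REJECTED ? 0 : 1;
}
```

The exit status is 0 when value 2 is rejected, so the program can be dropped into a host baseline check.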
* Re: Linux 2.6.17.4
From: Chase Venters @ 2006-07-06 23:57 UTC (permalink / raw)
To: Willy Tarreau
Cc: Greg KH, Scott J. Harmon, linux-kernel, stable, torvalds, Andrew Morton

On Thursday 06 July 2006 18:48, Willy Tarreau wrote:
> Interestingly, 2.4 tests (arg2 !=0 && arg2 != 1) so from the code changes
> above, it looks like the value 2 was added on purpose, but for what ? Maybe
> the fix is not really correct yet ?

Hence the source of my curiosity. My prctl() manpage says that 2 makes a core
that is only readable by root.

PR_SET_DUMPABLE
    (Since Linux 2.4) Set the state of the flag determining whether
    core dumps are produced for this process upon delivery of a signal
    whose default behaviour is to produce a core dump. (Normally this
    flag is set for a process by default, but it is cleared when a
    set-user-ID or set-group-ID program is executed and also by various
    system calls that manipulate process UIDs and GIDs). In kernels up
    to and including 2.6.12, arg2 must be either 0 (process is not
    dumpable) or 1 (process is dumpable). Since kernel 2.6.13, the
    value 2 is also permitted; this causes any binary which normally
    would not be dumped to be dumped readable by root only. (See also
    the description of /proc/sys/fs/suid_dumpable in proc(5).)

> Cheers,
> Willy

Thanks,
Chase
* Re: Linux 2.6.17.4 2006-07-06 22:28 ` Greg KH 2006-07-06 22:43 ` Scott J. Harmon @ 2006-07-06 23:24 ` Chase Venters 2006-07-06 23:54 ` [stable] " Greg KH 2006-07-07 10:34 ` Marcel Holtmann 1 sibling, 2 replies; 13+ messages in thread From: Chase Venters @ 2006-07-06 23:24 UTC (permalink / raw) To: Greg KH; +Cc: linux-kernel, stable, torvalds, Andrew Morton On Thursday 06 July 2006 17:28, Greg KH wrote: > case PR_SET_DUMPABLE: > - if (arg2 < 0 || arg2 > 2) { > + if (arg2 < 0 || arg2 > 1) { > error = -EINVAL; > break; > } Am I staring at this crooked, or not looking deep enough? My manual page for prctl says 2 is valid there. Specifically: Since kernel 2.6.13, the value 2 is also permitted; this causes any binary which normally would not be dumped to be dumped read- able by root only. (See also the description of /proc/sys/fs/suid_dumpable in proc(5).) ...has something changed, and my manpages don't reflect it? Did I miss a conversation about this? Thanks, Chase ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [stable] Re: Linux 2.6.17.4 2006-07-06 23:24 ` Chase Venters @ 2006-07-06 23:54 ` Greg KH 2006-07-07 10:34 ` Marcel Holtmann 1 sibling, 0 replies; 13+ messages in thread From: Greg KH @ 2006-07-06 23:54 UTC (permalink / raw) To: Chase Venters; +Cc: Greg KH, Andrew Morton, torvalds, linux-kernel, stable On Thu, Jul 06, 2006 at 06:24:23PM -0500, Chase Venters wrote: > On Thursday 06 July 2006 17:28, Greg KH wrote: > > case PR_SET_DUMPABLE: > > - if (arg2 < 0 || arg2 > 2) { > > + if (arg2 < 0 || arg2 > 1) { > > error = -EINVAL; > > break; > > } > > Am I staring at this crooked, or not looking deep enough? My manual page for > prctl says 2 is valid there. Specifically: > > Since kernel 2.6.13, the value 2 is also permitted; this causes > any binary which normally would not be dumped to be dumped read- > able by root only. (See also the description of > /proc/sys/fs/suid_dumpable in proc(5).) > > ...has something changed, and my manpages don't reflect it? Did I miss a > conversation about this? Please refer to the CVE number for details. thanks, greg k-h ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Linux 2.6.17.4 2006-07-06 23:24 ` Chase Venters 2006-07-06 23:54 ` [stable] " Greg KH @ 2006-07-07 10:34 ` Marcel Holtmann 1 sibling, 0 replies; 13+ messages in thread From: Marcel Holtmann @ 2006-07-07 10:34 UTC (permalink / raw) To: Chase Venters; +Cc: Greg KH, linux-kernel, stable, torvalds, Andrew Morton Hi Chase, > > case PR_SET_DUMPABLE: > > - if (arg2 < 0 || arg2 > 2) { > > + if (arg2 < 0 || arg2 > 1) { > > error = -EINVAL; > > break; > > } > > Am I staring at this crooked, or not looking deep enough? My manual page for > prctl says 2 is valid there. Specifically: > > Since kernel 2.6.13, the value 2 is also permitted; this causes > any binary which normally would not be dumped to be dumped read- > able by root only. (See also the description of > /proc/sys/fs/suid_dumpable in proc(5).) > > ...has something changed, and my manpages don't reflect it? Did I miss a > conversation about this? the manual page must change. This paragraph must be removed. Regards Marcel ^ permalink raw reply [flat|nested] 13+ messages in thread