Debian Bug report logs - #541403
linux-image-2.6.26-2-686: Local Privilege Escalation

Package: linux-2.6; Maintainer for linux-2.6 is (unknown);

Reported by: Stefano <pietranera@gmail.com>

Date: Thu, 13 Aug 2009 21:45:01 UTC

Severity: critical

Tags: security

Merged with 541483, 541496

Fixed in version 2.6.30-6

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#541403; Package linux-image-2.6.26-2-686. (Thu, 13 Aug 2009 21:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Stefano <pietranera@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Thu, 13 Aug 2009 21:45:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: linux-image-2.6.26-2-686
Version: 2.6.26-17
Justification: root security hole
Severity: critical
Tags: security

*** Please type your report below this line ***

Hi,

today a serious bug in the Linux Kernel has been discovered and
disclosed. It affects all 2.4 and 2.6 kernels since 2001 on all
architectures. 

See here for more details:
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

Hopefully this bug has already been patched:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

I'm pretty sure that you guys already know that, but it is really urgent
to apply the patch and release an update for the linux-image packages.

Thank you for your fantastic job.

Stefano

-- Package-specific info:
** Version:
Linux version 2.6.26-2-686 (Debian 2.6.26-17) (dannf@debian.org) (gcc
version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Jun 21
04:57:38 UTC 2009

-- System Information:
Debian Release: squeeze/sid
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)

Versions of packages linux-image-2.6.26-2-686 depends on:
ii  debconf [debconf-2.0]         1.5.27     Debian configuration
management sy
ii  initramfs-tools [linux-initra 0.93.4     tools for generating an
initramfs
ii  module-init-tools             3.9-2      tools for managing Linux
kernel mo

Versions of packages linux-image-2.6.26-2-686 recommends:
ii  libc6-i686                    2.9-23     GNU C Library: Shared
libraries [i

Versions of packages linux-image-2.6.26-2-686 suggests:
ii  grub                          0.97-55    GRand Unified Bootloader
(dummy pa
ii  grub-legacy [grub]            0.97-55    GRand Unified Bootloader
(Legacy v
pn  linux-doc-2.6.26              <none>     (no description available)

-- debconf information excluded

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#541403; Package linux-image-2.6.26-2-686. (Fri, 14 Aug 2009 16:00:12 GMT) (full text, mbox, link).

Acknowledgement sent to Bertrand Yvain <pnl@ielo.net>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 14 Aug 2009 16:00:12 GMT) (full text, mbox, link).

Message #10 received at 541403@bugs.debian.org (full text, mbox, reply):

Package: linux-2.6
Version: 2.6.18.dfsg.1-24etch2
Followup-For: Bug #541403


Linux 2.6.18 lacks kernel_sendpage, used by official patch.
Here is a substitute.

--- net/socket.c.orig	2009-08-14 16:51:19.000000000 +0200
+++ net/socket.c	2009-08-14 16:52:20.000000000 +0200
@@ -698,7 +698,10 @@
 	if (more)
 		flags |= MSG_MORE;
 
-	return sock->ops->sendpage(sock, page, offset, size, flags);
+	if (sock->ops->sendpage)
+		return sock->ops->sendpage(sock, page, offset, size, flags);
+	
+	return sock_no_sendpage(sock, page, offset, size, flags);
 }
 
 static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,


-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Bug reassigned from package 'linux-image-2.6.26-2-686' to 'linux-2.6'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 14 Aug 2009 16:54:09 GMT) (full text, mbox, link).

Bug No longer marked as found in versions 2.6.18.dfsg.1-24etch2 and linux-2.6/2.6.26-17. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 14 Aug 2009 16:54:10 GMT) (full text, mbox, link).

Forcibly Merged 541403 541483. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 14 Aug 2009 16:54:12 GMT) (full text, mbox, link).

Forcibly Merged 541403 541483 541496. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 14 Aug 2009 17:39:16 GMT) (full text, mbox, link).

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Thu, 20 Aug 2009 17:15:20 GMT) (full text, mbox, link).

Notification sent to Stefano <pietranera@gmail.com>:
Bug acknowledged by developer. (Thu, 20 Aug 2009 17:15:20 GMT) (full text, mbox, link).

Message #23 received at 541403-done@bugs.debian.org (full text, mbox, reply):

Version: 2.6.30-6

On Thu, Aug 13, 2009 at 05:43:25PM -045A00, Stefano wrote:
> Package: linux-image-2.6.26-2-686
> Version: 2.6.26-17
> Justification: root security hole
> Severity: critical
> Tags: security
> 
> *** Please type your report below this line ***
> 
> Hi,
> 
> today a serious bug in the Linux Kernel has been discovered and
> disclosed. It affects all 2.4 and 2.6 kernels since 2001 on all
> architectures. 
> 
> See here for more details:
> http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
> 
> Hopefully this bug has already been patched:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
> 
> I'm pretty sure that you guys already know that, but it is really urgent
> to apply the patch and release an update for the linux-image packages.
> 
> Thank you for your fantastic job.

This was fixed in unstable in 2.6.30-6. The 2.6.18, 2.6.24 and 2.6.26 kernels
from Etch and Lenny have been fixed in DSAs.

Cheers,
        Moritz

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Thu, 20 Aug 2009 17:15:21 GMT) (full text, mbox, link).

Notification sent to Michael Moritz <techtech@gn.apc.org>:
Bug acknowledged by developer. (Thu, 20 Aug 2009 17:15:21 GMT) (full text, mbox, link).

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Thu, 20 Aug 2009 17:15:22 GMT) (full text, mbox, link).

Notification sent to Tim <tim-debian@sentinelchicken.org>:
Bug acknowledged by developer. (Thu, 20 Aug 2009 17:15:22 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Sep 2009 07:26:39 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jun 4 23:40:31 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #541403 linux-image-2.6.26-2-686: Local Privilege Escalation

Debian Bug report logs - #541403
linux-image-2.6.26-2-686: Local Privilege Escalation