Ubuntu
linux package

Security bug related to CVE-2010-3301

Bug #640390 reported by Bremm on 2010-09-16

278

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	High	Stefan Bader
	Jaunty	Fix Released	High	Unassigned
	Karmic	Fix Released	High	Unassigned
	Lucid	Fix Released	High	Unassigned
	Maverick	Fix Released	High	Stefan Bader

Bug Description

Binary package hint: linux-image-generic

I'm reporting this bug here since there's no information at https://bugs.launchpad.net/bugs/cve/2010-3301

You can find a whole description here: http://sota.gen.nz/compat2/

$ gcc robert_you_suck.c
$ whoami
bremm
$ ./a.out
resolved symbol commit_creds to 0xffffffff8108bd90
resolved symbol prepare_kernel_cred to 0xffffffff8108c170
mapping at 3f80000000
UID 0, EUID:0 GID:0, EGID:0
# whoami
root

$ uname -a
Linux host 2.6.32-24-generic #42-Ubuntu SMP Fri Aug 20 14:21:58 UTC 2010 x86_64 GNU/Linux

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-09-16:

#1

Thanks for using Ubuntu and taking the time to report a bug. We are in the process of preparing updates for this now. Unfortunately, there was no pre-disclosure to vendors on this issue, but we are working hard to get the update out.

affects:	linux-meta (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
importance:	Undecided → High
status:	New → In Progress
assignee:	nobody → Stefan Bader (stefan-bader-canonical)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-09-16:

#2

Packages are available in https://edge.launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages. We expect these to be published to the archive later today.

visibility:	private → public
Changed in linux (Ubuntu):
status:	In Progress → Fix Committed

Kees Cook (kees) on 2010-09-17

Changed in linux (Ubuntu Lucid):
status:	New → Fix Committed
Changed in linux (Ubuntu Karmic):
status:	New → Fix Committed
Changed in linux (Ubuntu Jaunty):
status:	New → Fix Committed
Changed in linux (Ubuntu Karmic):
importance:	Undecided → High
Changed in linux (Ubuntu Jaunty):
importance:	Undecided → High
Changed in linux (Ubuntu Lucid):
importance:	Undecided → High

Revision history for this message

Kees Cook (kees) wrote on 2010-09-17:

#3

This fix has been published now: http://www.ubuntu.com/usn/usn-988-1

Changed in linux (Ubuntu Jaunty):
status:	Fix Committed → Fix Released
Changed in linux (Ubuntu Lucid):
status:	Fix Committed → Fix Released
Changed in linux (Ubuntu Karmic):
status:	Fix Committed → Fix Released
Changed in linux (Ubuntu Maverick):
status:	Fix Committed → Fix Released

Revision history for this message

Patrick Domack (patrickdk) wrote on 2010-11-30:

#4

This is still an issue on the ec2 kernels, I have tested I can easily root 309 and 310 for lucid.

Revision history for this message

Stefan Bader (smb) wrote on 2010-11-30:

#5

Found out that ec2 / xen duplicates some files. One of which was the target for that CVE. Have successfully tested the changes copied into the xen version and will upload this with the next proposed kernel.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.