[linux-source] missing access checks, possible local root exploit

Bug #191208 reported by disabled.user on 2008-02-12
Affects: linux-meta (Ubuntu)
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: linux-source

References:
DSA-1494-1 (http://www.debian.org/security/2008/dsa-1494)

Quoting:
"The vmsplice system call did not properly verify address arguments
passed by user space processes, which allowed local attackers to
overwrite arbitrary kernel memory, gaining root privileges
(CVE-2008-0010, CVE-2008-0600).

In the vserver-enabled kernels, a missing access check on certain
symlinks in /proc enabled local attackers to access resources in other
vservers (CVE-2008-0163)."

See also:
MDVSA-2008:043 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:043)

"A flaw in the vmsplice system call did not properly verify address
arguments passed by user-space processes, which allowed local attackers
to overwrite arbitrary kernel memory and gain root privileges.

Mandriva urges all users to upgrade to these new kernels immediately
as this flaw is being actively exploited. This issue only affects
2.6.17 and newer Linux kernels, [...]"

And:
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00004.html

"Hi folks,

As you are undoubtedly aware a new local root exploit has been
discovered on the weekend and reported to a wide audience.

The CVE identifier is CVE-2008-0600.

The problem affects only kernels 2.6.17 and newer, so it affects
only the following of our products:
- openSUSE 10.2         (2.6.18.x kernel)
- openSUSE 10.3         (2.6.22.x kernel)"
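The advisories quoted above all describe the same defect: a system call accepted address ranges from user space without verifying that they lay inside the calling process's own memory. The C program below is an added illustration written for this report, not kernel code and not anything from the bug or the advisories. It simulates the kind of range check (in the spirit of the kernel's access_ok()) that a vmsplice-style entry point must apply to every iovec before touching it. USER_LIMIT, sim_iovec, range_ok and validate_iovecs are hypothetical names for the simulation, and the address values are constructed.

```c
/* Added example: simulates the access check whose absence the advisories
 * describe. Nothing here is kernel code; it is a user-space model of the
 * rule "every user-supplied [base, base+len) range must stay inside the
 * caller's own address space and must not wrap around". */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical boundary of the simulated address space: addresses below
 * USER_LIMIT are "user" memory, anything at or above is "kernel" memory
 * that a caller must never be able to name in a splice request. */
#define USER_LIMIT 0x40000000UL

/* Simulated iovec as a system call would receive it from the caller. */
struct sim_iovec {
    uintptr_t base;
    size_t len;
};

/* Analogue of access_ok(): accept the range only if it cannot wrap and
 * ends at or below USER_LIMIT. A zero-length range is harmless. */
bool range_ok(uintptr_t base, size_t len)
{
    if (len == 0)
        return true;
    if (base > USER_LIMIT)
        return false;
    /* Written as a subtraction so an enormous len cannot overflow the
     * addition base + len and slip past the comparison. */
    if (len > USER_LIMIT - base)
        return false;
    return true;
}

/* The check the vulnerable entry point lacked: validate every iovec
 * before any of them is used. Returns the count on success, -1 on the
 * first rejected entry so the caller can fail the whole request. */
int validate_iovecs(const struct sim_iovec *iov, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!range_ok(iov[i].base, iov[i].len))
            return -1;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed cases: a normal buffer, one that ends exactly at the
     * limit, one that crosses it, one that wraps, one in "kernel" space. */
    const struct sim_iovec cases[] = {
        { 0x1000UL,       64 },
        { 0x3fffffc0UL,   64 },
        { 0x3fffffc1UL,   64 },
        { 0x1000UL,       SIZE_MAX },
        { 0x50000000UL,   8 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("base=%#lx len=%zu -> %s\n",
               (unsigned long)cases[i].base, cases[i].len,
               validate_iovecs(&cases[i], 1) == 1 ? "accepted" : "rejected");
    }
    return 0;
}
```

The subtraction form of the length test is the part worth copying: comparing `base + len` against the limit looks equivalent but can wrap to a small value for a hostile `len`, which is exactly the class of unchecked-argument mistake the advisories are about.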

tonfa (bboissin) wrote :

There are two bugs described here; CVE-2008-0163 isn't referenced elsewhere in Launchpad.

Jamie Strandboge (jdstrand) wrote :

Removed CVE-2008-0010 and CVE-2008-0600 as these are in bug 190587. Re-opened since CVE-2008-0163 is not a duplicate.

Changed in linux-meta:
status: New → Confirmed

Kees Cook (kees) wrote :

As it turns out, CVE-2008-0163 does not affect Ubuntu -- only the vserver patch that Debian carried was vulnerable, it seems.

Changed in linux-meta:
assignee: nobody → keescook
status: Confirmed → Invalid
This report contains Public Security information.
Everyone can see this security related information.