Date: Mon, 14 Jul 2008 16:47:23 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2008-2365 kernel: ptrace: Crash on
	PTRACE_{ATTACH,DETACH} race -- affecting kernel versions <= 2.6.25

On Thu, Jun 26, 2008 at 04:53:38PM +0200, Jan Lieskovsky wrote:
> Hello guys,
> 
>   wanted to inform you about recently discovered utrace/ptrace
> attach and detach race condition affecting Linux kernel from versions
> 2.6.9 up to the upstream one (< 2.6.25).
> The upstream Linux kernel version got already patched with the following
> three patches, which resolve this issue:
> 
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=5ecfbae093f0c37311e89b29bfc0c9d586eace87
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f5b40e363ad6041a96e3da32281d8faa191597b9
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f358166a9405e4f1d8e50d8f415c26d95505b6de

Jan, these patches are from 2006 and were even fixed in a 2.6.16.x stable release...
and the code was rewritten in 2.6.17 as far as I can see.

So is 2.6.25 really the upper bound?

Ciao, Marcus
