CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
- CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)
This commit is contained in:
Josh Boyer
parent
e9cd14fc4d
commit
f4dacfee76
|
|
@ -789,6 +789,9 @@ Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch
|
|||
#CVE-2013-3224 rhbz 955599 955607
|
||||
Patch25015: Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
|
||||
|
||||
#CVE-2013-1979 rhbz 955629 955647
|
||||
Patch25016: net-fix-incorrect-credentials-passing.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1536,6 +1539,9 @@ ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch
|
|||
#CVE-2013-3224 rhbz 955599 955607
|
||||
ApplyPatch Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
|
||||
|
||||
#CVE-2013-1979 rhbz 955629 955647
|
||||
ApplyPatch net-fix-incorrect-credentials-passing.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2393,6 +2399,7 @@ fi
|
|||
# '-'
|
||||
%changelog
|
||||
* Tue Apr 23 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
|
||||
- CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)
|
||||
|
||||
* Mon Apr 22 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
|
|
|
|||
|
|
@ -0,0 +1,45 @@
|
|||
From 83f1b4ba917db5dc5a061a44b3403ddb6e783494 Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Fri, 19 Apr 2013 15:32:32 +0000
|
||||
Subject: [PATCH] net: fix incorrect credentials passing
|
||||
|
||||
Commit 257b5358b32f ("scm: Capture the full credentials of the scm
|
||||
sender") changed the credentials passing code to pass in the effective
|
||||
uid/gid instead of the real uid/gid.
|
||||
|
||||
Obviously this doesn't matter most of the time (since normally they are
|
||||
the same), but it results in differences for suid binaries when the wrong
|
||||
uid/gid ends up being used.
|
||||
|
||||
This just undoes that (presumably unintentional) part of the commit.
|
||||
|
||||
Reported-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Eric W. Biederman <ebiederm@xmission.com>
|
||||
Cc: Serge E. Hallyn <serge@hallyn.com>
|
||||
Cc: David S. Miller <davem@davemloft.net>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/scm.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/include/net/scm.h b/include/net/scm.h
|
||||
index 975cca0..b117081 100644
|
||||
--- a/include/net/scm.h
|
||||
+++ b/include/net/scm.h
|
||||
@@ -56,8 +56,8 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
|
||||
scm->pid = get_pid(pid);
|
||||
scm->cred = cred ? get_cred(cred) : NULL;
|
||||
scm->creds.pid = pid_vnr(pid);
|
||||
- scm->creds.uid = cred ? cred->euid : INVALID_UID;
|
||||
- scm->creds.gid = cred ? cred->egid : INVALID_GID;
|
||||
+ scm->creds.uid = cred ? cred->uid : INVALID_UID;
|
||||
+ scm->creds.gid = cred ? cred->gid : INVALID_GID;
|
||||
}
|
||||
|
||||
static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
Loading…
Reference in New Issue