FS#40715 - [linux] Linux kernel futex local privilege escalation (CVE-2014-3153)

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Thursday, 05 June 2014, 17:47 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 08 June 2014, 19:21 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Thomas Bächler (brain0), Andreas Radke (AndyRTR)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 5
Private: No

Details

There is a serious privilege escalation issue in the kernel:

http://seclists.org/oss-sec/2014/q2/467

It's a bit worse than the usual ones, because `futex` is a very common system call permitted inside sandboxes like the ones used by Chromium, Tor and OpenSSH.

Closed by Tobias Powalowski (tpowa)
Sunday, 08 June 2014, 19:21 GMT
Reason for closing: Fixed
Additional comments about closing: 3.14.6
Comment by Daniel Micay (thestinger) - Thursday, 05 June 2014, 18:03 GMT
The linux-lts package also needs to be fixed but I didn't include it in the title because I was unaware when I reported the issue. It's dealt with in linux-grsec by 3.14.5.201406051310-1 (as part of the patchset).
Comment by Claire Farron (clfarron4) - Saturday, 07 June 2014, 13:38 GMT
I extracted these (the first four) from the .mbox file that the submitter used to compress all of them.

I'll test them later with my AUR packages (linux-lts312/-ck/312-ck).

NOTE: From what I understand, 0003-futex-2.6.32.patch is a correction of 0003-futex for something.
Comment by Daniel Micay (thestinger) - Saturday, 07 June 2014, 14:26 GMT
The patches should be applied from Linus' tree, now that they're upstream. There are 2 earlier futex-related patches to apply before these 4 too.
Comment by Claire Farron (clfarron4) - Saturday, 07 June 2014, 21:31 GMT
It appears there is no need to add linux-lts to this report. The 3.10.42 release contains the patches for CVE-2014-3153 (from looking at the changelog): https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.42
Comment by Daniel Micay (thestinger) - Sunday, 08 June 2014, 03:57 GMT
Arch is still on 3.10.41 (at least in [core]) which is vulnerable. The futex fixes for the non-LTS kernel are in 3.14.6, which needs to be packaged and then pushed to [core] for this to be closed.
Comment by Daniel Micay (thestinger) - Sunday, 08 June 2014, 13:35 GMT
The LTS package is now in [core], and the fixed linux version is in [testing]. The bug can be closed when that's moved to [core].
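The comments above name the first fixed package versions for each Arch kernel flavour: 3.14.6 for linux, 3.10.42 for linux-lts and 3.14.5.201406051310-1 for linux-grsec. The script below is an added example, not part of this bug report or of any Arch package, that turns those numbers into an audit: it parses Arch-style pkgver-pkgrel strings (or the output of `uname -r`, such as `3.10.42-1-lts`) and reports whether an installed kernel is older than the fix. It assumes a simplified ordering (numeric dot-separated pkgver components, then pkgrel), which is enough for the kernel versions on this page but is not a full reimplementation of pacman's vercmp, and it assumes that every version at or above the fixed one carries the patch. The sample versions in the usage block are constructed for illustration.

```python
import re
import subprocess

# First fixed versions, as stated in FS#40715 (linux 3.14.6, linux-lts 3.10.42,
# linux-grsec 3.14.5.201406051310-1). Anything older is treated as vulnerable.
FIXED_VERSIONS = {
    "linux": "3.14.6",
    "linux-lts": "3.10.42",
    "linux-grsec": "3.14.5.201406051310-1",
}


def parse_version(version):
    """Turn 'pkgver[-pkgrel[-suffix]]' into a comparable (pkgver tuple, pkgrel) pair.

    Accepts pacman versions such as '3.14.6-1' and `uname -r` strings such as
    '3.10.42-1-lts'. Assumption (simplified vercmp): pkgver components are
    numeric and dot-separated; a missing pkgrel sorts below any numbered one.
    """
    pkgver, _, rest = version.partition("-")
    parts = tuple(int(p) for p in pkgver.split("."))
    rel_match = re.match(r"\d+", rest)
    pkgrel = int(rel_match.group()) if rel_match else 0
    return parts, pkgrel


def is_vulnerable(package, installed):
    """True when `installed` is older than the first fixed version of `package`."""
    if package not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version recorded for {package!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[package])


def installed_kernel_version(package):
    """Ask pacman for the installed version of `package` ('pacman -Q linux' prints
    'linux 3.14.6-1'). Returns None when the package is absent or pacman is missing."""
    try:
        out = subprocess.run(
            ["pacman", "-Q", package], capture_output=True, text=True, check=True
        ).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
    return out.split()[1]


def audit(versions=None):
    """Return {package: (version, vulnerable)} for every known kernel package.

    `versions` is an optional {package: version} mapping that replaces the pacman
    lookup, so the audit can run offline on captured version strings.
    """
    report = {}
    for package in FIXED_VERSIONS:
        if versions is not None:
            version = versions.get(package)
        else:
            version = installed_kernel_version(package)
        if version is None:
            continue  # package not installed on this host
        report[package] = (version, is_vulnerable(package, version))
    return report


if __name__ == "__main__":
    # Constructed sample: a host still on the [core] versions mentioned in the report
    sample = {"linux": "3.14.5-1", "linux-lts": "3.10.41-1"}
    for package, (version, vulnerable) in audit(sample).items():
        state = "VULNERABLE (update needed)" if vulnerable else "fixed"
        print(f"{package} {version}: {state} (fixed in {FIXED_VERSIONS[package]})")
    # On a real Arch host, audit() with no argument queries pacman instead.
```

Running `audit()` without arguments on an Arch machine checks the packages pacman actually has installed; passing a dictionary lets the same logic be applied to version strings collected from other hosts.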
