Bugzilla – Bug 550001
VUL-0: CVE-2009-3547: kernel: local root exploit in pipe()
Last modified: 2017-03-20 21:22:38 UTC
current proposed CRD is November 4 (US time)
The SWAMPID for this issue is 28339. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/28339)
is public now:

Reply-To: oss-security@lists.openwall.com
Date: Tue, 03 Nov 2009 18:54:05 +0800
From: Eugene Teo <eugene@redhat.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
To: oss-security@lists.openwall.com
Cc: "Steven M. Christey" <coley@linus.mitre.org>
Subject: [oss-security] CVE-2009-3547 kernel: fs: pipe.c null pointer dereference

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation.

http://lkml.org/lkml/2009/10/14/184
http://lkml.org/lkml/2009/10/21/42
http://git.kernel.org/linus/ad3960243e55320d74195fb85c975e0a8cc4466c
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3547

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
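A userspace model of the flaw described in the advisory above, added here as an illustration (it is not code from the kernel, the advisory, or this bug report): the unchecked open path dereferences i_pipe after another path has released it, while the checked variant tests the pointer under the lock. The struct and function names are hypothetical, a pthread mutex stands in for the inode mutex, and returning -ENOENT for a released pipe is an assumption of this model.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structures (hypothetical layout). */
struct pipe_model { unsigned int readers; };
struct inode_model {
    pthread_mutex_t i_mutex;     /* plays the role of the inode mutex */
    struct pipe_model *i_pipe;   /* NULL once the pipe has been released */
};

/* Release path: drops the pipe state while holding the lock. */
void model_release(struct inode_model *inode)
{
    pthread_mutex_lock(&inode->i_mutex);
    inode->i_pipe = NULL;
    pthread_mutex_unlock(&inode->i_mutex);
}

/* Flawed pattern: the pipe may have been released before this function
 * obtained the lock, yet i_pipe is used without being re-checked. */
int model_read_open_unchecked(struct inode_model *inode)
{
    pthread_mutex_lock(&inode->i_mutex);
    inode->i_pipe->readers++;    /* NULL dereference if already released */
    pthread_mutex_unlock(&inode->i_mutex);
    return 0;
}

/* Hardened pattern: validate i_pipe under the lock and fail the open
 * cleanly when the pipe is gone. */
int model_read_open_checked(struct inode_model *inode)
{
    int ret = -ENOENT;

    pthread_mutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->readers++;
        ret = 0;
    }
    pthread_mutex_unlock(&inode->i_mutex);
    return ret;
}
```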
(In reply to comment #13)
> is public now:
I have removed the embargo in SP2/SP3 branches.
CVE-2009-3547: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
applied to all relevant kernels now, and in test
*** Bug 553886 has been marked as a duplicate of this bug. ***
cross checking, the SL110_BRANCH still needs the fix.
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ia64) SLE-SDK 10-SP2 (ia64) SLE-SERVER 10-SP2 (ia64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (s390x) SLE-SERVER 10-SP2 (s390x)
A kernel update fixing / mentioning this bug was released on Tuesday for SUSE Linux Enterprise 10 SP2, kernel version 2.6.16.60-0.42.7.
A kernel update fixing / mentioning this bug was released today for SUSE Linux Enterprise 10 SP3, kernel version 2.6.16.60-0.57.1.
Fix checked in to SL110_BRANCH. Closing.
Update released for: kernel-s390, kernel-s390-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (s390)
A Linux kernel update for SUSE Linux Enterprise Server 9 was released Friday that fixes/mentions this bug. Its version is 2.6.5-7.321.
The SWAMPID for this issue is 28844. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/28844)
Update released for: adminfs, novell-cluster-services, novell-cluster-services-cli, novell-cluster-services-km, novell-evms-snapins, novell-nss, novell-sms-zapishim, novell-sms-zapishim-bigsmp, novell-sms-zapishim-default, novell-sms-zapishim-smp, python-xml Products: Open-Enterprise-Server 9 (i386)
Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel, xen-kmp Products: Novell-Linux-Desktop 9 (i386) Open-Enterprise-Server 9 (i386)
Starting L3 here
Patch has been scheduled for the next TD rollup:
sles9sp3 - bug 426350 comment 163
sles10sp1 - bug 434477 comment 126
L3 done here
Update released for: ib-bonding-kmp-rt, ib-bonding-kmp-rt_bigsmp, ib-bonding-kmp-rt_debug, ib-bonding-kmp-rt_timing, kernel-rt, kernel-rt_bigsmp, kernel-rt_debug, kernel-rt_timing, kernel-source, kernel-syms, ofed, ofed-cxgb3-NIC-kmp-rt, ofed-cxgb3-NIC-kmp-rt_bigsmp, ofed-cxgb3-NIC-kmp-rt_debug, ofed-cxgb3-NIC-kmp-rt_timing, ofed-doc, ofed-kmp-rt, ofed-kmp-rt_bigsmp, ofed-kmp-rt_debug, ofed-kmp-rt_timing Products: SLE-RT 10-SP2 (i386, x86_64)
Update released for: acerhk-kmp-debug, acx-kmp-debug, appleir-kmp-debug, at76_usb-kmp-debug, atl2-kmp-debug, aufs-kmp-debug, dazuko-kmp-debug, drbd-kmp-debug, gspcav-kmp-debug, iscsitarget-kmp-debug, ivtv-kmp-debug, kernel-debug, kernel-default, kernel-docs, kernel-kdump, kernel-pae, kernel-ppc64, kernel-ps3, kernel-source, kernel-syms, kernel-vanilla, kernel-xen, kqemu-kmp-debug, nouveau-kmp-debug, omnibook-kmp-debug, pcc-acpi-kmp-debug, pcfclock-kmp-debug, tpctl-kmp-debug, uvcvideo-kmp-debug, virtualbox-ose-kmp-debug, vmware-kmp-debug, wlan-ng-kmp-debug Products: openSUSE 11.0 (debug, i386, ppc, x86_64)