[SECURITY-L] [S] Reference counting bug in shmat(2)
CSIRT - UNICAMP
security em unicamp.br
Seg Fev 9 11:23:15 -02 2004
----- Forwarded message from Klaus Steding-Jessen <jessen em nic.br> -----
From: Klaus Steding-Jessen <jessen em nic.br>
Subject: [S] Reference counting bug in shmat(2)
To: seguranca em pangeia.com.br
Date: Thu, 5 Feb 2004 21:58:42 -0200
----- Forwarded message from "Todd C. Miller" <Todd.Miller em courtesan.com> -----
To: security-announce em openbsd.org
Subject: Reference counting bug in shmat(2)
Date: Thu, 05 Feb 2004 16:35:48 -0700
From: "Todd C. Miller" <Todd.Miller em courtesan.com>
X-Loop: security-announce em openbsd.org
A reference counting bug exists in the shmat(2) system call that
could be used by an attacker to write to kernel memory under certain
circumstances.
The bug, found by Joost Pol, could be used to gain elevated privileges
and has been successfully exploited under FreeBSD.
Patches for OpenBSD 3.4 and 3.3 respectively are also available:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch
The patch is already present in OpenBSD-current as well as in the
3.3 and 3.4 -stable branches.
For more information on the bug, see Joost Pol's description at:
http://www.pine.nl/press/pine-cert-20040201.txt
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L