I've backported changes to fix CVE-2018-1120 (denial of service via FUSE-backed /proc/PID/cmdline) in 4.4-stable. See https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt for an explanation of the issue.
This was already fixed in newer stable branches, but the fix depended on API changes made in 4.9. The API changes are fairly straightforward and should be low risk, so the attached patches include those API changes.
I verified that the proof-of-concept no longer works after these changes, and that there were no regressions in the user-copy and vm self-tests. I leave it to you to decide whether it's worthwhile to fix this in 4.4.
Ben.
On Thu, Dec 13, 2018 at 08:24:24PM +0000, Ben Hutchings wrote:
I've backported changes to fix CVE-2018-1120 (denial of service via FUSE-backed /proc/PID/cmdline) in 4.4-stable. See https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt for an explanation of the issue.
This was already fixed in newer stable branches, but the fix depended on API changes made in 4.9. The API changes are fairly straightforward and should be low risk, so the attached patches include those API changes.
I verified that the proof-of-concept no longer works after these changes, and that there were no regressions in the user-copy and vm self-tests. I leave it to you to decide whether it's worthwhile to fix this in 4.4.
Wow, thanks for this, I never expected to see this happen, nice job.
All now queued up.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Ben Hutchings -
Greg Kroah-Hartman