All Linux kernels prior to 2.2.16 contain a bug in the `capabilities' access-control model. Local users can exploit this bug to obtain root access.
The 2.2 kernel introduces `capabilities', which provide finer-grained access controls than the traditional root/non-root model. Typically, capabilities for a new process are inherited from the parent process.
One of the capabilities governs the ability of a process to change its uid via the setuid() system call. Any process can clear this capability for itself (and therefore for all of its children). If such a process then calls a different program which is suid root, the second program will run as root (as it must). However, if the second program then tries to drop its root access, the attempt will fail because the capability is missing. Thus the second process runs entirely as root, exposing lots of code that was not designed to be run as root.
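The failure mode described above is silent only when a suid program ignores the outcome of its privilege drop. The following is an added example, not code from the advisory or from any affected program: a drop routine that checks the return values, reads the ids back, and confirms that root cannot be regained. The helper name drop_privileges() is an assumption made for illustration.

```c
/* Added example: verified privilege drop for a set-uid-root program. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to the invoking user's real uid/gid.
 * Returns 0 only if the drop is confirmed; -1 means the caller must abort.
 * drop_privileges() is a hypothetical helper name, not from the advisory.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped, setgid() is no longer permitted. */
    if (setgid(rgid) != 0)
        return -1;
    /* Never ignore this result: without the setuid capability it can fail. */
    if (setuid(ruid) != 0)
        return -1;

    /* Do not trust the return value alone; read the ids back. */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;

    /* A non-root user must not be able to get root back (saved uid check). */
    if (ruid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;

    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return EXIT_FAILURE;
    }
    printf("running as uid %ld, euid %ld\n", (long)getuid(), (long)geteuid());
    return EXIT_SUCCESS;
}
```

A program that gets -1 back should exit immediately rather than continue with whatever ids it still holds.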
Download the following RPM packages to the NetWinder into a temporary
directory, then install them with the command "rpm -Uvh *.rpm". Be sure
there are no other files ending in ".rpm" in the temporary directory. See
http://www.netwinder.org/security/install.html for more help.
Note: the fix from 2.2.16 has been included in the following 2.2.14 kernels. For the OfficeServer product, it is also necessary to download and install a newer "modutils" package.
REFERENCES
Reported to BugTraq on June 7, 2000 by Sendmail Security.