[kernel/f18] CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)

Tue Apr 23 13:09:27 UTC 2013

commit 66a9977428716cea919b53fe565221ed3f21fda8
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Apr 23 09:09:12 2013 -0400

    CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
    
    - CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)

 kernel.spec                                 |    7 ++++
 net-fix-incorrect-credentials-passing.patch |   45 +++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 0 deletions(-)
---

diff --git a/kernel.spec b/kernel.spec
index 1b07f6c..ac63caa 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -805,6 +805,9 @@ Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch
 #CVE-2013-3224 rhbz 955599 955607
 Patch25015: Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
 
+#CVE-2013-1979 rhbz 955629 955647
+Patch25016: net-fix-incorrect-credentials-passing.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1560,6 +1563,9 @@ ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch
 #CVE-2013-3224 rhbz 955599 955607
 ApplyPatch Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
 
+#CVE-2013-1979 rhbz 955629 955647
+ApplyPatch net-fix-incorrect-credentials-passing.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2418,6 +2424,7 @@ fi
 #                 ||     ||
 %changelog
 * Tue Apr 23 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-1979 net: incorrect SCM_CREDENTIALS passing (rhbz 955629 955647)
 - CVE-2013-3224 Bluetooth: possible info leak in bt_sock_recvmsg (rhbz 955599 955607)
 
 * Mon Apr 22 2013 Josh Boyer <jwboyer at redhat.com>
diff --git a/net-fix-incorrect-credentials-passing.patch b/net-fix-incorrect-credentials-passing.patch
new file mode 100644
index 0000000..639faba
--- /dev/null
+++ b/net-fix-incorrect-credentials-passing.patch
@@ -0,0 +1,45 @@
+From 83f1b4ba917db5dc5a061a44b3403ddb6e783494 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 19 Apr 2013 15:32:32 +0000
+Subject: [PATCH] net: fix incorrect credentials passing
+
+Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+sender") changed the credentials passing code to pass in the effective
+uid/gid instead of the real uid/gid.
+
+Obviously this doesn't matter most of the time (since normally they are
+the same), but it results in differences for suid binaries when the wrong
+uid/gid ends up being used.
+
+This just undoes that (presumably unintentional) part of the commit.
+
+Reported-by: Andy Lutomirski <luto at amacapital.net>
+Cc: Eric W. Biederman <ebiederm at xmission.com>
+Cc: Serge E. Hallyn <serge at hallyn.com>
+Cc: David S. Miller <davem at davemloft.net>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/net/scm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 975cca0..b117081 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -56,8 +56,8 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
+ 	scm->pid  = get_pid(pid);
+ 	scm->cred = cred ? get_cred(cred) : NULL;
+ 	scm->creds.pid = pid_vnr(pid);
+-	scm->creds.uid = cred ? cred->euid : INVALID_UID;
+-	scm->creds.gid = cred ? cred->egid : INVALID_GID;
++	scm->creds.uid = cred ? cred->uid : INVALID_UID;
++	scm->creds.gid = cred ? cred->gid : INVALID_GID;
+ }
+ 
+ static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
+-- 
+1.8.1.4
+
