On Wed, Mar 02, 2011 at 10:15 +0300, Michael Tokarev wrote:
02.03.2011 00:33, Vasiliy Kulikov wrote:
quoted
Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with
CAP_NET_ADMIN may load any module from /lib/modules/. This doesn't mean
that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are
limited to /lib/modules/**. However, CAP_NET_ADMIN capability shouldn't
allow anybody load any module not related to networking.
This patch restricts an ability of autoloading modules to netdev modules
with explicit aliases. This fixes CVE-2011-1019.
[]
quoted
Reference: https://lkml.org/lkml/2011/2/24/203
Signed-off-by: Vasiliy Kulikov <redacted>
This looks much saner :)
Signed-off-by: Michael Tokarev <redacted>
Is there any reason why it is not yet merged? I've answered to Jake
Edge that it is not a regression.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments