Release Found: Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG.

Update 1st September 2009: This article has been updated to reflect the release of the Red Hat Security Advisory RHSA-2009:1193, which fixes the CVE-2009-1895 issue in Red Hat Enterprise Linux 5.

Update 15th September 2009: This article has been updated to reflect the release of the Red Hat Security Advisory RHSA-2009:1438, which fixes the CVE-2009-1895 issue in Red Hat Enterprise Linux 4.

Update 4th November 2009: This article has been updated to reflect the release of the Red Hat Security Advisories RHSA-2009:1550 and RHSA-2009:1540, which fix the CVE-2009-1895 issue in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG respectively.

Problem

The flaw identified by CVE-2009-1895 (Red Hat Bugzilla bug 511171) describes an issue with the current PER_CLEAR_ON_SETID mask in the Linux kernel, versions 2.6.31-rc2 and earlier (including 2.6.27.26 and 2.6.30.1). The ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. This flaw was addressed via the upstream git commit f9fabcb5. On systems without this patch, this flaw could allow a local, unprivileged user to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.

Solution

This issue has been fixed in Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG via the Red Hat Security Advisories RHSA-2009:1550, RHSA-2009:1438, RHSA-2009:1193, and RHSA-2009:1540 respectively.