The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
| Link | Tags |
|---|---|
| https://www.openwall.com/lists/oss-security/2019/04/03/4 | mailing list third party advisory exploit |
| https://www.openwall.com/lists/oss-security/2019/04/03/4/1 | mailing list third party advisory exploit |
| http://www.securityfocus.com/bid/107887 | third party advisory vdb entry |
| http://www.openwall.com/lists/oss-security/2019/04/18/5 | third party advisory mailing list |
| http://www.openwall.com/lists/oss-security/2019/05/22/7 | mailing list |
| https://usn.ubuntu.com/4007-2/ | vendor advisory |
| https://usn.ubuntu.com/4008-1/ | vendor advisory |
| https://usn.ubuntu.com/4006-1/ | vendor advisory |
| https://usn.ubuntu.com/4006-2/ | vendor advisory |
| https://usn.ubuntu.com/4007-1/ | vendor advisory |
| https://usn.ubuntu.com/4008-3/ | vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html | vendor advisory |