CVE-2019-13272

NameCVE-2019-13272
DescriptionIn the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1862-1, DLA-1863-1, DSA-4484-1, ELA-151-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)jessie, jessie (lts)3.16.84-1fixed
stretch (security)4.9.320-2fixed
stretch (lts), stretch4.9.320-3fixed
buster (security), buster, buster (lts)4.19.316-1fixed
bullseye5.10.223-1fixed
bullseye (security)5.10.226-1fixed
bookworm6.1.115-1fixed
bookworm (security)6.1.119-1fixed
trixie6.12.5-1fixed
sid6.12.6-1fixed
linux-4.9 (PTS)jessie, jessie (lts)4.9.303-1~deb8u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcewheezy3.16.70-1~deb7u1ELA-151-1
linuxsourcejessie3.16.70-1DLA-1862-1
linuxsourcestretch4.9.168-1+deb9u4DSA-4484-1
linuxsourcebuster4.19.37-5+deb10u1DSA-4484-1
linuxsource(unstable)4.19.37-6
linux-4.9sourcejessie4.9.168-1+deb9u4~deb8u1DLA-1863-1

Notes

https://bugzilla.suse.com/show_bug.cgi?id=1140671
https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee

Search for package or bug name: Reporting problems