Yet another Dirty Frag type vulnerability: Fragnesia [LWN.net]


Sam James has sent an announcement to the OSS Security mailing list about another
local-privilege-escalation (LPE) exploit in the same class as Dirty Frag, called
“Fragnesia”. From the disclosure:

This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag.

It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to
achieve arbitrary byte writes into the kernel page cache of read-only
files, without requiring any race condition.

James noted that there is a patch in the works, but it has not yet been pulled
into Linus Torvalds’s tree nor into any of the stable kernels. A proof of concept
is also available.




