Date: Wed, 03 Feb 2010 19:50:00 -0000
From: Tony Jones
To: Dave Brolley
Cc: SystemTAP
Subject: Re: CVE-2009-4273 for stap 1.0?
Message-ID: <20100203194706.GA6741@suse.de>
References: <20100128051807.GA25969@suse.de> <4B61BFA7.5020809@redhat.com>
In-Reply-To: <4B61BFA7.5020809@redhat.com>
Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm
X-SW-Source: 2010-q1/txt/msg00313.txt.bz2

On Thu, Jan 28, 2010 at 11:47:35AM -0500, Dave Brolley wrote:
> Hi Tony,
>
> RHEL55 will soon rebase to systemtap 1.1 which contains the fix, so
> there are currently no plans to backport the fix to 1.0.
>
> If you need to backport to 1.0, I would be happy to help with any
> problems you may encounter. To help get you started, I've attached a
> list of the changes needed to complete the fix.
>
> Please use the public mailing list (systemtap@sources.redhat.com)
> for any further questions.
As part of verifying the backport I tried initially to reproduce the problem in the un-fixed code based on the "horror cases" mentioned at:

http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c1

I tried various forms based on the "stap-client -D 'asdf ; ls /etc' ..." case, but I guess I'm not understanding the side-effects. I assumed the above would result in some form of extraneous output at the client side?

I guess I'd welcome some concrete examples that demonstrate the exploit if you have a spare couple of minutes. Either on or off-list is fine.

Thanks
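The following is an added illustration of the general pattern behind a "-D 'asdf ; ls /etc'" style probe; it is not code from systemtap's stap-server, stap-client, or the bug report, and it assumes (an assumption, not something this thread confirms) that the weakness is a client-supplied option value being spliced into a command string that a shell re-parses on the server. fake_stap, run_unsafe, run_safe and PROBE are names invented here; the probe uses a harmless echo instead of "ls /etc" so the side-effect is unambiguous.

```shell
#!/bin/sh
# Added example: contrasts the two ways a server-side script can hand a
# client-supplied "-D value" to a command. Not stap-server's own code.

# Stand-in for the real compiler invocation (assumed name). It prints each
# argv element on its own line so we can see exactly what was received.
fake_stap() {
  for a in "$@"; do
    printf 'arg:%s\n' "$a"
  done
}

# Unsafe pattern: the client's string is glued into a command line and the
# result is re-parsed by the shell (eval, sh -c, backticks, etc.).  Any ';',
# '|', '&', '$(...)' in the value becomes shell syntax on the server.
run_unsafe() {
  eval "fake_stap -D $1"
}

# Safe pattern: the value is passed through as a single argv element and is
# never re-parsed, so metacharacters reach the command as literal text.
run_safe() {
  fake_stap -D "$1"
}

# Constructed probe modelled on the bug report's "asdf ; ls /etc" case, with
# an echo as the injected command so the side-effect is easy to recognise.
PROBE='asdf ; echo INJECTED_COMMAND_RAN'

printf -- '--- unsafe (value re-parsed by a shell) ---\n'
run_unsafe "$PROBE"
printf -- '--- safe (value kept as one argv element) ---\n'
run_safe "$PROBE"
```

Running it shows the unsafe path invoking fake_stap with "-D asdf" and then executing the injected echo, while the safe path delivers the whole string, semicolon included, as one argument. When reproducing a real case of this class, keep in mind that the injected command runs on the server, so nothing shows up at the client unless the server relays that command's stdout; a probe with a server-side filesystem side-effect (for example touching a file in a writable directory) is easier to confirm than "ls /etc".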