system/procps: CVE-2018-1121: process hiding through race condition
| Bugzilla ID | 107 |
| Alias(es) | CVE-2018-1121 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-24 02:47:23 -0500 |
| Modified | 2019-07-24 12:58:15 -0500 |
| Status | RESOLVED WONTFIX |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2018-1121 |
Description
From upstream [1][2]:
CVE-2018-1121 is not really a procps bug, but rather how it interacts
with Linux proc filesystem. There is no fix for it, except to not use
procps or even /proc for detecting the presence of a process in the
cases of something that really wants to hide.Plenty of audit type daemons do the job better. The problem with
procps is its a point in time (or several small groups of time).This problem is like looking for a file in a directory and you have to
be absolutely sure nothing changes from the readdir() to the stat() of
the last file in that directory. In fact that is exactly what is going
on.
[1] https://gitlab.com/procps-ng/procps/issues/107
[2] https://gitlab.com/procps-ng/procps/issues/121