Date: Fri, 26 Aug 2016 05:05:11 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request -- linux kernel: Setting a POSIX ACL via setxattr
 doesn't clear the setgid bit

Hello,

We would like to ask for a CVE-ID for the following security flaw.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows bypassing the check in chmod(2).

A proposed fix:
http://marc.info/?l=linux-fsdevel&m=147162313630259&w=2

Initial discussion:
http://www.spinics.net/lists/linux-fsdevel/msg98328.html

Red Hat security Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1368938

The fix is not yet accepted to the Linux kernel upstream.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
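A root-run probe for the behaviour described in the request, added here as an example (it is not part of the original post, the proposed patch or the kernel tree). It creates a scratch file owned by an unprivileged uid and by a gid that uid is not a member of, arms the setgid bit, then as that uid sets the same rwx permissions twice: once through chmod(2), where inode_change_ok() drops S_ISGID, and once through setxattr(2) on system.posix_acl_access with a minimal ACL equivalent to mode 0755, which on an unfixed kernel leaves S_ISGID in place. The xattr value layout is the kernel's posix_acl_xattr format (32-bit LE version followed by 8-byte LE {tag, perm, id} entries). The uid/gid values, the scratch path, and the helper names (`encode_acl_from_mode`, `expected_mode_after_chmod`, `sgid_set`) are assumptions made for the illustration.

```c
/*
 * Added example, not from the original post: probe whether setting a POSIX
 * ACL through setxattr(2) keeps the setgid bit that chmod(2) would clear.
 * Assumed: uid 65534 is unprivileged and is NOT a member of gid 65533;
 * /tmp is on a file system that supports POSIX ACLs.  Run as root.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Layout of the system.posix_acl_access value (kernel posix_acl_xattr.h):
 * 32-bit LE version, then 8-byte entries {le16 tag, le16 perm, le32 id}. */
#define POSIX_ACL_XATTR_VERSION 0x0002
#define ACL_USER_OBJ     0x01
#define ACL_GROUP_OBJ    0x04
#define ACL_OTHER        0x20
#define ACL_UNDEFINED_ID 0xffffffffu
#define ACL_XATTR_NAME   "system.posix_acl_access"

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Encode the minimal ACL (user_obj, group_obj, other) whose permissions equal the
 * rwx bits of `mode`.  Returns bytes written, or 0 if `cap` is too small. */
size_t encode_acl_from_mode(mode_t mode, uint8_t *out, size_t cap)
{
    const uint16_t tags[3]  = { ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_OTHER };
    const uint16_t perms[3] = { (mode >> 6) & 7, (mode >> 3) & 7, mode & 7 };
    size_t need = 4 + 3 * 8;
    if (cap < need) return 0;
    put_le32(out, POSIX_ACL_XATTR_VERSION);
    for (int i = 0; i < 3; i++) {
        uint8_t *e = out + 4 + i * 8;
        put_le16(e, tags[i]);
        put_le16(e + 2, perms[i]);
        put_le32(e + 4, ACL_UNDEFINED_ID);   /* *_OBJ/OTHER entries carry no id */
    }
    return need;
}

/* Reference rule from inode_change_ok(): a requested mode keeps S_ISGID only if
 * the caller is in the file's owning group or has CAP_FSETID. */
mode_t expected_mode_after_chmod(mode_t requested, int in_owning_group, int has_cap_fsetid)
{
    if (!in_owning_group && !has_cap_fsetid)
        requested &= ~S_ISGID;
    return requested;
}

#ifdef __linux__
#include <sys/xattr.h>
#include <grp.h>

static int sgid_set(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) { perror("stat"); exit(1); }
    return (st.st_mode & S_ISGID) != 0;
}

int main(void)
{
    const char *path = "/tmp/sgid-acl-probe";          /* assumed scratch path */
    const uid_t uid = 65534;                            /* assumed unprivileged uid */
    const gid_t file_gid = 65533, user_gid = 65534;     /* assumed: uid not in file_gid */
    uint8_t acl[64];
    size_t len = encode_acl_from_mode(0755, acl, sizeof acl);

    if (geteuid() != 0) { fprintf(stderr, "run as root\n"); return 2; }
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0755);
    if (fd < 0 || chown(path, uid, file_gid) != 0 || chmod(path, 02755) != 0) { perror("setup"); return 1; }
    close(fd);
    /* Drop to the unprivileged identity; saved uid stays 0 so we can re-arm the bit. */
    if (setgroups(1, &user_gid) != 0 || setegid(user_gid) != 0 || seteuid(uid) != 0) { perror("drop"); return 1; }

    if (chmod(path, 02755) != 0) { perror("chmod"); return 1; }   /* path 1: chmod(2) */
    printf("after chmod(02755):  S_ISGID %s\n", sgid_set(path) ? "kept" : "cleared");

    if (seteuid(0) != 0 || chmod(path, 02755) != 0 || seteuid(uid) != 0) { perror("re-arm"); return 1; }
    if (setxattr(path, ACL_XATTR_NAME, acl, len, 0) != 0) { perror("setxattr"); return 1; }  /* path 2 */
    printf("after setxattr(ACL): S_ISGID %s\n", sgid_set(path) ? "kept (unfixed kernel)" : "cleared (fixed)");

    if (seteuid(0) == 0) unlink(path);
    return 0;
}
#endif
```

On an unfixed kernel the first line reports "cleared" and the second "kept"; with the proposed fix applied both report "cleared", since the ACL path then applies the same in_group_p()/CAP_FSETID rule before storing the mode. The probe deliberately uses an ACL that is mode-equivalent (no named users or groups) so the kernel has nothing to store beyond the mode bits and the comparison isolates the setgid handling.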
