oss-sec mailing list archives

Re: CVE request: kernel: missing capabilities in fs_mask

From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 24 Apr 2009 18:06:16 -0400 (EDT)


On Thu, 23 Apr 2009, Eugene Teo wrote:

"When POSIX capabilities were introduced during the 2.1 Linux cycle, the
fs mask, which represents the capabilities which having fsuid==0 is
supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE.
However, before capabilities the privilege to call these did in fact
depend upon fsuid==0.


How is this different than CVE-2009-1072?  That CVE is based on the same
bug report by Igor Zhbanov, although the description doesn't mention
CAP_LINUX_IMMUTABLE.

- Steve

======================================================
Name: CVE-2009-1072
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072
Reference: MLIST:[linux-kernel] 20090311 VFS, NFS security bug? Should CAP_MKNOD and CAP_LINUX_IMMUTABLE be added to 
CAP_FS_MASK?
Reference: URL:http://thread.gmane.org/gmane.linux.kernel/805280
Reference: MLIST:[oss-security] 20090323 CVE request: kernel: nfsd did not drop CAP_MKNOD for non-root
Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/23/1
Reference: 
CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=76a67ec6fb79ff3570dcb5342142c16098299911
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.9
Reference: SUSE:SUSE-SA:2009:021
Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00007.html
Reference: BID:34205
Reference: URL:http://www.securityfocus.com/bid/34205
Reference: SECUNIA:34422
Reference: URL:http://secunia.com/advisories/34422
Reference: SECUNIA:34432
Reference: URL:http://secunia.com/advisories/34432
Reference: SECUNIA:34786
Reference: URL:http://secunia.com/advisories/34786
Reference: VUPEN:ADV-2009-0802
Reference: URL:http://www.vupen.com/english/advisories/2009/0802
Reference: XF:linux-kernel-capmknod-security-bypass(49356)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49356

nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD
capability before handling a user request in a thread, which allows
local users to create device nodes, as demonstrated on a filesystem
that has been exported with the root_squash option.

Current thread:

CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 22)
- Re: CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 22)
- Re: CVE request: kernel: missing capabilities in fs_mask Steven M. Christey (Apr 24)
  - Re: CVE request: kernel: missing capabilities in fs_mask Eugene Teo (Apr 25)
    - VDBs (was Re: [oss-security] CVE request: kernel: missing capabilities in fs_mask) security curmudgeon (Apr 25)