oss-sec mailing list archives

Re: CVE request: kernel: nfsd did not drop CAP_MKNOD for non-root

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 24 Mar 2009 20:21:27 -0400 (EDT)


======================================================
Name: CVE-2009-1072
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072
Reference: MLIST:[linux-kernel] 20090311 VFS, NFS security bug? Should CAP_MKNOD and CAP_LINUX_IMMUTABLE be added to 
CAP_FS_MASK?
Reference: URL:http://thread.gmane.org/gmane.linux.kernel/805280
Reference: 
CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=76a67ec6fb79ff3570dcb5342142c16098299911
Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.9
Reference: SECUNIA:34422
Reference: URL:http://secunia.com/advisories/34422
Reference: SECUNIA:34432
Reference: URL:http://secunia.com/advisories/34432
Reference: VUPEN:ADV-2009-0802
Reference: URL:http://www.vupen.com/english/advisories/2009/0802
Reference: XF:linux-kernel-capmknod-security-bypass(49356)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49356

nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD
capability before handling a user request in a thread, which allows
local users to create device nodes, as demonstrated on a filesystem
that has been exported with the root_squash option.

Current thread:

CVE request: kernel: nfsd did not drop CAP_MKNOD for non-root Eugene Teo (Mar 22)
- Re: CVE request: kernel: nfsd did not drop CAP_MKNOD for non-root Steven M. Christey (Mar 24)