oss-sec mailing list archives
CVE request -- linux kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 26 Aug 2016 05:05:11 -0400 (EDT)
Hello,

We would like to ask for a CVE-ID for the following security flaw.

When file permissions are modified via chmod(2) and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows bypassing the check in chmod(2).

A proposed fix:
http://marc.info/?l=linux-fsdevel&m=147162313630259&w=2

Initial discussion:
http://www.spinics.net/lists/linux-fsdevel/msg98328.html

Red Hat security Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1368938

The fix is not yet accepted to the Linux kernel upstream.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
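The inconsistency described in the message above, as an added user-space model that is not part of the original post and is not kernel code. The `struct caller` type, the function names and the sample IDs are hypothetical, and `acl_mode_checked` is an assumed hardening that reuses the chmod(2) rule, not the text of the proposed fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#define PERM_BITS ((mode_t)(S_IRWXU | S_IRWXG | S_IRWXO))

/* Hypothetical stand-in for the caller's credentials. */
struct caller {
    const gid_t *groups;  /* fsgid plus supplementary groups */
    size_t ngroups;
    bool cap_fsetid;      /* models holding CAP_FSETID */
};

static bool in_group(const struct caller *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* chmod(2) rule: setgid survives only for group members or CAP_FSETID. */
mode_t chmod_mode(const struct caller *c, gid_t file_gid, mode_t requested)
{
    if (!in_group(c, file_gid) && !c->cap_fsetid)
        requested &= ~(mode_t)S_ISGID;
    return requested;
}

/* ACL path as reported: permission bits follow the ACL, setgid is kept. */
mode_t acl_mode_reported(mode_t current, mode_t acl_perms)
{
    return (current & ~PERM_BITS) | (acl_perms & PERM_BITS);
}

/* Assumed hardening: pass the ACL-derived mode through the chmod rule. */
mode_t acl_mode_checked(const struct caller *c, gid_t file_gid,
                        mode_t current, mode_t acl_perms)
{
    return chmod_mode(c, file_gid, acl_mode_reported(current, acl_perms));
}

int main(void)
{
    const gid_t groups[] = { 1000 };  /* constructed sample values */
    struct caller c = { groups, 1, false };
    printf("%04o %04o\n", (unsigned)acl_mode_reported(S_ISGID | 0755, 0775),
           (unsigned)acl_mode_checked(&c, 2000, S_ISGID | 0755, 0775));
    return 0;
}
```

For a caller outside group 2000 and without CAP_FSETID, the reported ACL path leaves the setgid bit in place where chmod(2) would have cleared it; the checked variant gives the same result as chmod(2).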