Back to bug 1368938
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Andrej Nemec | 2016-08-22 08:00:46 UTC | Depends On | 1368939 | |
| Andrej Nemec | 2016-08-22 08:04:52 UTC | Blocks | 1368940 | |
| Slawomir Czarko | 2016-08-23 15:13:08 UTC | CC | slawomir | |
| Salvatore Bonaccorso | 2016-08-26 14:51:11 UTC | CC | carnil | |
| Andrej Nemec | 2016-08-29 07:11:12 UTC | Alias | CVE-2016-7097 | |
| Andrej Nemec | 2016-08-29 07:11:28 UTC | Summary | kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit | CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit |
| Vladis Dronov | 2016-08-29 08:18:20 UTC | CC | vdronov | |
| Vladis Dronov | 2016-08-29 15:56:13 UTC | Whiteboard | impact=low,public=20160526,reported=20160819,source=redhat,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,cvss3=4.4/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-592,rhel-5/kernel=new,rhel-6/kernel=new,rhel-7/kernel=new,rhel-7/kernel-rt=new,mrg-2/realtime-kernel=new,rhelsa-7/arm-kernel=new,fedora-all/kernel=affected | impact=low,public=20160526,reported=20160819,source=redhat,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,cvss3=4.4/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-592,rhel-5/kernel=wontfix,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected |
| Vladis Dronov | 2016-08-29 17:16:15 UTC | Whiteboard | impact=low,public=20160526,reported=20160819,source=redhat,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,cvss3=4.4/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-592,rhel-5/kernel=wontfix,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected | impact=moderate,public=20160526,reported=20160819,source=redhat,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,cvss3=4.4/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-592,rhel-5/kernel=wontfix,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected |
| Vladis Dronov | 2016-08-29 17:16:34 UTC | Severity | low | medium |
| Vladis Dronov | 2016-08-29 17:16:51 UTC | Priority | low | medium |
| Vladis Dronov | 2016-08-29 17:18:51 UTC | Depends On | 1371252 | |
| Vladis Dronov | 2016-08-29 17:19:01 UTC | Depends On | 1371253 | |
| Vladis Dronov | 2016-08-29 17:19:11 UTC | Depends On | 1371254 | |
| Vladis Dronov | 2016-08-29 17:19:18 UTC | Depends On | 1371255 | |
| Vladis Dronov | 2016-08-29 17:19:27 UTC | Depends On | 1371256 | |
| Vladis Dronov | 2016-08-29 17:35:51 UTC | Doc Text | A vulnerability was found in the Linux kernel. When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod. | |
| | | Doc Type | If docs needed, set a value | Bug Fix |
| John Skeoch | 2016-10-04 04:18:26 UTC | CC | pholasek | |
| Martin Prpič | 2017-03-20 09:46:39 UTC | Doc Text | A vulnerability was found in the Linux kernel. When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod. | It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications. |
| PnT Account Manager | 2018-02-07 23:18:17 UTC | CC | agordeev | |
| PnT Account Manager | 2018-07-19 06:20:11 UTC | CC | mguzik | |
| PnT Account Manager | 2018-08-28 22:08:13 UTC | CC | lwang | |
| Eric Sammons | 2019-02-08 14:57:04 UTC | CC | esammons | |
| Product Security DevOps Team | 2019-06-08 02:57:34 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2019-06-08 02:57:34 UTC | |
| Product Security DevOps Team | 2019-09-29 13:55:15 UTC | Whiteboard | impact=moderate,public=20160526,reported=20160819,source=redhat,cvss2=3.3/AV:L/AC:M/Au:N/C:P/I:P/A:N,cvss3=4.4/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-592,rhel-5/kernel=wontfix,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected | |