Bug 1599161 (CVE-2018-13405)
| Summary: | CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abhgupta, airlied, aquini, bhu, blc, bskeggs, dbaker, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, plougher, rt-maint, rvrbovsk, skozina, slawomir, steved, sthangav, trankin, vdronov, williams, yozone, zhao |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:32:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1599162, 1599163, 1600951, 1600952, 1600953, 1600954, 1600955, 1600956, 1600957, 1600958, 1725179, 1725180, 1727386, 1727387, 1730052, 1730053 | ||
| Bug Blocks: | 1599165 | ||
|
Description
Sam Fowler
2018-07-09 05:50:44 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1599162] Note: The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory has SGID bit set and belongs to a certain group and is writable by a user who is not a member of this group. In such a case a directory group non-member user can create a plain file whose group ownership is of that group and with group execution and SGID permission bits set. This can lead to excessive permissions granted in case when they should not. The intended behavior is that the non-member user can trigger creation of a directory with group execution and SGID permission bits set whose group ownership is of that group, but not a plain file. The above is true for filesystems using fs/inode.c:inode_init_owner() function from the VFS code, like EXT4 and tmpfs filesystems. Some other filesystems may not be using this code. For example, the XFS filesystem is a special case here, it does not use fs/inode.c:inode_init_owner(), but uses its own fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter: [https://www.kernel.org/doc/Documentation/filesystems/xfs.txt] fs.xfs.irix_sgid_inherit (Min: 0 Default: 0 Max: 1) Controls files created in SGID directories. If the group ID of the new file does not match the effective group ID or one of the supplementary group IDs of the parent dir, the ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl is set. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:0717 https://access.redhat.com/errata/RHSA-2019:0717 This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:2476 https://access.redhat.com/errata/RHSA-2019:2476 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:2566 https://access.redhat.com/errata/RHSA-2019:2566 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696 This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Telco Extended Update Support Red Hat Enterprise Linux 7.2 Advanced Update Support Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions Via RHSA-2019:4164 https://access.redhat.com/errata/RHSA-2019:4164 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Telco Extended Update Support Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Via RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2019:4159 |