Bug 463661 (CVE-2008-4210)

Summary: CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new file's group
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: buckh, caiqian, dhoward, esandeen, jpirko, lwang, peterm, pstyles, vgoyal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20070502,reported=20080924,source=kernelbugzilla
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 12:41:49 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 463682, 463683, 463684, 463685, 463686, 463687, 463865, 463867    
Bug Blocks:    
Attachments:
Description Flags
Reproducer (public) none

Description Eugene Teo (Security Response) 2008-09-24 01:40:37 EDT
Description of problem:
When creating a file, open()/creat() allows the setgid bit to be set via the mode argument even when, due to the bsdgroups mount option or the file being created in a setgid directory, the new file's group is one which the user is not a member of.  The user can then use ftruncate() and memory-mapped I/O to turn the new file into an arbitrary binary and thus gain the privileges of this group, since these operations do not clear the setgid bit.
Comment 1 Eugene Teo (Security Response) 2008-09-24 02:06:59 EDT
Reference:
http://bugzilla.kernel.org/show_bug.cgi?id=8420
Comment 2 Eugene Teo (Security Response) 2008-09-24 02:13:00 EDT
Created attachment 317560 [details]
Reproducer (public)
Comment 8 Eugene Teo (Security Response) 2008-09-24 06:37:04 EDT
Additional references:
http://article.gmane.org/gmane.comp.security.oss.general/974
Comment 13 Eugene Teo (Security Response) 2008-09-26 00:02:39 EDT
(In reply to comment #7)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7b82dc0e64e93f430182f36b46b79fcee87d3532

This should include commit 01de85e057328ecbef36e108673b1e81059d54c1 as well.
Comment 18 Eugene Teo (Security Response) 2008-10-06 21:14:28 EDT
http://marc.info/?l=linux-kernel&m=101812479210977&w=2
Comment 21 Buck Huppmann 2008-11-12 17:44:04 EST
is there a RHSA coming for this for RH 4, a la

http://www.redhat.com/support/errata/RHSA-2008-0957.html
Comment 24 Vincent Danen 2010-12-21 12:41:49 EST
This was addressed via:

Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 5 (RHSA-2008:0957)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)