Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1095855 - (CVE-2014-3215) CVE-2014-3215 policycoreutils: local privilege escalation via seunshare
CVE-2014-3215 policycoreutils: local privilege escalation via seunshare
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20121208,repo...
: Security
Depends On: 1104546 1104547 1104548 1104549 1104551 1104552 1104567 1104568
Blocks: 1095856
  Show dependency treegraph
 
Reported: 2014-05-08 12:39 EDT by Vincent Danen
Modified: 2017-06-29 05:25 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid() system call, among others, also sets the saved set-user-ID when dropping the binaries' process privileges, could allow a local, unprivileged user to potentially escalate their privileges on the system. Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-29 05:25:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0864 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-04-21 15:00:52 EDT

  None (edit)
Description Vincent Danen 2014-05-08 12:39:41 EDT 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3215 to
the following vulnerability:

Name: CVE-2014-3215
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
Assigned: 20140503
Reference: http://openwall.com/lists/oss-security/2014/04/29/7
Reference: http://openwall.com/lists/oss-security/2014/04/30/4
Reference: http://openwall.com/lists/oss-security/2014/05/08/1

seunshare in policycoreutils 2.2.5 is owned by root with 4755
permissions, and executes programs in a way that changes the
relationship between the setuid system call and the getresuid saved
set-user-ID value, which makes it easier for local users to gain
privileges by leveraging a program that mistakenly expected that it
could permanently drop privileges.


Note this was originally reported by Andy Lutomirski in bug #885288 (also see bug #1035427 (and its attached patch, which is for libcap-ng)).
Comment 16 Petr Matousek 2015-04-21 07:57:24 EDT 
Acknowledgements:

Red Hat would like to thank Andy Lutomirski for reporting this issue.
Comment 18 errata-xmlrpc 2015-04-21 11:01:14 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0864 https://rhn.redhat.com/errata/RHSA-2015-0864.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.