Bug 1214030 (CVE-2015-3339) - CVE-2015-3339 kernel: race condition between chown() and execve()
Summary: CVE-2015-3339 kernel: race condition between chown() and execve()
Status: CLOSED ERRATA
Alias: CVE-2015-3339
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150420,repor...
Keywords: Security
Depends On: 1216267 1216268 1216269 1216270 1216307 1216308 1217698 1218641 1218643
Blocks: 1214031
TreeView+ depends on / blocked
 
Reported: 2015-04-21 19:10 UTC by Martin Prpič
Modified: 2017-08-10 05:52 UTC (History)
35 users (show)

(edit)
A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system.
Clone Of:
(edit)
Last Closed: 2017-08-10 05:52:51 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1272 normal SHIPPED_LIVE Moderate: kernel security, bug fix, and enhancement update 2015-07-22 11:56:25 UTC
Red Hat Product Errata RHSA-2015:2152 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2015-11-20 00:56:02 UTC
Red Hat Product Errata RHSA-2015:2411 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2015-11-19 11:24:06 UTC

Description Martin Prpič 2015-04-21 19:10:44 UTC
A race condition flaw was found between the chown() and execve() system calls. When changing the owner of a setuid-user binary to root, the race condition could momentarily make the binary setuid root. When root chown()ed an attacker-owned setuid file to root, the file briefly was setuid root (and executable as such).

An attacker could take advantage of this small window and execute a setuid binary with elevated privileges.

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543

Additional details:

http://seclists.org/oss-sec/2015/q2/216

Comment 1 Josh Boyer 2015-04-24 16:50:36 UTC
I went ahead and backported this to Fedora.  All branches are fixed in git.

Comment 2 Wade Mealing 2015-04-27 00:53:41 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 7 and MRG-2. This issue is not currently planned to be addressed in future Red Hat Enterprise Linux 5 kernel updates.  Future Linux kernel updates for other releases may address this issue.

For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 11 Fedora Update System 2015-05-03 17:22:37 UTC
kernel-4.0.1-300.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-05-12 20:41:00 UTC
kernel-3.19.7-200.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-05-26 03:56:05 UTC
kernel-3.19.8-100.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2015-07-22 08:48:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1272 https://rhn.redhat.com/errata/RHSA-2015-1272.html

Comment 16 errata-xmlrpc 2015-11-19 13:18:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2411 https://rhn.redhat.com/errata/RHSA-2015-2411.html

Comment 17 errata-xmlrpc 2015-11-19 22:09:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2152 https://rhn.redhat.com/errata/RHSA-2015-2152.html

Comment 18 errata-xmlrpc 2015-11-19 23:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2152 https://rhn.redhat.com/errata/RHSA-2015-2152.html


Note You need to log in before you can comment on or make changes to this bug.