A race condition flaw was found between the chown() and execve() system calls. When changing the owner of a setuid-user binary to root, the race condition could momentarily make the binary setuid root. When root chown()ed an attacker-owned setuid file to root, the file briefly was setuid root (and executable as such). An attacker could take advantage of this small window and execute a setuid binary with elevated privileges. Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 Additional details: http://seclists.org/oss-sec/2015/q2/216
I went ahead and backported this to Fedora. All branches are fixed in git.
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 7 and MRG-2. This issue is not currently planned to be addressed in future Red Hat Enterprise Linux 5 kernel updates. Future Linux kernel updates for other releases may address this issue. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
kernel-4.0.1-300.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.19.7-200.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.19.8-100.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1272 https://rhn.redhat.com/errata/RHSA-2015-1272.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2411 https://rhn.redhat.com/errata/RHSA-2015-2411.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2152 https://rhn.redhat.com/errata/RHSA-2015-2152.html