Bug 1599161 (CVE-2018-13405) - CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-13405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1599162 1599163 1600951 1600952 1600953 1600954 1600955 1600956 1600957 1600958 1725179 1725180 1727386 1727387 1730052 1730053
Blocks: 1599165
 
Reported: 2018-07-09 05:50 UTC by Sam Fowler
Modified: 2023-02-02 10:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:32:05 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2948 0 None None None 2018-10-30 09:04:02 UTC
Red Hat Product Errata RHSA-2018:3083 0 None None None 2018-10-30 07:35:30 UTC
Red Hat Product Errata RHSA-2018:3096 0 None None None 2018-10-30 07:41:41 UTC
Red Hat Product Errata RHSA-2019:0717 0 None None None 2019-04-09 13:34:48 UTC
Red Hat Product Errata RHSA-2019:2476 0 None None None 2019-08-13 17:43:27 UTC
Red Hat Product Errata RHSA-2019:2566 0 None None None 2019-08-27 11:06:58 UTC
Red Hat Product Errata RHSA-2019:2696 0 None None None 2019-09-10 13:46:06 UTC
Red Hat Product Errata RHSA-2019:2730 0 None None None 2019-09-11 09:09:18 UTC
Red Hat Product Errata RHSA-2019:4159 0 None None None 2019-12-10 11:58:33 UTC
Red Hat Product Errata RHSA-2019:4164 0 None None None 2019-12-10 11:52:15 UTC

Description Sam Fowler 2018-07-09 05:50:44 UTC
The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not.

References:

http://seclists.org/oss-sec/2018/q3/35

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Comment 1 Sam Fowler 2018-07-09 05:51:54 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1599162]

Comment 7 Vladis Dronov 2018-07-13 13:14:35 UTC
Note:

The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory has SGID bit set and belongs to a certain group and is writable by a user who is not a member of this group.

In such a case a directory group non-member user can create a plain file whose group ownership is of that group and with group execution and SGID permission bits set. This can lead to excessive permissions granted in case when they should not.

The intended behavior is that the non-member user can trigger creation of a directory with group execution and SGID permission bits set whose group ownership is of that group, but not a plain file.

The above is true for filesystems using the fs/inode.c:inode_init_owner() function from the VFS code, like the EXT4 and tmpfs filesystems. Some other filesystems may not be using this code. For example, the XFS filesystem is a special case here: it does not use fs/inode.c:inode_init_owner(), but uses its own fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter:

[https://www.kernel.org/doc/Documentation/filesystems/xfs.txt]
fs.xfs.irix_sgid_inherit (Min: 0  Default: 0  Max: 1)
  Controls files created in SGID directories.
  If the group ID of the new file does not match the effective group
  ID or one of the supplementary group IDs of the parent dir, the
  ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl
  is set.

Comment 8 errata-xmlrpc 2018-10-30 07:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083

Comment 9 errata-xmlrpc 2018-10-30 07:41:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096

Comment 10 errata-xmlrpc 2018-10-30 09:03:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948

Comment 11 errata-xmlrpc 2019-04-09 13:34:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:0717 https://access.redhat.com/errata/RHSA-2019:0717

Comment 14 errata-xmlrpc 2019-08-13 17:43:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:2476 https://access.redhat.com/errata/RHSA-2019:2476

Comment 16 errata-xmlrpc 2019-08-27 11:06:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2566 https://access.redhat.com/errata/RHSA-2019:2566

Comment 17 errata-xmlrpc 2019-09-10 13:46:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696

Comment 18 errata-xmlrpc 2019-09-11 09:09:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730

Comment 20 errata-xmlrpc 2019-12-10 11:52:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:4164 https://access.redhat.com/errata/RHSA-2019:4164

Comment 21 errata-xmlrpc 2019-12-10 11:58:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:4159 https://access.redhat.com/errata/RHSA-2019:4159

