Bug 463661 (CVE-2008-4210) - CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new file's group
Summary: CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new f...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 463682 463683 463684 463685 463686 463687 463865 463867
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-24 05:40 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:26 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 17:41:49 UTC
Embargoed:


Attachments (Terms of Use)
Reproducer (public) (219 bytes, application/octet-stream)
2008-09-24 06:13 UTC, Eugene Teo (Security Response)
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0787 0 normal SHIPPED_LIVE Important: kernel security update 2009-01-05 07:08:54 UTC
Red Hat Product Errata RHSA-2008:0957 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-11-12 09:34:44 UTC
Red Hat Product Errata RHSA-2008:0972 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-11-19 13:44:42 UTC
Red Hat Product Errata RHSA-2008:0973 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-12-17 03:18:50 UTC
Red Hat Product Errata RHSA-2009:0001 0 normal SHIPPED_LIVE Important: kernel security update 2009-01-08 15:47:52 UTC

Description Eugene Teo (Security Response) 2008-09-24 05:40:37 UTC
Description of problem:
When creating a file, open()/creat() allows the setgid bit to be set via the mode argument even when, due to the bsdgroups mount option or the file being created in a setgid directory, the new file's group is one which the user is not a member of.  The user can then use ftruncate() and memory-mapped I/O to turn the new file into an arbitrary binary and thus gain the privileges of this group, since these operations do not clear the setgid bit.

Comment 1 Eugene Teo (Security Response) 2008-09-24 06:06:59 UTC
Reference:
http://bugzilla.kernel.org/show_bug.cgi?id=8420

Comment 2 Eugene Teo (Security Response) 2008-09-24 06:13:00 UTC
Created attachment 317560 [details]
Reproducer (public)

Comment 8 Eugene Teo (Security Response) 2008-09-24 10:37:04 UTC
Additional references:
http://article.gmane.org/gmane.comp.security.oss.general/974

Comment 13 Eugene Teo (Security Response) 2008-09-26 04:02:39 UTC
(In reply to comment #7)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7b82dc0e64e93f430182f36b46b79fcee87d3532

This should include commit 01de85e057328ecbef36e108673b1e81059d54c1 as well.

Comment 18 Eugene Teo (Security Response) 2008-10-07 01:14:28 UTC
http://marc.info/?l=linux-kernel&m=101812479210977&w=2

Comment 21 Buck Huppmann 2008-11-12 22:44:04 UTC
is there a RHSA coming for this for RH 4, a la

http://www.redhat.com/support/errata/RHSA-2008-0957.html

Comment 24 Vincent Danen 2010-12-21 17:41:49 UTC
This was addressed via:

Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 5 (RHSA-2008:0957)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)


Note You need to log in before you can comment on or make changes to this bug.