806722 – (CVE-2012-2123) CVE-2012-2123 kernel: fcaps: clear the same personality flags as suid when fcaps are used

Bug 806722 (CVE-2012-2123) - CVE-2012-2123 kernel: fcaps: clear the same personality flags as suid when fcaps are used

Summary: CVE-2012-2123 kernel: fcaps: clear the same personality flags as suid when fc...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-2123
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	806725 806726 806727 814522 814523
Blocks:	806718
TreeView+	depends on / blocked

Reported:	2012-03-26 05:16 UTC by Eugene Teo (Security Response)
Modified:	2021-02-24 12:50 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-04-05 08:03:05 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:0670	0	normal	SHIPPED_LIVE	Important: kernel-rt security and bug fix update	2012-05-16 00:14:03 UTC
Red Hat Product Errata	RHSA-2012:0743	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2012-06-18 17:32:36 UTC

Comment 13 Eugene Teo (Security Response) 2012-04-20 04:41:48 UTC

Reported by Steve Grubb, if a process increases permissions using fcaps all of the dangerous personality flags which are cleared for suid apps should also be cleared. Thus for example programs given privilege with fcaps will continue to have address space randomization enabled even if the parent tried to disable it to make it easier to attack.

Comment 14 Eugene Teo (Security Response) 2012-04-20 04:48:10 UTC

Upstream commit:
http://git.kernel.org/linus/d52fc5dde171f030170a6cb78034d166b13c9445

Comment 15 Eugene Teo (Security Response) 2012-04-20 04:51:19 UTC

Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, and 5. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0670.html. This has been addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2012-0743.html.

Comment 16 Eugene Teo (Security Response) 2012-04-20 04:52:51 UTC

Also from Steve, AFAIK, there are no packages we ship on RHEL6 that use file system based capabilities because rpm lacked the support at the time. But rpm might get upgraded and some package from Fedora becomes a RHEL6 rebase and then we have the problem. Or maybe the software stacks pulls one in. But we still want to fix it.

Fedora 15 is where we started shipping packages that take advantage of the file
system based capabilities. And since RHEL7-alpha is an import of F16/17, it
certainly has the issue.

Comment 18 Eugene Teo (Security Response) 2012-04-20 04:59:06 UTC

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 814523]

Comment 19 Kurt Seifried 2012-04-20 04:59:37 UTC

Added CVE as per http://www.openwall.com/lists/oss-security/2012/04/20/6

Comment 20 Josh Boyer 2012-04-20 12:17:09 UTC

(In reply to comment #14)
> Upstream commit:
> http://git.kernel.org/linus/d52fc5dde171f030170a6cb78034d166b13c9445

You probably also want:

http://git.kernel.org/linus/51b79bee627d526199b2f6a6bef8ee0c0739b6d1

to fix a non-x86 build error.

Comment 21 Fedora Update System 2012-04-24 04:30:00 UTC

kernel-3.3.2-8.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2012-04-24 14:54:34 UTC

kernel-3.3.2-6.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-04-26 03:29:26 UTC

kernel-2.6.43.2-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 errata-xmlrpc 2012-05-15 22:59:28 UTC

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0670 https://rhn.redhat.com/errata/RHSA-2012-0670.html

Comment 29 errata-xmlrpc 2012-06-18 13:33:53 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html

Note You need to log in before you can comment on or make changes to this bug.