Bug 1599161 - (CVE-2018-13405) CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
impact=important,public=20180705,repo...
: Security
Depends On: 1600951 1600956 1599162 1599163 1600952 1600953 1600954 1600955 1600957 1600958
Blocks: 1599165
Reported: 2018-07-09 01:50 EDT by Sam Fowler
Modified: 2018-10-30 05:04 EDT

Doc Text:
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be.
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2948 None None None 2018-10-30 05:04 EDT
Red Hat Product Errata RHSA-2018:3083 None None None 2018-10-30 03:35 EDT
Red Hat Product Errata RHSA-2018:3096 None None None 2018-10-30 03:41 EDT

Description Sam Fowler 2018-07-09 01:50:44 EDT
The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be.

References:

http://seclists.org/oss-sec/2018/q3/35

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
Comment 1 Sam Fowler 2018-07-09 01:51:54 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1599162]
Comment 7 Vladis Dronov 2018-07-13 09:14:35 EDT
Note:

The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory has SGID bit set and belongs to a certain group and is writable by a user who is not a member of this group.

In such a case a directory group non-member user can create a plain file whose group ownership is of that group and with group execution and SGID permission bits set. This can lead to excessive permissions being granted when they should not be.

The intended behavior is that the non-member user can trigger creation of a directory with group execution and SGID permission bits set whose group ownership is of that group, but not a plain file.

The above is true for filesystems using the fs/inode.c:inode_init_owner() function from the VFS code, like the EXT4 and tmpfs filesystems. Some other filesystems may not be using this code. For example, the XFS filesystem is a special case here: it does not use fs/inode.c:inode_init_owner(), but uses its own fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter:

[https://www.kernel.org/doc/Documentation/filesystems/xfs.txt]
fs.xfs.irix_sgid_inherit (Min: 0  Default: 0  Max: 1)
  Controls files created in SGID directories.
  If the group ID of the new file does not match the effective group
  ID or one of the supplementary group IDs of the parent dir, the
  ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl
  is set.
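
Added example (not part of any comment in this bug and not the kernel's code): a userspace model of the group and mode decision that comment 7 describes, with the reported behaviour and the intended behaviour side by side. The struct and function names, the sample uid/gid values and the exemption flag for privileged callers are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical userspace model; these names are not kernel symbols. */
struct creator {
    gid_t fsgid;          /* caller's filesystem gid */
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
    bool cap_fsetid;      /* assumption: privileged callers are exempt */
};
struct new_inode { gid_t gid; mode_t mode; };

static bool in_group(const struct creator *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return c->fsgid == gid;
}

/* fixed=false: behaviour reported in this bug; fixed=true: intended behaviour. */
static struct new_inode model_init_owner(const struct creator *c, mode_t dir_mode,
                                         gid_t dir_gid, bool is_dir, mode_t mode,
                                         bool fixed)
{
    struct new_inode n = { c->fsgid, mode };
    if (dir_mode & S_ISGID) {
        n.gid = dir_gid;            /* group comes from the SGID directory */
        if (is_dir)
            n.mode |= S_ISGID;      /* directories always inherit SGID */
        else if (fixed && (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
                 !in_group(c, dir_gid) && !c->cap_fsetid)
            n.mode &= ~S_ISGID;     /* non-member: drop SGID on plain files */
    }
    return n;
}

int main(void)
{
    const struct creator outsider = { 1000, NULL, 0, false };  /* constructed */
    mode_t dir = S_ISGID | 0777, req = S_ISGID | 0775;
    struct new_inode a = model_init_owner(&outsider, dir, 50, false, req, false);
    struct new_inode b = model_init_owner(&outsider, dir, 50, false, req, true);
    printf("before fix: gid=%u mode=%04o\nafter fix:  gid=%u mode=%04o\n",
           (unsigned)a.gid, (unsigned)a.mode, (unsigned)b.gid, (unsigned)b.mode);
    return 0;
}
```

In both cases the new file takes the directory's group; only the SGID bit on a plain file created by a non-member differs between the two behaviours.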
Comment 8 errata-xmlrpc 2018-10-30 03:35:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083
Comment 9 errata-xmlrpc 2018-10-30 03:41:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096
Comment 10 errata-xmlrpc 2018-10-30 05:03:41 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
