From: Eugene Teo <eteo-H+wXaHxf7aLQT0dZR+AlfA <at> public.gmane.org>
Subject: CVE request: kernel: open() call allows setgid bit when user is not in new file's group
Newsgroups: gmane.comp.security.oss.general
Date: Wednesday 24th September 2008 10:35:12 UTC (over 8 years ago)
This was committed in the upstream kernel; reported by David Watson.

"When creating a file, open()/creat() allows the setgid bit to be set
via the mode argument even when, due to the bsdgroups mount option or
the file being created in a setgid directory, the new file's group is
one which the user is not a member of.  The user can then use
ftruncate() and memory-mapped I/O to turn the new file into an arbitrary
binary and thus gain the privileges of this group, since these
operations do not clear the setgid bit."

This bug could lead to a possible privileged information disclosure.

Upstream commit:
7b82dc0e64e93f430182f36b46b79fcee87d3532

References:
http://bugzilla.kernel.org/show_bug.cgi?id=8420
https://bugzilla.redhat.com/show_bug.cgi?id=463661

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
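
An audit sketch for the condition quoted in the report, added here as an example (it is not code from the message, the kernel, or Red Hat): it flags regular files that are setgid and group-executable while their group is not one the owning user belongs to. The names `setgid_mismatch` and `audit_path`, the 256-group limit, and the choice to skip root-owned files are assumptions of this example.

```c
#define _GNU_SOURCE            /* getgrouplist(), lstat() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MAX_GROUPS 256         /* assumed upper bound on an owner's group list */

/* Pure check: 1 if a regular file is setgid + group-executable and its
 * group is not among the owner's groups, else 0. */
int setgid_mismatch(mode_t mode, gid_t file_gid, const gid_t *owner_groups, int n)
{
    /* setgid without group-execute is the Linux mandatory-locking marker,
     * not a setgid executable, so it is not reported. */
    if (!S_ISREG(mode) || !(mode & S_ISGID) || !(mode & S_IXGRP))
        return 0;
    for (int i = 0; i < n; i++)
        if (owner_groups[i] == file_gid)
            return 0;
    return 1;
}

/* Returns 1 if the path is flagged, 0 if not, -1 if it cannot be examined. */
int audit_path(const char *path)
{
    struct stat st;
    gid_t groups[MAX_GROUPS];
    int n = MAX_GROUPS;

    if (lstat(path, &st) != 0) { perror(path); return -1; }
    if (st.st_uid == 0)
        return 0;              /* assumption: root may assign any group legitimately */
    struct passwd *pw = getpwuid(st.st_uid);
    if (!pw)
        n = 0;                 /* unknown owner: no memberships can be confirmed */
    else if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) < 0)
        n = MAX_GROUPS;        /* list truncated; check the part that was filled */
    return setgid_mismatch(st.st_mode, st.st_gid, groups, n);
}

int main(int argc, char **argv)
{
    int hits = 0;
    for (int i = 1; i < argc; i++)
        if (audit_path(argv[i]) == 1) {
            printf("setgid, group not held by owner: %s\n", argv[i]);
            hits++;
        }
    return hits ? 1 : 0;
}
```

Candidate paths can be supplied with `find <dir> -xdev -type f -perm -2000 -print0 | xargs -0 ./audit`. Membership is evaluated as of the time of the scan, so a hit is a lead to review rather than proof that the file was created through this bug.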