CVE-2018-13405 CrOS: Vulnerability reported in Linux kernel |
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-13405
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-13405
CVSS severity score: 4.6/10.0

Description: The inode_init_owner function in fs/inode.c in the Linux kernel through 4.17.4 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

This bug was filed by http://go/vomit. Please contact us at vomit-team@google.com if you need any assistance.
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/134696a47ec6dba6f9ec47fee817791325f3960d

commit 134696a47ec6dba6f9ec47fee817791325f3960d
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Aug 31 12:23:43 2018

UPSTREAM: Fix up non-directory creation in SGID directories

commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream.

sgid directories have special semantics, making newly created files in the directory belong to the group of the directory, and newly created subdirectories will also become sgid. This is historically used for group-shared directories.

But group directories writable by non-group members should not imply that such non-group members can magically join the group, so make sure to clear the sgid bit on non-directories for non-members (but remember that sgid without group execute means "mandatory locking", just to confuse things even more).

BUG=chromium:878735
TEST=None

Change-Id: Icc262aa17c9308881bab20f558c17e156b8d32f6
Reported-by: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c5f2c5be9d1787a7bde81186d093be54c0caeb34 from linux-3.18.y)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1195035

[modify] https://crrev.com/134696a47ec6dba6f9ec47fee817791325f3960d/fs/inode.c
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by zsm@google.com, Aug 29
Labels: Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit is 0fa3ecd878 ("Fix up non-directory creation in SGID directories"). This commit is present in v4.14 and v4.4. The patch is present in 3.18.y as well, I'll pull it down to v3.18.