Fix for CVE-2016-7097 missing from linux-4.1.y

Fix for CVE-2016-7097 missing from linux-4.1.y

[Josh Hunt]

Hi Jan

You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit 
when setting file permissions") which has been identified to resolve 
CVE-2016-7097, but is missing from linux-4.1.y.

If you believe this commit should be part of linux-4.1.y can you please 
reply with your approval for its inclusion?

Thanks!
Josh

P.S.: This is my first attempt at trying to make sure all known CVE 
fixes are in the stable kernels. After a discussion with Sasha at 
Plumbers I'd like to start doing this on a regular basis. Any feedback 
here is welcome.

---
Full list of CVEs associated with 4.1.y can be found here:
http://joshuahunt.github.io/cve-tracker/linux-4.1.y-stable-cve-list.html

Re: Fix for CVE-2016-7097 missing from linux-4.1.y

[Jan Kara]

Hi!

On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> setting file permissions") which has been identified to resolve
> CVE-2016-7097, but is missing from linux-4.1.y.
> 
> If you believe this commit should be part of linux-4.1.y can you please
> reply with your approval for its inclusion?

Yes, the problem exists all the way back, I belive since ACLs were
introduced. Definitely exists in 3.0 which is the oldest version I've
checked. The patch may need some massaging to apply which is why it didn't
get into 4.1 I assume. And the backport will need a review because all
filesystems supporting ACLs need to be handled where frankly I'm not quite
sure the bug-severity / effort is worth it.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Re: Fix for CVE-2016-7097 missing from linux-4.1.y

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
> Hi!
> 
> On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> > You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> > setting file permissions") which has been identified to resolve
> > CVE-2016-7097, but is missing from linux-4.1.y.
> > 
> > If you believe this commit should be part of linux-4.1.y can you please
> > reply with your approval for its inclusion?
> 
> Yes, the problem exists all the way back, I belive since ACLs were
> introduced. Definitely exists in 3.0 which is the oldest version I've
> checked. The patch may need some massaging to apply which is why it didn't
> get into 4.1 I assume. And the backport will need a review because all
> filesystems supporting ACLs need to be handled where frankly I'm not quite
> sure the bug-severity / effort is worth it.

I've attempted backports to 3.2 and 3.16, and will send those out for
review in the next few days.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: Fix for CVE-2016-7097 missing from linux-4.1.y

[Josh Hunt]

On 11/11/2016 09:03 PM, Ben Hutchings wrote:
> On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
>> Hi!
>>
>> On Thu 10-11-16 16:59:17, Josh Hunt wrote:
>>> You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
>>> setting file permissions") which has been identified to resolve
>>> CVE-2016-7097, but is missing from linux-4.1.y.
>>>
>>> If you believe this commit should be part of linux-4.1.y can you please
>>> reply with your approval for its inclusion?
>>
>> Yes, the problem exists all the way back, I belive since ACLs were
>> introduced. Definitely exists in 3.0 which is the oldest version I've
>> checked. The patch may need some massaging to apply which is why it didn't
>> get into 4.1 I assume. And the backport will need a review because all
>> filesystems supporting ACLs need to be handled where frankly I'm not quite
>> sure the bug-severity / effort is worth it.
>
> I've attempted backports to 3.2 and 3.16, and will send those out for
> review in the next few days.
>
> Ben.

Jan/Ben

Thanks for following up on this.

Ben - I'll be on the lookout for those backports.

Thanks!
Josh

Re: Fix for CVE-2016-7097 missing from linux-4.1.y

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1513 bytes --]

On Wed, 2016-11-16 at 11:56 -0600, Josh Hunt wrote:
> On 11/11/2016 09:03 PM, Ben Hutchings wrote:
> > On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
> > > Hi!
> > > 
> > > On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> > > > You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> > > > setting file permissions") which has been identified to resolve
> > > > CVE-2016-7097, but is missing from linux-4.1.y.
> > > > 
> > > > If you believe this commit should be part of linux-4.1.y can you please
> > > > reply with your approval for its inclusion?
> > > 
> > > Yes, the problem exists all the way back, I belive since ACLs were
> > > introduced. Definitely exists in 3.0 which is the oldest version I've
> > > checked. The patch may need some massaging to apply which is why it didn't
> > > get into 4.1 I assume. And the backport will need a review because all
> > > filesystems supporting ACLs need to be handled where frankly I'm not quite
> > > sure the bug-severity / effort is worth it.
> > 
> > I've attempted backports to 3.2 and 3.16, and will send those out for
> > review in the next few days.
> > 
> > Ben.
> 
> Jan/Ben
> 
> Thanks for following up on this.
> 
> Ben - I'll be on the lookout for those backports.

Here they are:

https://marc.info/?l=linux-kernel&m=147908961924568
https://marc.info/?l=linux-kernel&m=147909400125559

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at
once.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]