On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote: > Hi! > > On Thu 10-11-16 16:59:17, Josh Hunt wrote: > > You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when > > setting file permissions") which has been identified to resolve > > CVE-2016-7097, but is missing from linux-4.1.y. > > > > If you believe this commit should be part of linux-4.1.y can you please > > reply with your approval for its inclusion? > > Yes, the problem exists all the way back, I belive since ACLs were > introduced. Definitely exists in 3.0 which is the oldest version I've > checked. The patch may need some massaging to apply which is why it didn't > get into 4.1 I assume. And the backport will need a review because all > filesystems supporting ACLs need to be handled where frankly I'm not quite > sure the bug-severity / effort is worth it. I've attempted backports to 3.2 and 3.16, and will send those out for review in the next few days. Ben. -- Ben Hutchings If you seem to know what you are doing, you'll be given more to do.
Attachment:
signature.asc
Description: This is a digitally signed message part