On 11/11/2016 09:03 PM, Ben Hutchings wrote:
On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
Hi!
On Thu 10-11-16 16:59:17, Josh Hunt wrote:
You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
setting file permissions") which has been identified to resolve
CVE-2016-7097, but is missing from linux-4.1.y.
If you believe this commit should be part of linux-4.1.y can you please
reply with your approval for its inclusion?
Yes, the problem exists all the way back, I belive since ACLs were
introduced. Definitely exists in 3.0 which is the oldest version I've
checked. The patch may need some massaging to apply which is why it didn't
get into 4.1 I assume. And the backport will need a review because all
filesystems supporting ACLs need to be handled where frankly I'm not quite
sure the bug-severity / effort is worth it.
I've attempted backports to 3.2 and 3.16, and will send those out for
review in the next few days.
Ben.
Jan/Ben
Thanks for following up on this.
Ben - I'll be on the lookout for those backports.
Thanks!
Josh
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html