On Wed, 2016-11-16 at 11:56 -0600, Josh Hunt wrote:
> On 11/11/2016 09:03 PM, Ben Hutchings wrote:
> > On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
> > > Hi!
> > >
> > > On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> > > > You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> > > > setting file permissions") which has been identified to resolve
> > > > CVE-2016-7097, but is missing from linux-4.1.y.
> > > >
> > > > If you believe this commit should be part of linux-4.1.y can you please
> > > > reply with your approval for its inclusion?
> > >
> > > Yes, the problem exists all the way back, I belive since ACLs were
> > > introduced. Definitely exists in 3.0 which is the oldest version I've
> > > checked. The patch may need some massaging to apply which is why it didn't
> > > get into 4.1 I assume. And the backport will need a review because all
> > > filesystems supporting ACLs need to be handled where frankly I'm not quite
> > > sure the bug-severity / effort is worth it.
> >
> > I've attempted backports to 3.2 and 3.16, and will send those out for
> > review in the next few days.
> >
> > Ben.
>
> Jan/Ben
>
> Thanks for following up on this.
>
> Ben - I'll be on the lookout for those backports.
Here they are:
https://marc.info/?l=linux-kernel&m=147908961924568
https://marc.info/?l=linux-kernel&m=147909400125559
Ben.
--
Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at
once.
Attachment:
signature.asc
Description: This is a digitally signed message part