Re: Fix for CVE-2016-7097 missing from linux-4.1.y

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2016-11-16 at 11:56 -0600, Josh Hunt wrote:
> On 11/11/2016 09:03 PM, Ben Hutchings wrote:
> > On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
> > > Hi!
> > > 
> > > On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> > > > You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> > > > setting file permissions") which has been identified to resolve
> > > > CVE-2016-7097, but is missing from linux-4.1.y.
> > > > 
> > > > If you believe this commit should be part of linux-4.1.y can you please
> > > > reply with your approval for its inclusion?
> > > 
> > > Yes, the problem exists all the way back, I belive since ACLs were
> > > introduced. Definitely exists in 3.0 which is the oldest version I've
> > > checked. The patch may need some massaging to apply which is why it didn't
> > > get into 4.1 I assume. And the backport will need a review because all
> > > filesystems supporting ACLs need to be handled where frankly I'm not quite
> > > sure the bug-severity / effort is worth it.
> > 
> > I've attempted backports to 3.2 and 3.16, and will send those out for
> > review in the next few days.
> > 
> > Ben.
> 
> Jan/Ben
> 
> Thanks for following up on this.
> 
> Ben - I'll be on the lookout for those backports.

Here they are:

https://marc.info/?l=linux-kernel&m=147908961924568
https://marc.info/?l=linux-kernel&m=147909400125559

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at
once.

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]