On Wed, 2016-11-16 at 11:56 -0600, Josh Hunt wrote:
> On 11/11/2016 09:03 PM, Ben Hutchings wrote:
> > On Fri, 2016-11-11 at 10:58 +0100, Jan Kara wrote:
> > > Hi!
> > >
> > > On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> > > > You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> > > > setting file permissions") which has been identified to resolve
> > > > CVE-2016-7097, but is missing from linux-4.1.y.
> > > >
> > > > If you believe this commit should be part of linux-4.1.y can you please
> > > > reply with your approval for its inclusion?
> > >
> > > Yes, the problem exists all the way back, I believe since ACLs were
> > > introduced. Definitely exists in 3.0 which is the oldest version I've
> > > checked. The patch may need some massaging to apply which is why it didn't
> > > get into 4.1 I assume. And the backport will need a review because all
> > > filesystems supporting ACLs need to be handled where frankly I'm not quite
> > > sure the bug-severity / effort is worth it.
> >
> > I've attempted backports to 3.2 and 3.16, and will send those out for
> > review in the next few days.
> >
> > Ben.
>
> Jan/Ben
>
> Thanks for following up on this.
>
> Ben - I'll be on the lookout for those backports.

Here they are:
https://marc.info/?l=linux-kernel&m=147908961924568
https://marc.info/?l=linux-kernel&m=147909400125559

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at once.