diff options
author | Jeremy Cline <jcline@redhat.com> | 2018-07-09 12:01:10 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2018-07-09 12:07:22 -0400 |
commit | 8f24bd8eab4919adec10ffaff3ead50c08fda941 (patch) | |
tree | 72d722904962c38e2addc7faddbe847073517625 | |
parent | 1a9181ff17aa8e6c755e8e9f49b6a3b840c8ce8f (diff) | |
download | kernel-8f24bd8eab4919adec10ffaff3ead50c08fda941.tar.gz kernel-8f24bd8eab4919adec10ffaff3ead50c08fda941.tar.xz kernel-8f24bd8eab4919adec10ffaff3ead50c08fda941.zip |
Linux v4.17.5
-rw-r--r-- | CVE-2018-13405.patch | 47 | ||||
-rw-r--r-- | kernel.spec | 9 | ||||
-rw-r--r-- | sources | 2 |
3 files changed, 56 insertions, 2 deletions
diff --git a/CVE-2018-13405.patch b/CVE-2018-13405.patch new file mode 100644 index 000000000..489e11f54 --- /dev/null +++ b/CVE-2018-13405.patch @@ -0,0 +1,47 @@ +From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Tue, 3 Jul 2018 17:10:19 -0700 +Subject: [PATCH] Fix up non-directory creation in SGID directories + +sgid directories have special semantics, making newly created files in +the directory belong to the group of the directory, and newly created +subdirectories will also become sgid. This is historically used for +group-shared directories. + +But group directories writable by non-group members should not imply +that such non-group members can magically join the group, so make sure +to clear the sgid bit on non-directories for non-members (but remember +that sgid without group execute means "mandatory locking", just to +confuse things even more). + +Reported-by: Jann Horn <jannh@google.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + fs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/inode.c b/fs/inode.c +index 2c300e981796..8c86c809ca17 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, + inode->i_uid = current_fsuid(); + if (dir && dir->i_mode & S_ISGID) { + inode->i_gid = dir->i_gid; ++ ++ /* Directories are special, and always inherit S_ISGID */ + if (S_ISDIR(mode)) + mode |= S_ISGID; ++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && ++ !in_group_p(inode->i_gid) && ++ !capable_wrt_inode_uidgid(dir, CAP_FSETID)) ++ mode &= ~S_ISGID; + } else + inode->i_gid = current_fsgid(); + inode->i_mode = mode; +-- +2.17.1 + diff --git a/kernel.spec b/kernel.spec index 93cdd61ca..cd8405166 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -665,6 +665,9 @@ Patch522: 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch # CVE-2018-13095 rhbz 1597775 1597777 Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch +# CVE-2018-13405 rhbz 1599161 1599162 +Patch524: CVE-2018-13405.patch + # END OF PATCH DEFINITIONS %endif @@ -1914,6 +1917,10 @@ fi # # %changelog +* Mon Jul 09 2018 Jeremy Cline <jcline@redhat.com> - 4.17.5-100 +- Linux v4.17.5 +- Fix CVE-2018-13405 (rhbz 1599161 1599162) + * Thu Jul 05 2018 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2018-13053 (rhbz 1597747 1597748) - Fix CVE-2018-12896 (rhbz 1597759 1597760) @@ -1,2 +1,2 @@ SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db -SHA512 (patch-4.17.4.xz) = 0a9f976e7cf2c2cc9ba29b5eb45a6b9722059674efa99153bf449537e022426138a0848cfdb69e1df4a1a3b71ee7c9de92b4086799d0e15f44f8356b2fd63754 +SHA512 (patch-4.17.5.xz) = 2623f82b4664b5ef6af4f1f9e2758661d7c3b4b7445990fb22b1a93d33006316a7a19c03d7dfccb0c49c7cfc2791c4b0aa6c543730ffc1d095c72402f060dd5c |