FS#57527 - [shadow] newgidmap is setuid and allows an unprivileged user to be placed in a user namespace where
Attached to Project:
Arch Linux
Opened by Karol Babioch (johnpatcher) - Friday, 16 February 2018, 08:46 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 05 January 2019, 16:14 GMT
Details
CVE-2018-7169
An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7169
http://www.cvedetails.com/cve/CVE-2018-7169/
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357

Fix: https://github.com/shadow-maint/shadow/pull/97
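To see which paths on a host depend on the "group blacklisting" described above, the following audit script (an added example, not part of the original report or of shadow) lists entries whose owning group is denied permission bits that "other" is granted. The function names and the default root `/srv` are assumptions chosen for illustration.

```python
import os
import stat
import sys

def negative_group_bits(mode):
    """Return the rwx bits granted to 'other' but denied to the owning group."""
    group = (mode >> 3) & 0o7
    other = mode & 0o7
    return other & ~group

def fmt_bits(bits):
    """Render a 3-bit rwx mask as a string such as 'r-x'."""
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))

def find_group_blacklisted(root):
    """Return (path, gid, denied_bits) for every entry under root, root
    included, where the group class is stricter than the 'other' class.

    The kernel applies the group class to members of the owning group and
    does not fall through to 'other', so these are the paths whose
    protection rests on a user being unable to drop that group.
    """
    results = []
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in candidates:
        try:
            st = os.lstat(path)
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits are not used for access checks
        denied = negative_group_bits(st.st_mode)
        if denied:
            results.append((path, st.st_gid, fmt_bits(denied)))
    return results

if __name__ == "__main__":
    # Hypothetical default root; pass the tree to audit as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/srv"
    for path, gid, denied in find_group_blacklisted(root):
        print(f"{path}\tgid={gid}\tgroup denied: {denied}")
```

Any path it reports should be reviewed on systems still running shadow 4.5; the closing note on this task lists shadow-4.6-1 as the fixed package.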
Closed by Dave Reisner (falconindy)
Saturday, 05 January 2019, 16:14 GMT
Reason for closing: Fixed
Additional comments about closing: shadow-4.6-1