[kernel/f17] CVE-2012-2123 fcaps: clear the same personality flags as suid when fcaps are used (rhbz 814523 80672

Josh Boyer jwboyer at fedoraproject.org
Fri Apr 20 12:35:26 UTC 2012


commit 2ddaf285933218886f7feec8e657758f191de74a
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Apr 20 08:28:25 2012 -0400

    CVE-2012-2123 fcaps: clear the same personality flags as suid when fcaps are used (rhbz 814523 806722)

 ...-the-same-personality-flags-as-suid-when-.patch |   38 ++++++++++++++++++++
 kernel.spec                                        |   14 +++++++-
 security-fix-compile-error-in-commoncap.c.patch    |   28 ++++++++++++++
 3 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/fcaps-clear-the-same-personality-flags-as-suid-when-.patch b/fcaps-clear-the-same-personality-flags-as-suid-when-.patch
new file mode 100644
index 0000000..1cf2ac2
--- /dev/null
+++ b/fcaps-clear-the-same-personality-flags-as-suid-when-.patch
@@ -0,0 +1,38 @@
+From d52fc5dde171f030170a6cb78034d166b13c9445 Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis at redhat.com>
+Date: Tue, 17 Apr 2012 16:26:54 -0400
+Subject: [PATCH] fcaps: clear the same personality flags as suid when fcaps
+ are used
+
+If a process increases permissions using fcaps all of the dangerous
+personality flags which are cleared for suid apps should also be cleared.
+Thus programs given priviledge with fcaps will continue to have address space
+randomization enabled even if the parent tried to disable it to make it
+easier to attack.
+
+Signed-off-by: Eric Paris <eparis at redhat.com>
+Reviewed-by: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+---
+ security/commoncap.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/security/commoncap.c b/security/commoncap.c
+index 0cf4b53..0ecf4ba 100644
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -505,6 +505,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ 	}
+ skip:
+ 
++	/* if we have fs caps, clear dangerous personality flags */
++	if (!cap_issubset(new->cap_permitted, old->cap_permitted))
++		bprm->per_clear |= PER_CLEAR_ON_SETID;
++
++
+ 	/* Don't let someone trace a set[ug]id/setpcap binary with the revised
+ 	 * credentials unless they have the appropriate permit
+ 	 */
+-- 
+1.7.7.6
+
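Review bot: the block added after the `skip:` label uses `PER_CLEAR_ON_SETID` but the hunk adds no `#include <linux/personality.h>`, so the build relies on that header arriving transitively; the separate compile-fix patch in this same commit supplies the include, and folding that one line into this patch would let it build on its own. Style point: the insertion ends with two consecutive blank lines (`++` twice) before the tracing comment, where one is enough. The condition `!cap_issubset(new->cap_permitted, old->cap_permitted)` only fires when the exec actually gains permitted capabilities, so a file-capability binary that grants nothing new keeps the caller's personality, which matches the stated intent of the description.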
diff --git a/kernel.spec b/kernel.spec
index df20b46..f0d6871 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 5
+%global baserelease 6
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -807,6 +807,10 @@ Patch22006: KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 #rhbz 814278 814289 CVE-2012-2119
 Patch22007: macvtap-zerocopy-validate-vector-length.patch
 
+#rhbz 814523 806722 CVE-2012-2123
+Patch22008: fcaps-clear-the-same-personality-flags-as-suid-when-.patch
+Patch22009: security-fix-compile-error-in-commoncap.c.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
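Review bot: Patch22009 exists only to make Patch22008 compile, so listing both under the single `#rhbz 814523 806722 CVE-2012-2123` comment is correct; a short note in that comment saying Patch22009 is the build fix for Patch22008 would keep a future cleanup from dropping one without the other.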
@@ -1567,6 +1571,10 @@ ApplyPatch KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 #rhbz 814278 814289 CVE-2012-2119
 ApplyPatch macvtap-zerocopy-validate-vector-length.patch
 
+#rhbz 814523 806722 CVE-2012-2123
+ApplyPatch fcaps-clear-the-same-personality-flags-as-suid-when-.patch
+ApplyPatch security-fix-compile-error-in-commoncap.c.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
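Review bot: application order is right here, the fcaps patch goes in before the header fix it needs, and the order mirrors the Patch22008/Patch22009 definitions; keep these two ApplyPatch lines adjacent if the patch list is reordered later.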
@@ -2411,6 +2419,10 @@ fi
 #    '-'      |  |
 #              '-'
 %changelog
+* Fri Apr 20 2012 Josh Boyer <jwboyer at redhat.com>
+- CVE-2012-2123 fcaps: clear the same personality flags as suid when fcaps
+  are used (rhbz 814523 806722)
+
 * Thu Apr 19 2012 Justin M. Forbes <jforbes at redhat.com>
 - CVE-2012-2119 macvtap: zerocopy: vector length is not validated before
   pinning user pages (rhbz 814278 814289)
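Review bot: the changelog entry names only the fcaps change; since this release also carries the commoncap.c include fix required to build it, mentioning that in the same entry would make the pairing visible to anyone reading the rpm changelog.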
diff --git a/security-fix-compile-error-in-commoncap.c.patch b/security-fix-compile-error-in-commoncap.c.patch
new file mode 100644
index 0000000..de333e2
--- /dev/null
+++ b/security-fix-compile-error-in-commoncap.c.patch
@@ -0,0 +1,28 @@
+From 51b79bee627d526199b2f6a6bef8ee0c0739b6d1 Mon Sep 17 00:00:00 2001
+From: Jonghwan Choi <jhbird.choi at samsung.com>
+Date: Wed, 18 Apr 2012 17:23:04 -0400
+Subject: [PATCH] security: fix compile error in commoncap.c
+
+Add missing "personality.h"
+security/commoncap.c: In function 'cap_bprm_set_creds':
+security/commoncap.c:510: error: 'PER_CLEAR_ON_SETID' undeclared (first use in this function)
+security/commoncap.c:510: error: (Each undeclared identifier is reported only once
+security/commoncap.c:510: error: for each function it appears in.)
+
+Signed-off-by: Jonghwan Choi <jhbird.choi at samsung.com>
+Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+---
+ security/commoncap.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+--- linux-3.3.2-6.fc17.noarch.orig/security/commoncap.c
++++ linux-3.3.2-6.fc17.noarch/security/commoncap.c
+@@ -28,6 +28,7 @@
+ #include <linux/prctl.h>
+ #include <linux/securebits.h>
+ #include <linux/user_namespace.h>
++#include <linux/personality.h>
+ 
+ /*
+  * If a non-root user executes a setuid-root binary in
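Review bot: the compile error quoted in the description points at commoncap.c line 510, which is exactly the `bprm->per_clear |= PER_CLEAR_ON_SETID;` line the preceding fcaps patch adds, so this one-line include is a direct dependency of that patch rather than an independent fix. Note also that the file header is in plain `---/+++` form against `linux-3.3.2-6.fc17.noarch.orig/` rather than the `a/` `b/` form of the upstream commit header above it; that works for ApplyPatch at -p1 but means the diff was regenerated against the Fedora tree rather than taken verbatim from upstream commit 51b79bee, which is worth a sentence in the commit message.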