[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: missing capabilities in fs_mask
From:       Eugene Teo <eugene () redhat ! com>
Date:       2009-04-25 9:22:47
Message-ID: 49F2D667.7050005 () redhat ! com
[Download RAW message or body]

Hi Steve,

Steven M. Christey wrote:
> On Thu, 23 Apr 2009, Eugene Teo wrote:
> 
>> "When POSIX capabilities were introduced during the 2.1 Linux cycle, the
>> fs mask, which represents the capabilities which having fsuid==0 is
>> supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE.
>> However, before capabilities the privilege to call these did in fact
>> depend upon fsuid==0.
> 
> How is this different than CVE-2009-1072?  That CVE is based on the same
> bug report by Igor Zhbanov, although the description doesn't mention
> CAP_LINUX_IMMUTABLE.

Hmm. CVE-2009-1072 refers to the missing CAP_MKNOD capability in
CAP_NFSD_MASK, and this bug refers to the missing CAP_MKNOD and
CAP_LINUX_IMMUTABLE capabilities in CAP_FS_MASK. Come to think about it,
both are similar, and probably makes sense to have it part of
CVE-2009-1072 too?

Thanks, Eugene
[prev in list] [next in list] [prev in thread] [next in thread]