The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 cve-icon cve-icon
http://openwall.com/lists/oss-security/2018/07/13/2 cve-icon cve-icon
http://www.securityfocus.com/bid/106503 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2948 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3083 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3096 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:0717 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2476 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2566 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2696 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2730 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4159 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4164 cve-icon cve-icon
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406 cve-icon cve-icon
https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-13405 cve-icon
https://support.f5.com/csp/article/K00854051 cve-icon cve-icon
https://twitter.com/grsecurity/status/1015082951204327425 cve-icon cve-icon
https://usn.ubuntu.com/3752-1/ cve-icon cve-icon
https://usn.ubuntu.com/3752-2/ cve-icon cve-icon
https://usn.ubuntu.com/3752-3/ cve-icon cve-icon
https://usn.ubuntu.com/3753-1/ cve-icon cve-icon
https://usn.ubuntu.com/3753-2/ cve-icon cve-icon
https://usn.ubuntu.com/3754-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-13405 cve-icon
https://www.debian.org/security/2018/dsa-4266 cve-icon cve-icon
https://www.exploit-db.com/exploits/45033/ cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T09:00:35.380Z

Reserved: 2018-07-06T00:00:00

Link: CVE-2018-13405

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-07-06T14:29:01.223

Modified: 2024-11-21T03:47:02.490

Link: CVE-2018-13405

cve-icon Redhat

Severity : Important

Publid Date: 2018-07-05T00:00:00Z

Links: CVE-2018-13405 - Bugzilla

cve-icon OpenCVE Enrichment

No data.