Date: Fri, 11 Nov 2016 10:58:24 +0100
From: Jan Kara
To: Josh Hunt
Cc: jack@suse.cz, "Levin, Alexander" , "stable@vger.kernel.org"
Subject: Re: Fix for CVE-2016-7097 missing from linux-4.1.y
Message-ID: <20161111095824.GA2730@quack2.suse.cz>
References: <5824FBC5.7060606@akamai.com>
In-Reply-To: <5824FBC5.7060606@akamai.com>

Hi!

On Thu 10-11-16 16:59:17, Josh Hunt wrote:
> You are the author of commit 073931017b49 ("posix_acl: Clear SGID bit when
> setting file permissions") which has been identified to resolve
> CVE-2016-7097, but is missing from linux-4.1.y.
>
> If you believe this commit should be part of linux-4.1.y can you please
> reply with your approval for its inclusion?

Yes, the problem exists all the way back, I believe since ACLs were
introduced. Definitely exists in 3.0 which is the oldest version I've
checked. The patch may need some massaging to apply which is why it didn't
get into 4.1 I assume. And the backport will need a review because all
filesystems supporting ACLs need to be handled where frankly I'm not quite
sure the bug-severity / effort is worth it.

Honza
--
Jan Kara
SUSE Labs, CR