Bug 882189 - (CVE-2014-4014) VUL-0: CVE-2014-4014: kernel: internal function inode_capable was used inappropriately
VUL-0: CVE-2014-4014: kernel: internal function inode_capable was used inappr...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P1 - Urgent : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2014-06-11 08:27 UTC by Johannes Segitz
Modified: 2016-04-27 14:41 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Change inode_capable to capable_wrt_inode_uidgid (7.24 KB, patch)
2014-06-11 08:27 UTC, Johannes Segitz
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-06-11 08:27:31 UTC
Created attachment 594145 [details]
Change inode_capable to capable_wrt_inode_uidgid


From: Andy Lutomirski <luto () amacapital net>
Date: Tue, 10 Jun 2014 14:49:03 -0700

The internal function inode_capable was used inappropriately.
Depending on configuration, this may be usable to escalate privileges.
A cursory inspection of my Fedora box suggests that it is not
vulnerable to the obvious way to exploit this bug.

Comment 1 SMASH SMASH 2014-06-11 08:45:21 UTC
Affected packages:

SLE-11-SP3: kernel-source
SLE-11-SP2: kernel-source
Comment 2 Swamp Workflow Management 2014-06-11 22:00:17 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-06-18 07:09:02 UTC
From: Andy Lutomirski <luto@amacapital.net>
Date: Tue, 17 Jun 2014 14:47:46 -0700

The commit that fixes this is:


The bug is that, if you created a user namespace and retained
capabilities in that namespace, then you could use chmod to set the
setgid bit on any file you owned, including files with, say, group 0.

The impact depends on what files are available that have gids that
shouldn't be available to the users who own the file.  For example,
the existence of a uid != 0, gid == 0 file would allow that uid to
escalate privileges to gid 0, which is likely good enough for full
Comment 5 Marcus Meissner 2014-06-23 09:08:39 UTC
potential local privilege escalation, bump prio
Comment 7 Jeff Mahoney 2014-06-25 16:46:27 UTC
Fix applied to SLE12 via 3.12.23.
Fix applied to openSUSE 12.3
Fix applied to openSUSE 13.1

The problem was introduced in v3.5-rc1. Earlier releases are unaffected.
Comment 8 Swamp Workflow Management 2014-08-01 13:05:44 UTC
openSUSE-SU-2014:0957-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 788080,867531,867723,877257,880484,882189,883518,883724,883795,885422,885725
CVE References: CVE-2014-0131,CVE-2014-2309,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4014,CVE-2014-4171,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699
Sources used:
openSUSE 12.3 (src):    kernel-docs-3.7.10-1.40.2, kernel-source-3.7.10-1.40.1, kernel-syms-3.7.10-1.40.1
Comment 9 Swamp Workflow Management 2014-08-11 10:07:41 UTC
openSUSE-SU-2014:0985-1: An update that solves 14 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 768714,851686,855657,866101,867531,867723,879071,880484,882189,883518,883724,883795,884840,885422,885725,886629
CVE References: CVE-2014-0100,CVE-2014-0131,CVE-2014-2309,CVE-2014-3917,CVE-2014-4014,CVE-2014-4171,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.13.1, crash-7.0.2-2.13.1, hdjmod-1.28-16.13.1, ipset-6.21.1-2.17.1, iscsitarget-, kernel-docs-3.11.10-21.3, kernel-source-3.11.10-21.1, kernel-syms-3.11.10-21.1, ndiswrapper-1.58-13.1, pcfclock-0.44-258.13.1, vhba-kmp-20130607-2.14.1, virtualbox-4.2.18-2.18.1, xen-4.3.2_01-21.1, xtables-addons-2.3-2.13.1
Comment 10 Marcus Meissner 2014-09-05 09:29:49 UTC