libcap-ng: capng_lock sets securebits in a scary manner (CVE-2014-3215)
capng_lock sets securebits in an attempt to prevent regaining capabilities using setuid-root programs. This works, but it has little effect on setcap’d programs, and it allows a user to run setuid programs as uid 0 but without capabilities, which is potentially dangerous.
seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges.
•MLIST:[oss-security] 20140429 local privilege escalation due to
capng_lock as used in seunshare
•MLIST:[oss-security] 20140430 Re: local privilege escalation due to capng_lock as used in seunshare
•MLIST:[oss-security] 20140507 Re: local privilege escalation due to capng_lock as used in seunshare
(from redmine: issue id 3026, created on 2014-06-12, closed on 2014-06-24)