Launchpad.net

CVE 2018-7169

An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

Related bugs and status

CVE-2018-7169 (Candidate) is related to these bugs:

Bug #1729357: unprivileged user can drop supplementary groups

Summary				In	Importance	Status
	1729357	unprivileged user can drop supplementary groups		shadow (Ubuntu)	Low	Confirmed
	1729357	unprivileged user can drop supplementary groups		shadow (openSUSE)	Medium	Fix Released

Bug #1840375: groupdel doesn't support extrausers

		In	Importance	Status
1840375	groupdel doesn't support extrausers	shadow (Ubuntu)	Wishlist	Fix Released
1840375	groupdel doesn't support extrausers	snapd	Medium	Fix Released
1840375	groupdel doesn't support extrausers	shadow (Ubuntu Bionic)	Wishlist	Fix Released
1840375	groupdel doesn't support extrausers	shadow (Ubuntu Xenial)	Wishlist	Won't Fix
1840375	groupdel doesn't support extrausers	shadow (Ubuntu Disco)	Wishlist	Won't Fix

See the

CVE page on Mitre.org for more details.

References

MISC: https://bugs.launchpad...
GENTOO: GLSA-201805-09