Bugzilla – Bug 1193097
VUL-0: CVE-2021-3982: gnome-shell: distributions using CAP_SYS_NICE in gnome-shell may be exposed to local DoS
Last modified: 2021-12-01 09:54:05 UTC
rh#2024174

Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2024174
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3982
From reading the upstream discussions [0] [1], I gather that this only affects us if we set CAP_SYS_NICE on our gnome-shell downstream build. As far as I can tell, from looking at SUSE:SLE-*/permissions, we are not doing so, but please confirm.

[0] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284
[1] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4711
(In reply to Carlos López from comment #1)
> From reading the upstream discussions [0] [1], I gather that this only
> affects us if we set CAP_SYS_NICE on our gnome-shell downstream build. As
> far as I can tell, from looking at SUSE:SLE-*/permissions, we are not doing
> so, but please confirm.
>
> [0] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284
> [1] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4711

Yes, I don't find we set CAP_SYS_NICE on our gnome-shell.
Since this does not affect us by default, and there is no upstream fix to prevent the bug if users set the capability manually, I'm closing this issue.
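
For the case left open above, where the capability is set manually on an installed binary, a local check can confirm whether gnome-shell carries CAP_SYS_NICE. This is an added example, not part of the bug report or of any SUSE or GNOME tooling; the function names, the default path /usr/bin/gnome-shell and the sample lines are assumptions constructed for illustration.

```shell
# Added example: does a binary carry cap_sys_nice as a *permitted* file capability?
# sys_nice_granted PATH  (reads `getcap` output on stdin; exit status 0 = granted)
# Handles both getcap styles:  "PATH = cap_sys_nice+ep"  and  "PATH cap_sys_nice=ep".
# Only the first action of each clause is evaluated; paths with spaces are not handled.
sys_nice_granted() {
    awk -v bin="$1" '
        $1 != bin { next }
        {
            start = ($2 == "=") ? 3 : 2      # older libcap prints a bare "=" field
            for (i = start; i <= NF; i++) {
                pos = match($i, /[+=-]/)     # clause = <cap,list><op><flags>
                if (pos == 0) continue
                list  = "," tolower(substr($i, 1, pos - 1)) ","
                op    = substr($i, pos, 1)
                flags = substr($i, pos + 1)
                sub(/[+=-].*/, "", flags)
                # an empty list or "all" names every capability
                named = (list == ",," || index(list, ",all,") || index(list, ",cap_sys_nice,"))
                if (!named || flags !~ /p/) continue
                found = (op == "-") ? 0 : 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Hypothetical wrapper for a live system; the default path is an assumption.
check_binary() {
    bin="${1:-/usr/bin/gnome-shell}"
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found" >&2; return 2; }
    if getcap "$bin" 2>/dev/null | sys_nice_granted "$bin"; then
        echo "$bin: cap_sys_nice is set as a file capability"
    else
        echo "$bin: cap_sys_nice is not set"
    fi
}

# Constructed getcap output lines (not captured from a real system).
SAMPLE_OLD='/usr/bin/gnome-shell = cap_sys_nice+ep'
SAMPLE_NEW='/usr/bin/gnome-shell cap_sys_nice=ep'
SAMPLE_INH='/usr/bin/gnome-shell cap_sys_nice=i'
SAMPLE_OTHER='/usr/bin/ping cap_net_raw=ep'
for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_INH" "$SAMPLE_OTHER"; do
    if printf '%s\n' "$s" | sys_nice_granted /usr/bin/gnome-shell; then
        echo "granted:     $s"
    else
        echo "not granted: $s"
    fi
done
```

An inheritable-only entry (`cap_sys_nice=i`) is reported as not granted, because without the permitted flag the file capability alone does not give the process CAP_SYS_NICE.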