{ "threat_severity" : "Moderate", "public_date" : "2025-12-16T00:00:00Z", "bugzilla" : { "description" : "kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr", "id" : "2422699", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2422699" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-354", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr\nCurrently when both IMA and EVM are in fix mode, the IMA signature will\nbe reset to IMA hash if a program first stores IMA signature in\nsecurity.ima and then writes/removes some other security xattr for the\nfile.\nFor example, on Fedora, after booting the kernel with \"ima_appraise=fix\nevm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima,\ninstalling/reinstalling a package will not make good reference IMA\nsignature generated. Instead IMA hash is generated,\n# getfattr -m - -d -e hex /usr/bin/bash\n# file: usr/bin/bash\nsecurity.ima=0x0404...\nThis happens because when setting security.selinux, the IMA_DIGSIG flag\nthat had been set early was cleared. As a result, IMA hash is generated\nwhen the file is closed.\nSimilarly, IMA signature can be cleared on file close after removing\nsecurity xattr like security.evm or setting/removing ACL.\nPrevent replacing the IMA file signature with a file hash, by preventing\nthe IMA_DIGSIG flag from being reset.\nHere's a minimal C reproducer which sets security.selinux as the last\nstep which can also replaced by removing security.evm or setting ACL,\n#include \n#include \n#include \n#include \n#include \n#include \nint main() {\nconst char* file_path = \"/usr/sbin/test_binary\";\nconst char* hex_string = \"030204d33204490066306402304\";\nint length = strlen(hex_string);\nchar* ima_attr_value;\nint fd;\nfd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);\nif (fd == -1) {\nperror(\"Error opening file\");\nreturn 1;\n}\nima_attr_value = (char*)malloc(length / 2 );\nfor (int i = 0, j = 0; i < length; i += 2, j++) {\nsscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);\n}\nif (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {\nperror(\"Error setting extended attribute\");\nclose(fd);\nreturn 1;\n}\nconst char* selinux_value= \"system_u:object_r:bin_t:s0\";\nif (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {\nperror(\"Error setting extended attribute\");\nclose(fd);\nreturn 1;\n}\nclose(fd);\nreturn 0;\n}" ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68183\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68183\nhttps://lore.kernel.org/linux-cve-announce/2025121632-CVE-2025-68183-f588@gregkh/T" ], "name" : "CVE-2025-68183", "csaw" : false }