Date: Mon, 23 Jun 2014 12:27:39 -0700 From: Andy Lutomirski <luto@...capital.net> To: oss-security@...ts.openwall.com Subject: Re: CVE-2014-4014: Linux kernel user namespace bug On 06/18/2014 12:16 AM, Sven Kieske wrote: > Am 17.06.2014 23:47, schrieb Andy Lutomirski: >> On Tue, Jun 10, 2014 at 2:49 PM, Andy Lutomirski <luto@...capital.net> wrote: >>> The internal function inode_capable was used inappropriately. >>> Depending on configuration, this may be usable to escalate privileges. >>> A cursory inspection of my Fedora box suggests that it is not >>> vulnerable to the obvious way to exploit this bug. >>> >>> The fix should appear in Linus' -master shortly, and it's tagged for >>> stable. In the mean time, I've attached it here. >>> >> >> The commit that fixes this is: >> >> 23adbe12ef7d3d4195e80800ab36b37bee28cd03 > > Do you happen to know in which kernel version > this bug got introduced? I don't know, but I wouldn't be surprised if it's been there since user namespaces were introduced. I think that user namespace-enabled kernels are unlikely to be found in the wild before 3.12 or so. --Andy
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ