Date: Sat, 18 Apr 2015 00:12:34 -0400 (EDT)
From: cve-assign@...re.org
To: eric@...disch.us
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: USERNS allows circumventing MNT_LOCKED - Linux kernel

> In October 2014, Andrey Vagin reported to the Linux Containers list that
> it would be possible to use user namespaces to circumvent MNT_LOCKED and
> allow unprivileged users to access the directory structure underneath of
> mounts. A PoC was also produced and is public.
>
> Patches are now available and proposed to Linus.
>
>  https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
>  http://www.spinics.net/lists/linux-containers/msg30786.html

Use CVE-2014-9717 for the "The semantics of MNT_LOCKED are that you aren't allowed to see what is beneath. So if you can get under there even by unsharing the mount namespace it is an implementation bug in MNT_LOCKED." issue in the http://marc.info/?l=linux-kernel&m=141271552117745&w=2 post.

The scope of CVE-2014-9717 does not include the entire set of issues discussed in the msg30786.html post. In particular, a different part of that msg30786.html page already has a CVE mapping in the http://openwall.com/lists/oss-security/2015/04/04/4 post.

There currently isn't a CVE ID for the "While investigating this issue I also found an issue with __detach_mounts. The code was unnecessarily and incorrectly triggering mount propagation. Resulting in too many mounts going away when a directory is deleted, and too many cpu cycles are burned while doing that." finding (which seems to be in the http://www.spinics.net/lists/linux-containers/msg30789.html post). If an unprivileged user could have launched a worthwhile attack by deleting a directory in certain circumstances, then we can assign a separate CVE ID for that issue.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]