Date: Sat, 18 Apr 2015 00:12:34 -0400 (EDT)
From: cve-assign@...re.org
To: eric@...disch.us
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: USERNS allows circumventing MNT_LOCKED - Linux kernel

> In October 2014, Andrey Vagin reported[1] to the Linux Containers list that
> it would be possible to use user namespaces to circumvent MNT_LOCKED and
> allow unprivileged users to access the directory structure underneath of
> mounts. A PoC was also produced and is public.
> 
> Patches are now available and proposed to Linus[2].
> 
> [1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
> [2] http://www.spinics.net/lists/linux-containers/msg30786.html

Use CVE-2014-9717 for the

  "The semantics of MNT_LOCKED are that you aren't allowed to see what
   is beneath. So if you can get under there even by unsharing the mount
   namespace it is an implementation bug in MNT_LOCKED."

issue in the http://marc.info/?l=linux-kernel&m=141271552117745&w=2
post.

The scope of CVE-2014-9717 does not include the entire set of issues
discussed in the msg30786.html post. In particular, a different part
of that msg30786.html page already has a CVE mapping in the
http://openwall.com/lists/oss-security/2015/04/04/4 post.

There currently isn't a CVE ID for the

   "While investigating this issue I also found an issue with
    __detach_mounts. The code was unnecessarily and incorrectly
    triggering mount propagation. Resulting in too many mounts going
    away when a directory is deleted, and too many cpu cycles are
    burned while doing that."

finding (which seems to be in the
http://www.spinics.net/lists/linux-containers/msg30789.html post). If
an unprivileged user could have launched a worthwhile attack by
deleting a directory in certain circumstances, then we can assign a
separate CVE ID for that issue.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]