Date: Fri, 18 Dec 2015 07:11:35 -0500
From: Marc Deslauriers <>
Subject: Re: AW: CVE Request: Linux kernel: privilege
 escalation in user namespaces


On 2015-12-18 03:54 AM, Fiedler Roman wrote:
> Hi,
>> From: John Johansen []
>> Subject: [oss-security] CVE Request: Linux kernel: privilege escalation in user namespaces
>> Hi,
>> I haven't seen a CVE request for this one yet so,
>> Jann Horn reported a privilege escalation in user namespaces to the lkml
>> mailing list
>> if a root-owned process wants to enter a user namespace for some reason
>> without knowing who owns it and therefore can't change to the namespace
>> owner's uid and gid before entering, as soon as it has entered the
>> namespace, the namespace owner can attach to it via ptrace and thereby
>> gain access to its uid and gid.
> Could it be, that this is identical to
> which led to
> except that, combined with another time race, this gives host uid 0 escalation
> no matter what the target namespace looks like or whether the target uid is known or not?
> The bug is marked as fixed, but looking at it, the very similar kernel issue
> seems not to be addressed and it is also still marked "private security" although
> the fix was released.
> I could ask Ubuntu Security if we should make that bug public or perhaps could 
> add accounts to the list of authorized users when told the Launchpad user name 
> to add.

I've just made the bug public. It was an oversight that we hadn't made it public
once the fix got released.

