Date: Fri, 18 Dec 2015 07:11:35 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: AW: CVE Request: Linux kernel: privilege escalation in user namespaces

Hi,

On 2015-12-18 03:54 AM, Fiedler Roman wrote:
> Hi,
>
>> From: John Johansen [mailto:john.johansen@...onical.com]
>> Subject: [oss-security] CVE Request: Linux kernel: privilege escalation in user namespaces
>>
>> Hi,
>>
>> I haven't seen a CVE request for this one yet so,
>>
>> Jann Horn reported a privilege escalation in user namespaces to the lkml
>> mailing list
>>
>> https://lkml.org/lkml/2015/12/12/259
>>
>> if a root-owned process wants to enter a user namespace for some reason
>> without knowing who owns it and therefore can't change to the namespace
>> owner's uid and gid before entering, as soon as it has entered the
>> namespace, the namespace owner can attach to it via ptrace and thereby
>> gain access to its uid and gid.
>
> Could it be that this is identical to
>
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050
>
> which led to
>
> https://bugs.launchpad.net/bugs/cve/2015-1334
>
> except that, combined with another time race, this gives host uid 0 escalation
> no matter what the target namespace looks like or whether the target uid is known or not?
>
> The bug is marked as fixed, but looking at it, the very similar kernel issue
> seems not to be addressed and it is also still marked "private security" although
> the fix was released.
>
> I could ask Ubuntu Security if we should make that bug public or perhaps could
> add accounts to the list of authorized users when told the Launchpad user name
> to add.
>

I've just made the bug public. It was an oversight that we hadn't made it public
once the fix got released.

Marc.