Date: Fri, 18 Dec 2015 07:11:35 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: AW: CVE Request: Linux kernel: privilege
 escalation in user namespaces

Hi,

On 2015-12-18 03:54 AM, Fiedler Roman wrote:
> Hi,
> 
>> From: John Johansen [mailto:john.johansen@...onical.com]
>> Subject: [oss-security] CVE Request: Linux kernel: privilege escalation in
>> user namespaces
>>
>> Hi,
>>
>> I haven't seen a CVE request for this one yet, so,
>>
>> Jann Horn reported a privilege escalation in user namespaces to the lkml
>> mailing list
>>
>> https://lkml.org/lkml/2015/12/12/259
>>
>> if a root-owned process wants to enter a user namespace for some reason
>> without knowing who owns it and therefore can't change to the namespace
>> owner's uid and gid before entering, as soon as it has entered the
>> namespace, the namespace owner can attach to it via ptrace and thereby
>> gain access to its uid and gid.
> 
> Could it be that this is identical to
> 
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050
> 
> which led to
> 
> https://bugs.launchpad.net/bugs/cve/2015-1334
> 
> except that, combined with another time race, this gives host uid 0 escalation
> no matter what the target namespace looks like or whether the target uid is known or not?
> 
> The bug is marked as fixed, but looking at it, the very similar kernel issue
> seems not to be addressed and it is also still marked "private security" although
> the fix was released.
> 
> I could ask Ubuntu Security if we should make that bug public or perhaps could 
> add accounts to the list of authorized users when told the Launchpad user name 
> to add.
> 

I've just made the bug public. It was an oversight that we hadn't made it public
once the fix got released.

Marc.

