Date: Mon, 21 Dec 2015 09:05:27 +0000 From: Fiedler Roman <Roman.Fiedler@....ac.at> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: CVE Request: Linux kernel: privilege escalation in user namespaces > Von: Marc Deslauriers [mailto:marc.deslauriers@...onical.com] > > Hi, > > On 2015-12-18 03:54 AM, Fiedler Roman wrote: > > Hi, > > > >> Von: John Johansen [mailto:john.johansen@...onical.com] > >> Betreff: [oss-security] CVE Request: Linux kernel: privilege escalation > >> in > >> user > >> namespaces > >> > >> Hi, > >> > >> I haven't seen CVE request for this one yet so, > >> > >> Jann Horn reported a privilege escalation in user namespaces to the lkml > >> mailing list > >> > >> https://lkml.org/lkml/2015/12/12/259 > >> > >> if a root-owned process wants to enter a user namespace for some > reason > >> without knowing who owns it and therefore can't change to the > namespace > >> owner's uid and gid before entering, as soon as it has entered the > >> namespace, the namespace owner can attach to it via ptrace and thereby > >> gain access to its uid and gid. > > > > Could it be, that this is identical to > > > > https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050 > > > > which led to > > > > https://bugs.launchpad.net/bugs/cve/2015-1334 > > > > except, that combined with another timerace, this gives host uid 0 > escalation > > no matter how the target namespace looks like or target uid is known or > not? > > > > The bug is marked as fixed, but looking at it, the very similar kernel > > issue > > seems not be addressed and it is also still marked "private security" > although > > fix was released. > > > > I could ask Ubuntu Security if we should make that bug public or perhaps > could > > add accounts to the list of authorized users when told the Launchpad user > name > > to add. > > > > I've just made the bug public. It was an oversight that we hadn't made it > public > once the fix got released. Has someone looked already, if the latest patches addressed the same problem? Otherwise making https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050 public just released a fully working zero day exploit. Kind Regards, Roman Fiedler Download attachment "smime.p7s" of type "application/pkcs7-signature" (6344 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ