Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 31 Dec 2015 14:43:50 -0500 (EST)
From: cve-assign@...re.org
To: john.johansen@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel: privilege escalation in user namespaces

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Use CVE-2015-8709 for the issue fixed in the
https://lkml.org/lkml/2015/12/25/71 post.

(This is not yet available at
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/kernel/ptrace.c
and http://marc.info/?l=linux-kernel&m=145118185526359 might be the
current end of the earlier discussion.)

This issue has been covered in security advisories from one or more
Linux distributions, e.g.,

>> http://www.ubuntu.com/usn/usn-2847-1
>> 
>> Jann Horn discovered a ptrace issue with user namespaces in the Linux
>> kernel. The namespace owner could potentially exploit this flaw by ptracing
>> a root owned process entering the user namespace to elevate its privileges
>> and potentially gain access outside of the namespace.
>> (http://bugs.launchpad.net/bugs/1527374)


There has been some discussion of whether the finding was a
vulnerability discovery, e.g.,

>>> Date: Fri, 18 Dec 2015 00:07:19 +0100
>>> From: Jann Horn <jann@...jh.net>
>>> 
>>> I'm not sure whether this is CVE-worthy - the user_namespaces
>>> manpage says "the process has full privileges for operations
>>> inside the user namespace, but is unprivileged for operations
>>> outside the namespace". ptrace()ing a process in the
>>> namespace can reasonably be considered an "operation inside
>>> the user namespace" ...
>>> 
>>> In my opinion, this patch is somewhere between hardening and
>>> a security feature, but I wouldn't really call it a vuln fix.


>>>> Date: Thu, 17 Dec 2015 23:54:03 +0000
>>>> From: Serge Hallyn <serge.hallyn@...ntu.com>
>>>> 
>>>>> ptrace()ing a process in the
>>>>> namespace can reasonably be considered an "operation inside
>>>>> the user namespace"
>>>> 
>>>> Except by creating a file in the host namespace, you were, as
>>>> root in the container, able to escape your namespace, right?

We feel that, more generally, the usn-2847-1 mention of "and
potentially gain access outside of the namespace" is a realistic
concern.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWhYUBAAoJEL54rhJi8gl5clsQAJ0zSFW9FO3915URxP2n8G8o
ZhSK+jSGkt2LyKDA6pUooumSsK0AcFyHickeGcvpQwG3QVhgAhMXAafcgmPxA6yo
H1lagz87clNL96IRK4IqQF9Go8ESqxDay+lUidazRPpIvGUSx+0/qQ0OlRWixGmW
CeumSsAP2bHTEf/r6LVliPU5+2/nRdvRsSa+OXF4z6vJerzHGJAMvipaXf3otts+
VQzco/jc8R5zODFTc7xqVmIBbzyCPtP47BvmPXDJaVelt9kPima+qLOFC4ahEdw8
qChsbHH8Ab1Tv5WATqopWJ6oLQ6g4yFihrtfPr1w9JaDMoFPs3s8OKXji+RkR09F
om+7qSXTMft25wdeBoh1eTyceLD5ZdjB82cwhxLxthjyYjQTmKcQU5HBXD9xZee9
SVs03pBTYXyo0rt+z1mvaL7rsuXn6NXLRt3mwDHO7qpwKJKU3nJjt9OOdan+Cipb
Fj8/ypwFLvOBeEMC3Ymi8yhb7JOGtMetKI/q/nvouscovNeM7rfYeFIrNAup71du
PNn2to5riQHeK/XsxBYi3VUK2wHm2MyKvcwaq5wzyw0GKBCdPXYnGKYQ8k8KnT7/
b1SPmfL/8GpYENEAjtXbPNp18CwY5pXE/+u7HrX+GsBUjpapayx3o2Jsjr12/4x7
36dwQ8gGQoWfBFgofWSs
=YkNx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ