Date: Thu, 31 Dec 2015 14:43:50 -0500 (EST) From: cve-assign@...re.org To: john.johansen@...onical.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux kernel: privilege escalation in user namespaces -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Use CVE-2015-8709 for the issue fixed in the https://lkml.org/lkml/2015/12/25/71 post. (This is not yet available at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/kernel/ptrace.c and http://marc.info/?l=linux-kernel&m=145118185526359 might be the current end of the earlier discussion.) This issue has been covered in security advisories from one or more Linux distributions, e.g., >> http://www.ubuntu.com/usn/usn-2847-1 >> >> Jann Horn discovered a ptrace issue with user namespaces in the Linux >> kernel. The namespace owner could potentially exploit this flaw by ptracing >> a root owned process entering the user namespace to elevate its privileges >> and potentially gain access outside of the namespace. >> (http://bugs.launchpad.net/bugs/1527374) There has been some discussion of whether the finding was a vulnerability discovery, e.g., >>> Date: Fri, 18 Dec 2015 00:07:19 +0100 >>> From: Jann Horn <jann@...jh.net> >>> >>> I'm not sure whether this is CVE-worthy - the user_namespaces >>> manpage says "the process has full privileges for operations >>> inside the user namespace, but is unprivileged for operations >>> outside the namespace". ptrace()ing a process in the >>> namespace can reasonably be considered an "operation inside >>> the user namespace" ... >>> >>> In my opinion, this patch is somewhere between hardening and >>> a security feature, but I wouldn't really call it a vuln fix. >>>> Date: Thu, 17 Dec 2015 23:54:03 +0000 >>>> From: Serge Hallyn <serge.hallyn@...ntu.com> >>>> >>>>> ptrace()ing a process in the >>>>> namespace can reasonably be considered an "operation inside >>>>> the user namespace" >>>> >>>> Except by creating a file in the host namespace, you were, as >>>> root in the container, able to escape your namespace, right? We feel that, more generally, the usn-2847-1 mention of "and potentially gain access outside of the namespace" is a realistic concern. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWhYUBAAoJEL54rhJi8gl5clsQAJ0zSFW9FO3915URxP2n8G8o ZhSK+jSGkt2LyKDA6pUooumSsK0AcFyHickeGcvpQwG3QVhgAhMXAafcgmPxA6yo H1lagz87clNL96IRK4IqQF9Go8ESqxDay+lUidazRPpIvGUSx+0/qQ0OlRWixGmW CeumSsAP2bHTEf/r6LVliPU5+2/nRdvRsSa+OXF4z6vJerzHGJAMvipaXf3otts+ VQzco/jc8R5zODFTc7xqVmIBbzyCPtP47BvmPXDJaVelt9kPima+qLOFC4ahEdw8 qChsbHH8Ab1Tv5WATqopWJ6oLQ6g4yFihrtfPr1w9JaDMoFPs3s8OKXji+RkR09F om+7qSXTMft25wdeBoh1eTyceLD5ZdjB82cwhxLxthjyYjQTmKcQU5HBXD9xZee9 SVs03pBTYXyo0rt+z1mvaL7rsuXn6NXLRt3mwDHO7qpwKJKU3nJjt9OOdan+Cipb Fj8/ypwFLvOBeEMC3Ymi8yhb7JOGtMetKI/q/nvouscovNeM7rfYeFIrNAup71du PNn2to5riQHeK/XsxBYi3VUK2wHm2MyKvcwaq5wzyw0GKBCdPXYnGKYQ8k8KnT7/ b1SPmfL/8GpYENEAjtXbPNp18CwY5pXE/+u7HrX+GsBUjpapayx3o2Jsjr12/4x7 36dwQ8gGQoWfBFgofWSs =YkNx -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ