Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 20 Jan 2016 09:06:03 -0600
From: Tyler Hicks <>
Cc: Jann Horn <>
Subject: Security issue in eCryptfs-utils (CVE-2016-1572)

Jann Horn discovered[1] that the setuid-root mount.ecryptfs_private
helper would mount over any target directory that the user owns. This
included procfs. A user could mount over the /proc/<PID> of a process
that they own and maliciously craft files in that mount point with the
intent to confuse privileged processes that interact with those files.
Once the crafted mount point was set up, the reporter used the newuidmap
program (also setuid-root) to escalate his privileges by confusing it
with the files in the crafted mount point.

This issue was assigned CVE-2016-1572.

The upstream fix[2] prevents the attack by creating a whitelist of mount
target filesystem types that mount.ecryptfs_private can safely
mount over.



[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ