Message-ID: <CAG48ez3sBak6JSO6p=qZ8S3mo8kARevAmUOY2TtFawaxXBk3wA@mail.gmail.com>
Date: Fri, 16 Nov 2018 00:38:18 +0100
From: Jann Horn <jannh@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: broken uid/gid mapping for nested user namespaces with
 >5 ranges (CVE-2018-18955; since 4.15; fixed in 4.18.19 and 4.19.2)

NOTE: I have requested a CVE identifier, and I'm sending this message,
to make tracking of the fix easier; however, to avoid missing security
fixes without CVE identifiers, you should *NOT* be cherry-picking a
specific patch in response to a notification about a kernel security
bug.

In Linux kernel versions since 4.15, map_write() in
kernel/user_namespace.c handles nested user namespaces with more than
5 UID or GID ranges incorrectly. This can allow a user who has
CAP_SYS_ADMIN in a user namespace which maps at least 6 UIDs or GIDs
to bypass access controls on resources outside the namespace.

This is CVE-2018-18955.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2
https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
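
An audit sketch for the conditions described in the message above, added here as an example and not part of the original post or of the kernel source. It compares a `uname -r` string with the upstream versions named in the subject line and counts the ranges in a map read from `/proc/<pid>/uid_map` or `gid_map`; the function names and the sample map are assumptions, and the sample map is constructed.

```python
import re

# From the advisory: affected since 4.15; fixed upstream in 4.18.19 and 4.19.2.
INTRODUCED = (4, 15)
FIXED_PATCH = {(4, 18): 19, (4, 19): 2}
RANGE_LIMIT = 5  # maps with more than 5 ranges are the mishandled case

def upstream_affected(release):
    """Heuristic on a `uname -r` string; distribution kernels may backport the fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    if (major, minor) < INTRODUCED:
        return False
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # Assumption: 4.15-4.17 never received the fix; later series include it.
    return (major, minor) < (4, 18)

def parse_id_map(text):
    """Parse uid_map/gid_map text: one 'inside outside count' range per line."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges

def assess(release, id_map_text):
    """Summarise one namespace's map against the conditions in the advisory."""
    ranges = parse_id_map(id_map_text)
    mapped = sum(count for _, _, count in ranges)
    return {
        "kernel_affected": upstream_affected(release),
        "ranges": len(ranges),
        "over_range_limit": len(ranges) > RANGE_LIMIT,
        "maps_six_or_more_ids": mapped >= 6,
    }

# Constructed sample: a uid_map with six ranges, as read from /proc/<pid>/uid_map.
SAMPLE_MAP = """\
0 100000 1000
1000 1000 1
1001 101001 1000
2001 200000 500
2501 300000 500
3001 400000 10
"""

if __name__ == "__main__":
    print(assess("4.18.18", SAMPLE_MAP))
```

The version comparison only reflects upstream release numbers; confirm against the distribution's changelog for CVE-2018-18955 before treating a host as fixed or affected.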
