[kernel-sec-discuss] r4193 - active
Ben Hutchings
benh at moszumanska.debian.org
Sat Feb 27 09:34:35 UTC 2016
Author: benh
Date: 2016-02-27 09:34:35 +0000 (Sat, 27 Feb 2016)
New Revision: 4193
Modified:
active/CVE-2016-1575
active/CVE-2016-1576
Log:
Add more details about CVE-2016-157{5,6}
Modified: active/CVE-2016-1575
===================================================================
--- active/CVE-2016-1575 2016-02-27 07:37:54 UTC (rev 4192)
+++ active/CVE-2016-1575 2016-02-27 09:34:35 UTC (rev 4193)
@@ -1,6 +1,12 @@
-Description:
+Description: Privilege escalation through userns, overlay mounts and setgid flag
References:
+ http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/
Notes:
+ bwh> The exploit depends on unprivileged users being able to create user
+ bwh> namespaces (disallowed by default in Debian) and being able to mount
+ bwh> overlayfs within a user namespace (only allowed in Ubuntu). But it's
+ bwh> possible that an administrator might accidentally set up a
+ bwh> configuration that is exploitable.
Bugs:
upstream:
3.16-upstream-stable: N/A "Vulnerable code not present, introduced in e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2)"
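Review bot: The added Notes text contradicts itself on who can reach the vulnerable state. It says mounting overlayfs inside a user namespace is "only allowed in Ubuntu", then concludes that an administrator "might accidentally set up a configuration that is exploitable". If the overlayfs-in-userns condition cannot be met on a Debian kernel, no administrator setting makes the system exploitable; if it can, the note should say how. Suggest stating which of the two preconditions is administrator-controllable and naming the setting behind "disallowed by default in Debian", so a reader can check a host against it. The "upstream:" field is also still empty after this change, so the entry records where the bug was introduced but not whether a fix exists.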
Modified: active/CVE-2016-1576
===================================================================
--- active/CVE-2016-1576 2016-02-27 07:37:54 UTC (rev 4192)
+++ active/CVE-2016-1576 2016-02-27 09:34:35 UTC (rev 4193)
@@ -1,6 +1,12 @@
-Description:
+Description: Privilege escalation through overlay and FUSE mounts
References:
+ http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
Notes:
+ bwh> The exploit depends on unprivileged users being able to create user
+ bwh> namespaces (disallowed by default in Debian) and being able to mount
+ bwh> overlayfs and FUSE within a user namespace (only allowed in Ubuntu).
+ bwh> But it's possible that an administrator might accidentally set up a
+ bwh> configuration that is exploitable.
Bugs:
upstream:
3.16-upstream-stable: N/A "Vulnerable code not present, introduced in e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2)"
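Review bot: The new Description line omits the user-namespace precondition that the Notes call essential ("depends on unprivileged users being able to create user namespaces") and that the sibling entry's Description does mention ("through userns, overlay mounts and setgid flag"). Suggest "Privilege escalation through userns, overlay and FUSE mounts" so the two entries can be triaged consistently from the Description alone. In the Notes, the parenthetical "(only allowed in Ubuntu)" after "overlayfs and FUSE within a user namespace" is ambiguous: it is not clear whether it applies to both mount types or only to the combination. Splitting it into one statement per filesystem would remove the ambiguity.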