[kernel-sec-discuss] r4193 - active

Ben Hutchings benh at moszumanska.debian.org
Sat Feb 27 09:34:35 UTC 2016


Author: benh
Date: 2016-02-27 09:34:35 +0000 (Sat, 27 Feb 2016)
New Revision: 4193

Modified:
   active/CVE-2016-1575
   active/CVE-2016-1576
Log:
Add more details about CVE-2016-157{5,6}

Modified: active/CVE-2016-1575
===================================================================
--- active/CVE-2016-1575	2016-02-27 07:37:54 UTC (rev 4192)
+++ active/CVE-2016-1575	2016-02-27 09:34:35 UTC (rev 4193)
@@ -1,6 +1,12 @@
-Description:
+Description: Privilege escalation through userns, overlay mounts and setgid flag
 References:
+ http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/
 Notes:
+ bwh> The exploit depends on unprivileged users being able to create user
+ bwh> namespaces (disallowed by default in Debian) and being able to mount
+ bwh> overlayfs within a user namespace (only allowed in Ubuntu).  But it's
+ bwh> possible that an administrator might accidentally set up a
+ bwh> configuration that is exploitable.
 Bugs:
 upstream:
 3.16-upstream-stable: N/A "Vulnerable code not present, introduced in e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2)"
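Review bot: the `upstream:` line in this hunk is left empty while `3.16-upstream-stable` is already marked N/A with the introducing commit; since the notes establish that the vulnerable code exists from v3.18-rc2 onward, record the upstream status (pending, or the fixing commit once known) so the entry does not read as if no upstream fix is being tracked. The mitigating conditions in the `bwh>` notes (unprivileged userns creation disallowed by default in Debian, overlayfs in a userns only allowed in Ubuntu) would also be more useful reflected in the per-suite status lines than only in free-form notes.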

Modified: active/CVE-2016-1576
===================================================================
--- active/CVE-2016-1576	2016-02-27 07:37:54 UTC (rev 4192)
+++ active/CVE-2016-1576	2016-02-27 09:34:35 UTC (rev 4193)
@@ -1,6 +1,12 @@
-Description:
+Description: Privilege escalation through overlay and FUSE mounts
 References:
+ http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
 Notes:
+ bwh> The exploit depends on unprivileged users being able to create user
+ bwh> namespaces (disallowed by default in Debian) and being able to mount
+ bwh> overlayfs and FUSE within a user namespace (only allowed in Ubuntu).
+ bwh> But it's possible that an administrator might accidentally set up a
+ bwh> configuration that is exploitable.
 Bugs:
 upstream:
 3.16-upstream-stable: N/A "Vulnerable code not present, introduced in e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2)"
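Review bot: the `Description:` line added here ("Privilege escalation through overlay and FUSE mounts") omits the user-namespace precondition that the `bwh>` notes say the exploit depends on, unlike the sibling CVE-2016-1575 entry; suggest aligning it, e.g. "Privilege escalation through userns, overlay and FUSE mounts", so the description alone conveys the required configuration. As with the other entry, `upstream:` stays empty although `3.16-upstream-stable` already cites the introducing commit; record the upstream status once known.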
