kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #162826
[Bug 1547400] Re: aufs fails to handle sanitize xattrs in workdir, copies SUID binaries from no-suid fuse mounts
This is now public:
http://openwall.com/lists/oss-security/2016/02/24/9
** Information type changed from Private Security to Public Security
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Changed in: linux (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1547400
Title:
aufs fails to handle sanitize xattrs in workdir, copies SUID binaries
from no-suid fuse mounts
Status in Linux:
Confirmed
Status in linux package in Ubuntu:
Confirmed
Bug description:
When aufs module is loaded with "modprobe aufs allow_userns",
unprivileged user can use xattrs on the working directory or aufs
mount over a fuse mount to create SUID/SGID binaries, thus escalating
privileges. These errors are quite similar to those on overlayfs:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961
aufs developers have already confirmed and issued a fix:
https://sourceforge.net/p/aufs/mailman/message/34864744/
Specific reproducers can be found at:
http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
InvitedOnly AkgY8iqF
# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
# apt-cache policy linux-image-4.2.0-27-generic
linux-image-4.2.0-27-generic:
Installed: 4.2.0-27.32
Candidate: 4.2.0-27.32
Version table:
*** 4.2.0-27.32 0
500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1547400/+subscriptions