Re: CVE Request -- kernel: sysctl: restrict write access to dmesg_restrict

[Kurt Seifried <kseifried () redhat com>]

On 10/26/2011 09:53 AM, Vasiliy Kulikov wrote:
> Hi,
>
> On Wed, Oct 26, 2011 at 09:26 -0600, Kurt Seifried wrote:
> > On 10/26/2011 09:16 AM, Petr Matousek wrote:
> > > When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the
> > > kernel ring buffer. But a root user without CAP_SYS_ADMIN is able
> > > to reset dmesg_restrict to 0.
> > >
> > > This is an issue when e.g.  LXC (Linux Containers) are used and complete
> > > user space is running without CAP_SYS_ADMIN.  A unprivileged and jailed
> > > root user can bypass the dmesg_restrict protection.
> > >
> > > Introduced by:
> > > eaf06b241b091357e72b76863ba16e89610d31bd
> > >
> > > Fixed by:
> > > bfdc0b497faa82a0ba2f9dddcf109231dd519fcc
> > >
> > > Thanks,
> > Please use CVE-2011-4080 for this issue.
> Why does it worth CVE?  
This allows an attacker to bypass a security boundary. The root user is
able to gain privileges they shouldn't have.

-- 

-Kurt Seifried / Red Hat Security Response Team