Re: Re: Summary of security bugs (now fixed) in user namespaces

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2013 11:34 AM, Andy Lutomirski wrote:
> On Tue, Apr 16, 2013 at 2:01 AM, Kurt Seifried
> <kseifried () redhat com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >
> > On 04/15/2013 04:45 PM, Andy Lutomirski wrote:
> > > On Mon, Apr 15, 2013 at 3:34 PM, Brian Martin 
> > > <brian () opensecurityfoundation org> wrote:
> > > > Andy;
> > > >
> > > > : I previously reported these bugs privatley.  I'm
> > > > summarizing them for
> > > >
> > > > : the historical record.  These bugs were never exploitable
> > > > on a : default-configured released kernel, but some 3.8
> > > > versions are : vulnerable depending on configuration.
> > > >
> > > > Do you know if these were patched, and therefore possibly 
> > > > disclosed via the commits? With these details, it is
> > > > difficult to line them up to existing reports.
> > >
> > > Bug 1 should be fixed in:
> > >
> > > commit 3151527ee007b73a0ebd296010f1c0454a919c7d Author: Eric
> > > W. Biederman <ebiederm () xmission com> Date:   Fri Mar 15
> > > 01:45:51 2013 -0700
> > >
> > > userns:  Don't allow creation if the user is chrooted
> >
> > Can you confirm this has no CVE?

Please use CVE-2013-1956 for Linux Kernel namespaces userns:  Don't
allow creation if the user is chrooted

> > > Bug 2 is should be fixed by these:
> > >
> > > commit 90563b198e4c6674c63672fae1923da467215f45 Author: Eric
> > > W. Biederman <ebiederm () xmission com> Date:   Fri Mar 22
> > > 03:10:15 2013 -0700
> > >
> > > vfs: Add a mount flag to lock read only bind mounts
> > >
> > > commit 132c94e31b8bca8ea921f9f96a57d684fa4ae0a9 Author: Eric
> > > W. Biederman <ebiederm () xmission com> Date:   Fri Mar 22
> > > 04:08:05 2013 -0700
> > >
> > > vfs: Carefully propogate mounts across user namespaces
> >
> > Can you confirm this has no CVE?

Please use CVE-2013-1957 for Linux Kernel namespaces vfs: Carefully
propogate mounts across user namespaces


> > > Bug 3 should be fixed in:
> > >
> > > commit 92f28d973cce45ef5823209aab3138eb45d8b349 Author: Eric
> > > W. Biederman <ebiederm () xmission com> Date:   Fri Mar 15
> > > 01:03:33 2013 -0700
> > >
> > > scm: Require CAP_SYS_ADMIN over the current pidns to spoof
> > > pids.
> >
> > Can you confirm this has no CVE?

Please use CVE-2013-1958 for Linux Kernel namespaces scm: Require
CAP_SYS_ADMIN over the current pidns to spoof pids


As for the fourth bug he sent me details privately and a CVE was assigned.

> --Andy


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRbZxuAAoJEBYNRVNeJnmTBf0P/iSfWW//lBQGsljdiadvlbsN
RwFJMk5K1E/fIRm6OOHZljrpsMelxQMHZHMZvyo1RE8HEHjO/v7XuWLzewFFKB3b
N4ALuNXl3pA6fJmSCfo0WCO17ilBRiliLVcGyaW9ChHEvUQXZqwUs69wFu6uluPr
AJjRXUbEiUI3/7SfKD7QjlAAHAuZ6EHO6zWej8Apc5LnDlyxOnEEgUfYaRulgevw
iAb0w5e3wA+MMjuqPdxrS9hhjQTWTzUHTm+b4kXaD++5OypI/cEwNU7iuwcYEE/i
T1WKgsDu+babpu+Izo3XjSlQIFHURB4cMyKlaNESJ+h0Rnm1l/OT+VEEWE3inWK/
UEaFoFBUxe58oqCt+f9wouIFYB5z9fbg+mlcbtnFpb29j6xUI/hJzcbmjxwlxMp8
0cgfYEea6dqyRxpkYoQKlowUtlfBx3omjieCLiAifY+WnGvmWgvd1FzC3zZ2nBFn
kjwnnaFFxI9y6pX3QnXT+MFPqxNUHyVwNwc4GJErza0WfZuUBzZZk+Dfr6ZGLLGw
FKJq2OmhI/nUES7PWGuech/UpvRrW9mJQWUnHEwyYSjCNz0pCa6UiS442pL7mutw
G3Hs8JDMCWBHsVsetYKhEsSbdIr0qGLaVKDJKdbFN9NelZTXqgp/NRegtFNNMci3
nU/3Fi8qsBf3m3aquJBZ
=RRBe
-----END PGP SIGNATURE-----