Re: Summary of security bugs (now fixed) in user namespaces

[Andy Lutomirski <luto () amacapital net>]

On Mon, Apr 15, 2013 at 3:34 PM, Brian Martin
<brian () opensecurityfoundation org> wrote:
> Andy;
>
> : I previously reported these bugs privatley.  I'm summarizing them for
>
> : the historical record.  These bugs were never exploitable on a
> : default-configured released kernel, but some 3.8 versions are
> : vulnerable depending on configuration.
>
> Do you know if these were patched, and therefore possibly disclosed via the
> commits? With these details, it is difficult to line them up to existing
> reports.

Bug 1 should be fixed in:

commit 3151527ee007b73a0ebd296010f1c0454a919c7d
Author: Eric W. Biederman <ebiederm () xmission com>
Date:   Fri Mar 15 01:45:51 2013 -0700

    userns:  Don't allow creation if the user is chrooted

Bug 2 is should be fixed by these:

commit 90563b198e4c6674c63672fae1923da467215f45
Author: Eric W. Biederman <ebiederm () xmission com>
Date:   Fri Mar 22 03:10:15 2013 -0700

    vfs: Add a mount flag to lock read only bind mounts

commit 132c94e31b8bca8ea921f9f96a57d684fa4ae0a9
Author: Eric W. Biederman <ebiederm () xmission com>
Date:   Fri Mar 22 04:08:05 2013 -0700

    vfs: Carefully propogate mounts across user namespaces

Bug 3 should be fixed in:

commit 92f28d973cce45ef5823209aab3138eb45d8b349
Author: Eric W. Biederman <ebiederm () xmission com>
Date:   Fri Mar 15 01:03:33 2013 -0700

    scm: Require CAP_SYS_ADMIN over the current pidns to spoof pids.

Bug 4 isn't yet public... (it's unpatched so far and it's considerably
more severe than any of these).

--Andy