Re: Re: Summary of security bugs (now fixed) in user namespaces

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/15/2013 04:45 PM, Andy Lutomirski wrote:
> On Mon, Apr 15, 2013 at 3:34 PM, Brian Martin 
> <brian () opensecurityfoundation org> wrote:
> > Andy;
> >
> > : I previously reported these bugs privatley.  I'm summarizing
> > them for
> >
> > : the historical record.  These bugs were never exploitable on a 
> > : default-configured released kernel, but some 3.8 versions are :
> > vulnerable depending on configuration.
> >
> > Do you know if these were patched, and therefore possibly
> > disclosed via the commits? With these details, it is difficult to
> > line them up to existing reports.
>
> Bug 1 should be fixed in:
>
> commit 3151527ee007b73a0ebd296010f1c0454a919c7d Author: Eric W.
> Biederman <ebiederm () xmission com> Date:   Fri Mar 15 01:45:51 2013
> -0700
>
> userns:  Don't allow creation if the user is chrooted

Can you confirm this has no CVE?

> Bug 2 is should be fixed by these:
>
> commit 90563b198e4c6674c63672fae1923da467215f45 Author: Eric W.
> Biederman <ebiederm () xmission com> Date:   Fri Mar 22 03:10:15 2013
> -0700
>
> vfs: Add a mount flag to lock read only bind mounts
>
> commit 132c94e31b8bca8ea921f9f96a57d684fa4ae0a9 Author: Eric W.
> Biederman <ebiederm () xmission com> Date:   Fri Mar 22 04:08:05 2013
> -0700
>
> vfs: Carefully propogate mounts across user namespaces

Can you confirm this has no CVE?

> Bug 3 should be fixed in:
>
> commit 92f28d973cce45ef5823209aab3138eb45d8b349 Author: Eric W.
> Biederman <ebiederm () xmission com> Date:   Fri Mar 15 01:03:33 2013
> -0700
>
> scm: Require CAP_SYS_ADMIN over the current pidns to spoof pids.

Can you confirm this has no CVE?

> Bug 4 isn't yet public... (it's unpatched so far and it's
> considerably more severe than any of these).
>
> --Andy

Sorry bug #4? not public yet I assume means no details publicly
officially? I can't do a CVE with no details (you can ask for one from
me privately).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRbRNvAAoJEBYNRVNeJnmTPPMQALMGm16U5aHQFSTXUCQWy7SX
+2qX+Y3TjiLqt/QN5s/nzMQf9Oj4VRjY2iyXSgX7achWDQn8tN8YOdN/ySeUaXmx
4ZIzn+0IzRTsLPiCVLce9dWIO/jIPgmwKVYfk/uWjONq6kjA1CudQg0AxXrzEbKo
SadbekIdouxJWzTBnnvTuxFVFLv6JhAPrJjllv5mXcfOhWSSPOoXr88M9OIEPWPc
+2r/diOmJPirQbixwMOCk6AoWQmqAk8s7yrQ4HXI4cgWlaSNHoIFVCVL4hODuxYy
RdfPOVQQGfIOmJY/qSUEidhSpXMix9iNwGO7B9QQ3WtCU4DrKxKxm3Pgt0YDy6pi
OWpNxb7xtGl2O5SvxzkAvDcOXKrYs3nYS3T7d8E92pyhj8E9EJNfoORGSJZjFM2C
/8VobBGBVDGSxOLiMKNbXdGnd6sxdvuzHs2c9JvdbCp4zIxYaBA6o8Envue+htMS
4toQuDrXUm7Xi9oeckokMZIJwA89S36Q0BlJ2uvOlN1FvrxH1r7jZ15O4xPfiaZT
btdMecpHxbfJ0AxAzXUKHut+qWtPlvuPtwbMTgAicmjEVwSocz1qyup0L+hXzfXG
GsNP5gRk2Rnpa0fvVPNof2CKCXYnwUKgsZTBHCxJzR7xqwOZBKX8wBxKfjbB1OWw
Sl0m7dyNR3NcUvCL0LOm
=QIkR
-----END PGP SIGNATURE-----