oss-sec mailing list archives

Re: Re: CVE-2014-4014: Linux kernel user namespace bug


From: Sven Kieske <S.Kieske () mittwald de>
Date: Wed, 18 Jun 2014 07:16:34 +0000

On 17.06.2014 23:47, Andy Lutomirski wrote:
> On Tue, Jun 10, 2014 at 2:49 PM, Andy Lutomirski <luto () amacapital net> wrote:
>> The internal function inode_capable was used inappropriately.
>> Depending on configuration, this may be usable to escalate privileges.
>> A cursory inspection of my Fedora box suggests that it is not
>> vulnerable to the obvious way to exploit this bug.
>>
>> The fix should appear in Linus' -master shortly, and it's tagged for
>> stable.  In the mean time, I've attached it here.
>
> The commit that fixes this is:
>
> 23adbe12ef7d3d4195e80800ab36b37bee28cd03

Do you happen to know in which kernel version
this bug got introduced?

Thanks in advance!

-- 
Kind regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Local Court Bad Oeynhausen
General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Local Court Bad Oeynhausen
