oss-sec mailing list archives
Re: CVE Request: ro bind mount bypass using user namespaces
From: Yves-Alexis Perez <corsac () debian org>
Date: Wed, 13 Aug 2014 17:35:23 +0200
On Tue, Aug 12, 2014 at 02:48:28PM -0700, Kenton Varda wrote:
Due to a bug in the Linux kernel's implementation of remount, on systems with unprivileged user namespaces enabled, it is possible for an unprivileged user to gain write access to any visible read-only bind mount. It is also possible to bypass flags like nodev, nosuid, and noexec.
So that means running with both USER_NS=y and kernel.unprivileged_userns_clone=1? Regards, -- Yves-Alexis
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- CVE Request: ro bind mount bypass using user namespaces Kenton Varda (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces cve-assign (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Kenton Varda (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Yves-Alexis Perez (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Sven Kieske (Aug 13)
- <Possible follow-ups>
- Re: CVE Request: ro bind mount bypass using user namespaces Vitaly Nikolenko (Aug 14)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)