Re: AW: CVE Request: Linux kernel: privilege escalation in user namespaces

[Marc Deslauriers <marc.deslauriers () canonical com>]

Hi,

On 2015-12-18 03:54 AM, Fiedler Roman wrote:
> Hi,
>
> > Von: John Johansen [mailto:john.johansen () canonical com]
> > Betreff: [oss-security] CVE Request: Linux kernel: privilege escalation in 
> > user
> > namespaces
> >
> > Hi,
> >
> > I haven't seen CVE request for this one yet so,
> >
> > Jann Horn reported a privilege escalation in user namespaces to the lkml
> > mailing list
> >
> > https://lkml.org/lkml/2015/12/12/259
> >
> > if a root-owned process wants to enter a user namespace for some reason
> > without knowing who owns it and therefore can't change to the namespace
> > owner's uid and gid before entering, as soon as it has entered the
> > namespace, the namespace owner can attach to it via ptrace and thereby
> > gain access to its uid and gid.
>
> Could it be, that this is identical to
>
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050
>
> which led to
>
> https://bugs.launchpad.net/bugs/cve/2015-1334
>
> except, that combined with another timerace, this gives host uid 0 escalation 
> no matter how the target namespace looks like or target uid is known or not?
>
> The bug is marked as fixed, but looking at it, the very similar kernel issue 
> seems not be addressed and it is also still marked "private security" although 
> fix was released.
>
> I could ask Ubuntu Security if we should make that bug public or perhaps could 
> add accounts to the list of authorized users when told the Launchpad user name 
> to add.

I've just made the bug public. It was an oversight that we hadn't made it public
once the fix got released.

Marc.