ACK: [trusty, precise/lts-trusty CVE-2014-5206/CVE-2014-5207] remounts not properly validated in user namespaces
Brad Figg
brad.figg at canonical.com
Wed Aug 13 14:06:59 UTC 2014
On 08/13/2014 06:48 AM, Andy Whitcroft wrote:
> CVE-2014-5206
> Remounting a read-only bind mount read-only in a user namespace, the
> MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
> to remount a read-only mount read-write.
>
> CVE-2014-5207
> Mount flags MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime flags in
> addition to MNT_READONLY could be reset by less-privileged users when
> remounting filesystems.
>
> These two CVEs relate to validation of remount requests on mounts in user
> namespaces. Following this email are four patches which in combination
> fix these issues. The first is the fix for CVE-2014-5206, the second a
> defensive change to support the first, the third fixes CVE-2014-5207 and
> the last fixes semantic fallout from the third.
>
> Proposing for SRU to precise/lts-trusty and trusty. Utopic is also
> affected and these patches are already applied there for the next
> upload.
>
> -apw
>
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
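The remount validation the quoted description refers to, as an added illustration that is not part of this thread or of the proposed patches: a simplified model in C of the flag handling before and after the fix. The MNT_* names follow the kernel's, but the bit values and the two functions are this example's own, not kernel code.

```c
#include <errno.h>

/* Mount flag bits named after the kernel's MNT_* flags. The bit values
 * are this example's own; the kernel's constants differ. */
#define MNT_NOSUID        0x01
#define MNT_NODEV         0x02
#define MNT_NOEXEC        0x04
#define MNT_NOATIME       0x08
#define MNT_NODIRATIME    0x10
#define MNT_RELATIME      0x20
#define MNT_READONLY      0x40
#define MNT_ATIME_MASK    (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME)
#define MNT_LOCK_ATIME    0x100
#define MNT_LOCK_NOEXEC   0x200
#define MNT_LOCK_NOSUID   0x400
#define MNT_LOCK_NODEV    0x800
#define MNT_LOCK_READONLY 0x1000
/* The only flags an unprivileged remount is allowed to change. */
#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC | \
                                MNT_ATIME_MASK | MNT_READONLY)

/* Pre-fix behaviour (modelled): the remount stores the requested flags
 * wholesale, so any MNT_LOCK_* bits on the mount are silently dropped
 * and a later remount can lift the restriction (CVE-2014-5206). */
unsigned remount_unvalidated(unsigned cur, unsigned req)
{
    (void)cur;
    return req;
}

/* Fixed behaviour (modelled): only user-settable bits are taken from the
 * request, lock bits are kept, and a request that would drop a locked
 * restriction (read-only, nodev, nosuid, noexec, atime) is refused.
 * Returns 0 and writes the new flags to *out, or -EPERM. */
int remount_validated(unsigned cur, unsigned req, unsigned *out)
{
    unsigned nf = (cur & ~MNT_USER_SETTABLE_MASK) | (req & MNT_USER_SETTABLE_MASK);
    if ((cur & MNT_LOCK_READONLY) && !(nf & MNT_READONLY)) return -EPERM;
    if ((cur & MNT_LOCK_NODEV)    && !(nf & MNT_NODEV))    return -EPERM;
    if ((cur & MNT_LOCK_NOSUID)   && !(nf & MNT_NOSUID))   return -EPERM;
    if ((cur & MNT_LOCK_NOEXEC)   && !(nf & MNT_NOEXEC))   return -EPERM;
    if ((cur & MNT_LOCK_ATIME) &&
        (nf & MNT_ATIME_MASK) != (cur & MNT_ATIME_MASK))   return -EPERM;
    *out = nf;
    return 0;
}
```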