APPLIED: [PATCH 0/1][C/D] CVE-2018-6559 - Filename information disclosure in overlayfs
Stefan Bader
stefan.bader at canonical.com
Thu Nov 8 11:47:18 UTC 2018
On 19.10.18 18:44, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6559.html
> https://launchpad.net/bugs/1793458/
>
> The overlayfs implementation in the linux (aka Linux kernel) package in Ubuntu
> did not properly check permissions for read operations on directories in the
> lower filesystem directory, which allows local users to obtain names of files
> which they would not normally be able to access by performing an overlayfs
> mount inside of a user namespace.
>
> I've tested this change with a QRT regression test that I wrote as well as the
> unionmount-testsuite:
>
> https://github.com/amir73il/unionmount-testsuite.git
>
> This issue is related to a portion of CVE-2015-1328 that was reintroduced into
> the Ubuntu kernel. This bug comment describes the situation:
>
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1793458/comments/4
>
> As mentioned above, I wrote a QRT test for this issue so that we don't
> accidentally drop our SAUCE patch in the future.
>
> Tyler
>
>
Applied to cosmic/master-next. Thanks.
-Stefan