[trusty, precise/lts-trusty CVE-2014-5206/CVE-2014-5207] remounts not properly validated in user namespaces
Andy Whitcroft
apw at canonical.com
Wed Aug 13 13:48:34 UTC 2014
CVE-2014-5206
When remounting a read-only bind mount read-only in a user namespace, the
MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
to then remount a read-only mount read-write.
CVE-2014-5207
Mount flags MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime flags in
addition to MNT_READONLY could be reset by less-privileged users when
remounting filesystems.
These two CVEs relate to validation of remount requests on mounts in user
namespaces. Following this email are four patches which in combination
fix these issues. The first is the fix for CVE-2014-5206, the second a
defensive change to support the first, the third fixes CVE-2014-5207 and
the last fixes semantic fallout from the third.
Proposing for SRU to precise/lts-trusty and trusty. Utopic is also
affected and these patches are already applied there for the next
upload.
-apw