[trusty, precise/lts-trusty CVE-2014-5206/CVE-2014-5207] remounts not properly validated in user namespaces

Andy Whitcroft apw at canonical.com
Wed Aug 13 13:48:34 UTC 2014


CVE-2014-5206
 When remounting a read-only bind mount read-only in a user namespace,
 the MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged
 user to remount a read-only mount read-write.

CVE-2014-5207
 Mount flags MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime flags in
 addition to MNT_READONLY could be reset by less-privileged users when
 remounting filesystems.

These two CVEs relate to validation of remount requests on mounts in user
namespaces.  Following this email are four patches which in combination
fix these issues.  The first is the fix for CVE-2014-5206, the second a
defensive change to support the first, the third fixes CVE-2014-5207 and
the last fixes semantic fallout from the third.

Proposing for SRU to precise/lts-trusty and trusty.  Utopic is also
affected and these patches are already applied there for the next
upload.

-apw
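As an added illustration of the validation these two CVEs concern (example code written for this page, not one of the four patches the email refers to), here is a user-space model in C of the rule the fixes enforce: a remount in a user namespace may not clear a mount option that is locked on the existing mount. The bit values are constructed for the model, and the MNT_LOCK_* names other than MNT_LOCK_READONLY are assumed for illustration.

```c
/* Added example: a model of remount flag validation in user namespaces.
 * Bit values are constructed for this model, not the kernel's values. */
#include <stdbool.h>
#include <stdio.h>

#define MNT_READONLY      (1u << 0)
#define MNT_NOSUID        (1u << 1)
#define MNT_NODEV         (1u << 2)
#define MNT_NOEXEC        (1u << 3)
#define MNT_NOATIME       (1u << 4)
#define MNT_NODIRATIME    (1u << 5)
#define MNT_RELATIME      (1u << 6)
#define MNT_ATIME_MASK    (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME)

/* Lock bits: set on a mount when it is made visible to a user namespace
 * whose owner must not be able to relax that option (assumed names). */
#define MNT_LOCK_READONLY (1u << 8)
#define MNT_LOCK_NOSUID   (1u << 9)
#define MNT_LOCK_NODEV    (1u << 10)
#define MNT_LOCK_NOEXEC   (1u << 11)
#define MNT_LOCK_ATIME    (1u << 12)

/* Returns true if a remount leaving the mount with the `requested`
 * option bits is permitted on a mount currently carrying `current_flags`
 * (which includes any MNT_LOCK_* bits). A locked option may never be
 * cleared, which is exactly what the vulnerable code failed to check. */
static bool remount_permitted(unsigned current_flags, unsigned requested)
{
    /* CVE-2014-5206: a locked read-only mount must stay read-only. */
    if ((current_flags & MNT_LOCK_READONLY) && !(requested & MNT_READONLY))
        return false;
    /* CVE-2014-5207: locked nosuid/nodev/noexec must not be cleared... */
    if ((current_flags & MNT_LOCK_NOSUID) && !(requested & MNT_NOSUID))
        return false;
    if ((current_flags & MNT_LOCK_NODEV) && !(requested & MNT_NODEV))
        return false;
    if ((current_flags & MNT_LOCK_NOEXEC) && !(requested & MNT_NOEXEC))
        return false;
    /* ...and locked atime behaviour must be carried over unchanged. */
    if ((current_flags & MNT_LOCK_ATIME) &&
        (requested & MNT_ATIME_MASK) != (current_flags & MNT_ATIME_MASK))
        return false;
    return true;
}

int main(void)
{
    unsigned ro_locked = MNT_READONLY | MNT_LOCK_READONLY;
    printf("locked ro -> rw: %s\n",
           remount_permitted(ro_locked, 0) ? "allowed" : "EPERM");
    printf("locked ro -> ro: %s\n",
           remount_permitted(ro_locked, MNT_READONLY) ? "allowed" : "EPERM");
    return 0;
}
```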