CVE-2016-2853

Bug #1547400 reported by halfdog
This bug affects 1 person
Status of each affected package, overall and per series nomination. Every task listed has Importance "Low" and Assigned to "Unassigned"; no Milestone is set.

| Affects | Status | Precise | Trusty | Wily | Xenial | Yakkety |
|---|---|---|---|---|---|---|
| linux (Ubuntu) | Confirmed | Won't Fix | New | New | Confirmed | Won't Fix |
| linux-armadaxp (Ubuntu) | Invalid | Won't Fix | Invalid | Invalid | Invalid | Invalid |
| linux-flo (Ubuntu) | New | Invalid | Invalid | New | New | New |
| linux-goldfish (Ubuntu) | New | Invalid | Invalid | New | New | New |
| linux-lts-quantal (Ubuntu) | Invalid | Invalid | Invalid | Invalid | Invalid | Invalid |
| linux-lts-raring (Ubuntu) | Invalid | Invalid | Invalid | Invalid | Invalid | Invalid |
| linux-lts-saucy (Ubuntu) | Invalid | Invalid | Invalid | Invalid | Invalid | Invalid |
| linux-lts-trusty (Ubuntu) | Invalid | Won't Fix | Invalid | Invalid | Invalid | Invalid |
| linux-lts-utopic (Ubuntu) | Invalid | Invalid | New | Invalid | Invalid | Invalid |
| linux-lts-vivid (Ubuntu) | Invalid | Invalid | New | Invalid | Invalid | Invalid |
| linux-lts-wily (Ubuntu) | Invalid | Invalid | New | Invalid | Invalid | Invalid |
| linux-lts-xenial (Ubuntu) | Invalid | Invalid | New | Invalid | Invalid | Invalid |
| linux-mako (Ubuntu) | New | Invalid | Invalid | New | New | New |
| linux-manta (Ubuntu) | Invalid | Invalid | Invalid | New | Invalid | Invalid |
| linux-raspi2 (Ubuntu) | New | Invalid | Invalid | New | New | New |
| linux-snapdragon (Ubuntu) | New | Invalid | Invalid | Invalid | New | New |
| linux-ti-omap4 (Ubuntu) | Invalid | Won't Fix | Invalid | Invalid | Invalid | Invalid |

Bug Description

When the aufs module is loaded with "modprobe aufs allow_userns", an unprivileged user can use xattrs on the working directory or an aufs mount over a fuse mount to create SUID/SGID binaries, thus escalating privileges. These errors are quite similar to those on overlayfs:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961

aufs developers have already confirmed and issued a fix:

https://sourceforge.net/p/aufs/mailman/message/34864744/

Specific reproducers can be found at:

http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
InvitedOnly AkgY8iqF

# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10

# apt-cache policy linux-image-4.2.0-27-generic
linux-image-4.2.0-27-generic:
  Installed: 4.2.0-27.32
  Candidate: 4.2.0-27.32
  Version table:
 *** 4.2.0-27.32 0
        500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
        100 /var/lib/dpkg/status


halfdog (halfdog)
Changed in linux:
status: New → Confirmed
tags: added: kernel-da-key
Tyler Hicks (tyhicks) wrote :
information type: Private Security → Public Security
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

Note that the severity of this issue is lower than the similar issue that was discovered in overlayfs since the aufs module has to be loaded with the 'allow_userns' parameter.
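
A defender-side check for the precondition noted in the comment above, added here as an example and not taken from the bug report or the aufs project: it reports whether aufs is currently loaded with allow_userns enabled and whether modprobe configuration would enable it at the next load. The sysfs path /sys/module/aufs/parameters/allow_userns, the function names and the optional root-prefix argument (for auditing a mounted image) are assumptions.

```shell
#!/bin/sh
# Audit the precondition for this bug: aufs loaded with allow_userns.
# Optional first argument: root prefix of the tree to inspect (default: live system).

# Prints "enabled", "disabled" or "not-loaded" for the loaded module.
aufs_runtime_state() {
    root="${1:-}"
    # Assumption: aufs exposes the parameter read-only at this sysfs path.
    param="$root/sys/module/aufs/parameters/allow_userns"
    if [ ! -d "$root/sys/module/aufs" ]; then
        echo "not-loaded"
    elif [ -r "$param" ] && grep -qE '^(Y|y|1)' "$param"; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Prints modprobe config lines that turn the parameter on at the next load.
# A bare "allow_userns" counts as enabled, as in "modprobe aufs allow_userns".
aufs_persistent_config() {
    root="${1:-}"
    pat='^[[:space:]]*options[[:space:]]+aufs[[:space:]].*allow_userns(=[Yy1]|[[:space:]]|$)'
    for dir in "$root/etc/modprobe.d" "$root/lib/modprobe.d" "$root/run/modprobe.d"; do
        [ -d "$dir" ] || continue
        grep -HnE "$pat" "$dir"/*.conf 2>/dev/null || true
    done
    return 0
}

# Returns 0 when the precondition is absent, 1 when it is present or configured.
audit_aufs_userns() {
    root="${1:-}"
    state=$(aufs_runtime_state "$root")
    conf=$(aufs_persistent_config "$root")
    echo "aufs runtime allow_userns: $state"
    [ -n "$conf" ] && echo "modprobe configuration enabling it:" && echo "$conf"
    [ "$state" != "enabled" ] && [ -z "$conf" ]
}

audit_aufs_userns "${AUDIT_ROOT:-}" || echo "action needed: remove allow_userns or apply the aufs fix"
```
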

Steve Beattie (sbeattie)
tags: added: kernel-cve-skip-description
Changed in linux-lts-trusty (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux (Ubuntu Precise):
importance: Undecided → Low
Changed in linux (Ubuntu Wily):
importance: Undecided → Low
Changed in linux (Ubuntu Xenial):
importance: Medium → Low
Changed in linux (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Trusty):
importance: Undecided → Low
Steve Beattie (sbeattie)
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Steve Beattie (sbeattie)
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Yakkety):
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Steve Beattie (sbeattie)
tags: added: kernel-cve-tracking-bug
Mathew Hodson (mhodson)
summary: - aufs fails to handle sanitize xattrs in workdir, copies SUID binaries
- from no-suid fuse mounts
+ CVE-2016-2853
affects: linux → ubuntu-translations
Changed in ubuntu-translations:
status: Confirmed → New
no longer affects: ubuntu-translations
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, i.e. yakkety. The bug task representing the yakkety nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Yakkety):
status: Confirmed → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in linux (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.