CVE-2016-1575
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Medium | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-armadaxp (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-flo (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-goldfish (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-quantal (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-raring (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-saucy (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-trusty (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-utopic (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-vivid (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-wily (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-lts-xenial (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-mako (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-manta (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-raspi2 (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-snapdragon (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
| linux-ti-omap4 (Ubuntu) | | Medium | Unassigned | |
| Precise | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Medium | Unassigned | |
| Xenial | | Medium | Unassigned | |
| Yakkety | | Medium | Unassigned | |
Bug Description
On Ubuntu Trusty, and also on Ubuntu Wily, the following sequence allows gaining the group privileges of arbitrary groups that created directories with properties that can be found using "find / -perm -02020", e.g.
/usr/local/
/var/lib/libuuid libuuid.libuuid
/var/local root.staff
/var/mail root.mail
For Ubuntu Trusty, the following sequence can be used to reproduce the problem:
* In user/mount namespace:
rm -rf Mnt Test
mkdir Mnt Test
mount -t overlayfs -o lowerdir=
* Outside namespace
setfacl -m d:u:[your unpriv uid]:rwx Test
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidB
Test/mail/escalate ~/ReportUidGidCwd
For Ubuntu Wily:
* Inside:
mkdir Mnt Test Work
mount -t overlayfs -o lowerdir=
* Outside:
setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidB
Test/mail/escalate ~/ReportUidGidCwd
CreateSetgidBinary is from http://
See also http://
Seth Forshee (sforshee) wrote : | #1 |
Seth Forshee (sforshee) wrote : | #2 |
I did reproduce on trusty.
I tried again on wily/xenial. If I run the steps to completion I do end up with a suid/sgid escalate executable owned by ubuntu:mail, but './Test/
Seth Arnold (seth-arnold) wrote : | #3 |
You may wish to try a different end executable than the shells; I think they (all? most?) include mitigations against setuid exploits.
Thanks
halfdog (halfdog) wrote : | #4 |
I tried wily with
# apt-cache policy linux-image-
linux-image-
Installed: 4.2.0-25.30
Candidate: 4.2.0-25.30
Version table:
*** 4.2.0-25.30 0
500 http://
500 http://
100 /var/lib/
And was able to reproduce. I guess on wily /bin/sh might drop EUID for security reasons, I think bash is doing that.
Changed in linux (Ubuntu): | |
status: | New → Incomplete |
status: | Incomplete → Confirmed |
importance: | Undecided → High |
J. R. Okajima (hooanon05) wrote : | #6 |
FYI
The security bug hunter "halfdog" kindly told me that this problem can reproduce with AUFS.
I've confirmed and fixed. Here is aufs's approach hoping with a little help for overlayfs.
In copy-up, the internal sequence is
- create an entry on the upper writable layer.
- copy all the attributes from the inode on the lower readonly branch.
The essential fix is inserting vfs_removexattr
For dirs, XATTR_NAME_
But removing all ACL_ACCESS may cause another problem since some fs (for example, NFS) may want ACL which is equivalent to the permission bits. So just after removing XATTR, posix_acl_chmod() should be called.
Seth Forshee (sforshee) wrote : Re: [Bug 1534961] Re: insecure overlayfs xattrs handling in copy_up | #7 |
On Wed, Feb 17, 2016 at 06:20:57AM -0000, J. R. Okajima wrote:
> FYI
>
> The security bug hunter "halfdog" kindly told me that this problem can reproduce with AUFS.
> I've confirmed and fixed. Here is aufs's approach hoping with a little help for overlayfs.
>
> In copy-up, the internal sequence is
> - create an entry on the upper writable layer.
> - copy all the attributes from the inode on the lower readonly branch.
>
> The essential fix is inserting vfs_removexattr
> For dirs, XATTR_NAME_
> But removing all ACL_ACCESS may cause another problem since some fs (for example, NFS) may want ACL which is equivalent to the permission bits. So just after removing XATTR, posix_acl_chmod() should be called.
Does your AUFS fix do this universally? I see no reason to remove the
xattrs if the mount was done by real root.
In Ubuntu an unprivileged user is allowed to mount overlayfs in a user
namespace, and that's where we run into problems as it allows a user to
create files with privileged xattrs or sxid to another user where they
could not have done so otherwise. These patches make it so that the copy
up will fail if the mounter could not have otherwise created the file in
upperdir with those attrs/xattrs.
Your approach is less extreme, but I have a few concerns. First, it
works for xattrs but not for sxid or seemingly for file capabilities
(though I assume it could be extended to do so). Second (and somewhat
related), there are more privileged xattrs than just ACLs (e.g.
trusted.* or security.* for some LSMs) and so it would appear that it
should be extended to filter those as well, but that seems to be
redundant with other checks in the kernel. And finally, this seems to be
inconsistent with standard behavior where setxid/setcap is cleared on
write and not on open.
This is CVE-2016-1575
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package linux - 4.2.0-30.35
---------------
linux (4.2.0-30.35) wily; urgency=low
[ Seth Forshee ]
* SAUCE: cred: Add clone_cred() interface
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Use mounter's credentials instead of selectively
raising caps
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
xattrs
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Be more careful about copying up sxid files
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
linux (4.2.0-29.34) wily; urgency=low
[ Luis Henriques ]
* Release Tracking Bug
- LP: #1543167
[ Brad Figg ]
* Revert "SAUCE: apparmor: fix sleep from invalid context"
- LP: #1542049
[ Upstream Kernel Changes ]
* Revert "af_unix: Revert 'lock_interrupt
- LP: #1540731
linux (4.2.0-28.33) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1540634
[ Brad Figg ]
* CONFIG: CONFIG_
[ J. R. Okajima ]
* SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
- LP: #1533043
* SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
- LP: #1533043
[ John Johansen ]
* SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
being shutdown
- LP: #1446906
* SAUCE: apparmor: fix sleep from invalid context
- LP: #1539349
[ Tim Gardner ]
* [Config] Add pvpanic to virtual flavour
- LP: #1537923
[ Upstream Kernel Changes ]
* Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
- LP: #1540532
* tools: Add a "make all" rule
- LP: #1536370
* vf610_adc: Fix internal temperature calculation
- LP: #1536370
* iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
- LP: #1536370
* iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
- LP: #1536370
* iio: ad5064: Fix ad5629/ad5669 shift
- LP: #1536370
* iio:ad7793: Fix ad7785 product ID
- LP: #1536370
* iio: adc: vf610_adc: Fix division by zero error
- LP: #1536370
* mmc: mmc: Improve reliability of mmc_select_hs200()
- LP: #1536370
* mmc: mmc: Fix HS setting in mmc_select_hs400()
- LP: #1536370
* mmc: mmc: Move mmc_switch_status()
- LP: #1536370
* mmc: mmc: Improve reliability of mmc_select_hs400()
- LP: #1536370
* crypto: qat - don't use userspace pointer
- LP: #1536370
* iio: si7020: Swap data byte order
- LP: #1536370
* iio: adc: xilinx: Fix VREFN scale
- LP: #1536370
* ipmi: Start the timer and thread on internal msgs
- LP: #1536370
* drm/i915: quirk backlight present on Macbook 4, 1
- LP: #1536370
* drm/i915: get runtime PM reference around GEM set_caching IOCTL
- LP: #1536370
* drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
- LP: #1536370
*...
Changed in linux (Ubuntu Wily): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package linux - 3.19.0-51.57
---------------
linux (3.19.0-51.57) vivid; urgency=low
[ Seth Forshee ]
* SAUCE: cred: Add clone_cred() interface
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Use mounter's credentials instead of selectively
raising caps
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
xattrs
- LP: #1531747, #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Be more careful about copying up sxid files
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
linux (3.19.0-50.56) vivid; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1540576
[ J. R. Okajima ]
* SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
- LP: #1533043
* SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
- LP: #1533043
[ John Johansen ]
* SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
being shutdown
- LP: #1446906
[ Upstream Kernel Changes ]
* drivers/
ppc64
- LP: #1463654
* sched/wait: Fix signal handling in bit wait helpers
- LP: #1537859
* sched/wait: Fix the signal handling fix
- LP: #1537859
* ARC: Fix silly typo in MAINTAINERS file
- LP: #1537859
* ip6mr: call del_timer_sync() in ip6mr_free_table()
- LP: #1537859
* gre6: allow to update all parameters via rtnl
- LP: #1537859
* atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
- LP: #1537859
* sctp: use the same clock as if sock source timestamps were on
- LP: #1537859
* sctp: update the netstamp_needed counter when copying sockets
- LP: #1537859
* sctp: also copy sk_tsflags when copying the socket
- LP: #1537859
* net: qca_spi: fix transmit queue timeout handling
- LP: #1537859
* ipv6: sctp: clone options to avoid use after free
- LP: #1537859
* net: add validation for the socket syscall protocol argument
- LP: #1537859
* sh_eth: fix kernel oops in skb_put()
- LP: #1537859
* net: fix IP early demux races
- LP: #1537859
* vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
- LP: #1537859
* skbuff: Fix offset error in skb_reorder_
- LP: #1537859
* pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
- LP: #1537859
* bluetooth: Validate socket address length in sco_sock_bind().
- LP: #1537859
* fou: clean up socket with kfree_rcu
- LP: #1537859
* af_unix: Revert 'lock_interrupt
- LP: #1537859
* KEYS: Fix race between read and revoke
- LP: #1537859
* tools: Add a "make all" rule
- LP: #1537859
* efi: Disable interrupts around EFI calls, not in the epilog/prolog
calls
- LP: #1537859
* fuse: break infinite loop in fuse_fill_
- LP: #1537859
* usb: gadget: pxa2...
Changed in linux (Ubuntu Vivid): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package linux - 3.13.0-79.123
---------------
linux (3.13.0-79.123) trusty; urgency=low
[ Seth Forshee ]
* SAUCE: cred: Add clone_cred() interface
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Use mounter's credentials instead of full kernel
credentials
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
xattrs
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Be more careful about copying up sxid files
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
* SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
- LP: #1534961, #1535150
- CVE-2016-1575 CVE-2016-1576
linux (3.13.0-78.122) trusty; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1540559
[ Eric Dumazet ]
* SAUCE: (no-up) udp: properly support MSG_PEEK with truncated buffers
- LP: #1527902
[ J. R. Okajima ]
* SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
- LP: #1533043
* SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
- LP: #1533043
[ Upstream Kernel Changes ]
* Revert "[stable-only] net: add length argument to
skb_
- LP: #1538756
* unregister_
- LP: #1525324
* rtnetlink: delay RTM_DELLINK notification until after ndo_uninit()
- LP: #1525324
* Drivers: hv: Eliminate the channel spinlock in the callback path
- LP: #1519897
* Drivers: hv: vmbus: Implement per-CPU mapping of relid to channel
- LP: #1519897
* Drivers: hv: vmbus: Suport an API to send pagebuffers with additional
control
- LP: #1519897
* Drivers: hv: vmbus: Suport an API to send packet with additional
control
- LP: #1519897
* Drivers: hv: vmbus: Export the vmbus_sendpacke
- LP: #1519897
* Drivers: hv: vmbus: Fix a siganlling host signalling issue
- LP: #1519897
* Drivers: hv: vmbus: Fix a Host signaling bug
- LP: #1519897
* ARC: Fix silly typo in MAINTAINERS file
- LP: #1538756
* ip6mr: call del_timer_sync() in ip6mr_free_table()
- LP: #1538756
* gre6: allow to update all parameters via rtnl
- LP: #1538756
* atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
- LP: #1538756
* sctp: use the same clock as if sock source timestamps were on
- LP: #1538756
* sctp: update the netstamp_needed counter when copying sockets
- LP: #1538756
* ipv6: sctp: clone options to avoid use after free
- LP: #1538756
* net: add validation for the socket syscall protocol argument
- LP: #1538756
* sh_eth: fix kernel oops in skb_put()
- LP: #1538756
* pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
- LP: #1538756
* bluetooth: Validate socket address length in sco_sock_bind().
- LP: #1538756
* af_unix: Revert 'lock_interrupt
- LP: #1538756
* KEYS: Fix race between read and revoke
- LP: #1538756
* tools: Add a "make all" rule
- LP: #1538...
Changed in linux (Ubuntu Trusty): | |
status: | New → Fix Released |
information type: | Private Security → Public Security |
tags: | added: kernel-cve-skip-description |
Changed in linux-lts-trusty (Ubuntu Precise): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Xenial): | |
importance: | High → Medium |
Changed in linux (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Wily): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Launchpad Janitor (janitor) wrote : | #12 |
This bug was fixed in the package linux - 4.4.0-8.23
---------------
linux (4.4.0-8.23) xenial; urgency=low
* cgroup namespace mounts broken in containers (LP: #1549398)
- SAUCE: kernfs: Always set super block owner to init_user_ns
* 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
- arm64: mm: avoid calling apply_to_page_range on empty range
- UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range
* kernel install failed /bin/cp: cannot stat ‘/boot/
- [Config] postinst -- handle recreating symlinks when a real file is present
* insecure overlayfs xattrs handling in copy_up (LP: #1534961)
- SAUCE: cred: Add clone_cred() interface
- SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
- SAUCE: overlayfs: Be more careful about copying up sxid files
- SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
* overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
- SAUCE: cred: Add clone_cred() interface
- SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
- SAUCE: overlayfs: Be more careful about copying up sxid files
- SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
* overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
- SAUCE: cred: Add clone_cred() interface
- SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
* Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
- net: bulk free infrastructure for NAPI context, use napi_consume_skb
- net: Add eth_platform_
- i40e: Add mac_filter_element at the end of the list instead of HEAD
- i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
- i40e: Replace X722 mac check in ethtool get_settings
- i40evf: allow channel bonding of VFs
- i40e: define function capabilities in only one place
- i40evf: null out ring pointers on free
- i40e: Cleanup the code with respect to restarting autoneg
- i40e: update features with right offload
- i40e: bump version to 1.4.10
- i40e: add new device IDs for X722
- i40e: Extend ethtool RSS hooks for X722
- i40e/i40evf: Fix for UDP/TCP RSS for X722
- i40evf: add new write-back mode
- i40e/i40evf: Use private workqueue
- i40e: add new proxy-wol bit for X722
- i40e: Limit DCB FW version checks to X710/XL710 devices
- i40e: AQ Add Run PHY Activity struct
- i40e: AQ Geneve cloud tunnel type
- i40e: AQ Add external power class to get link status
- i40e: add 100Mb ethtool reporting
- ixgbe: bulk free SKBs during TX completion cleanup cycle
- igb: Remove unnecessary flag setting in igb_set_
- igb: Unpair the queues when changing the number of queues...
Changed in linux (Ubuntu Xenial): | |
status: | Confirmed → Fix Released |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-raspi2 (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-manta (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-snapdragon (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Yakkety): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
tags: | added: kernel-cve-tracking-bug |
Changed in linux (Ubuntu Vivid): | |
importance: | Undecided → Medium |
summary: |
- insecure overlayfs xattrs handling in copy_up + CVE-2016-1575 |
Changed in linux (Ubuntu Yakkety): | |
status: | Fix Released → Invalid |
Changed in linux (Ubuntu Yakkety): | |
status: | Invalid → Fix Committed |
Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package linux - 4.8.0-11.12
---------------
linux (4.8.0-11.12) yakkety; urgency=low
* change_hat is logging failures during expected hat probing (LP: #1615893)
- SAUCE: apparmor: Fix auditing behavior for change_hat probing
* deleted files outside of the namespace are not being treated as
disconnected
(LP: #1615892)
- SAUCE: apparmor: deleted dentries can be disconnected
* stacking to unconfined in a child namespace confuses mediation
(LP: #1615890)
- SAUCE: apparmor: special case unconfined when determining the mode
* apparmor module parameters can be changed after the policy is locked
(LP: #1615895)
- SAUCE: apparmor: fix: parameters can be changed after policy is locked
* AppArmor profile reloading causes an intermittent kernel BUG (LP:
#1579135)
- SAUCE: apparmor: fix vec_unique for vectors larger than 8
* label vec reductions can result in reference labels instead of direct
access
to labels (LP: #1615889)
- SAUCE: apparmor: reduction of vec to single entry is just that entry
* profiles from different namespaces can block other namespaces from being
able to load a profile (LP: #1615887)
- SAUCE: apparmor: profiles in one ns can affect mediation in another ns
* The label build for onexec when stacking is wrong (LP: #1615881)
- SAUCE: apparmor: Fix label build for onexec stacking.
* The inherit check for new to old label comparison for domain transitions
is
wrong (LP: #1615880)
- SAUCE: apparmor: Fix new to old label comparison for domain transitions
* warning stack trace while playing with apparmor namespaces (LP: #1593874)
- SAUCE: apparmor: fix stack trace when removing namespace with profiles
* __label_update proxy comparison test is wrong (LP: #1615878)
- SAUCE: apparmor: Fix __label_update proxy comparison test
* reading /sys/kernel/
(LP: #1560583)
- SAUCE: apparmor: Allow ns_root processes to open profiles file
- SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
* policy namespace stacking (LP: #1379535)
- SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
- SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
* Miscellaneous Ubuntu changes
- [Debian] Dynamically determine linux udebs package name
- [Debian] d-i -- fix dtb handling in new kernel-wedge form
- SAUCE: apparmor: Fix FTBFS due to bad include path
- SAUCE: apparmor: add data query support
- [Config] Set CONFIG_
* Miscellaneous upstream changes
- fixup backout policy view capable for forward port
- apparmor: fix: Rework the iter loop for label_update
- apparmor: add more assertions for updates/merges to help catch errors
- apparmor: Make pivot root transitions work with stacking
- apparmor: convert delegating deleted files to mediate deleted files
- apparmor: add missing parens. not a bug fix but highly recommended
- apparmor: add a stack_version file to allow detection of bug fixes
- apparmor: push path looku...
Changed in linux (Ubuntu Yakkety): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package linux-raspi2 - 4.10.0-1001.3
---------------
linux-raspi2 (4.10.0-1001.3) zesty; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1673826
* Rebased against Ubuntu-4.10.0-14.16
* Updated BSP from https:/
to commit 8703162f0a3d04c
* msleep() bug causes Nuvoton I2C TPM device driver delays (LP: #1667567)
- tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
- SAUCE: tpm: add sleep only for retry in i2c_nuvoton_
* C++ demangling support missing from perf (LP: #1396654)
- [Config] added binutils-dev to Build-deps
* dm-queue-length module is not included in installer/initramfs (LP: #1673350)
- [Config] d-i: Also add dm-queue-length to multipath modules
* move aufs.ko from -extra to linux-image package (LP: #1673498)
- [config] aufs.ko moved to linux-image package
* Using an NVMe drive causes huge power drain (LP: #1664602)
- nvme: Add a quirk mechanism that uses identify_ctrl
- nvme: Enable autonomous power state transitions
* Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
- Bluetooth: btbcm: Add a delay for module reset
* Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
- Bluetooth: btusb: Add support for 413c:8143
* Zesty update to v4.10.3 stable release (LP: #1673118)
- serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
- KVM: s390: Disable dirty log retrieval for UCONTROL guests
- KVM: VMX: use correct vmcs_read/write for guest segment selector/base
- Bluetooth: Add another AR3012 04ca:3018 device
- phy: qcom-ufs: Don't kfree devres resource
- phy: qcom-ufs: Fix misplaced jump label
- s390/qdio: clear DSCI prior to scanning multiple input queues
- s390/dcssblk: fix device size calculation in dcssblk_
- s390/kdump: Use "LINUX" ELF note name instead of "CORE"
- s390/chsc: Add exception handler for CHSC instruction
- s390: TASK_SIZE for kernel threads
- s390/topology: correct allocation of topology information
- s390: make setup_randomness work
- s390: use correct input data address for setup_randomness
- net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
- cxl: Prevent read/write to AFU config space while AFU not configured
- cxl: fix nested locking hang during EEH hotplug
- brcmfmac: fix incorrect event channel deduction
- mnt: Tuck mounts under others instead of creating shadow/side mounts.
- IB/ipoib: Fix deadlock between rmmod and set_mode
- IB/IPoIB: Add destination address when re-queue packet
- IB/mlx5: Fix out-of-bound access
- IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS
- IB/srp: Avoid that duplicate responses trigger a kernel bug
- IB/srp: Fix race conditions related to task management
- Btrfs: fix data loss after truncate when using the no-holes feature
- orangefs: Use RCU for destroy_inode
- memory/atmel-ebi: Fix ns <-> cycles conversions
- tracing: Fix return value check in trace_benchmark
- ktest: Fix child exi...
Changed in linux-raspi2 (Ubuntu): | |
status: | Invalid → Fix Released |
This bug was nominated against a series that is no longer supported, ie vivid. The bug task representing the vivid nomination is being closed as Won't Fix.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.
Changed in linux-armadaxp (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-flo (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-goldfish (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-quantal (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-trusty (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-utopic (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-vivid (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-wily (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-raspi2 (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-ti-omap4 (Ubuntu Vivid): | |
status: | New → Won't Fix |
I've tried reproducing this in up-to-date wily and xenial without success. I get to the "chmod 02777 Mnt/mail" step and get EPERM. Perhaps this was fixed by the same commit which fixed the other setattr-related CVE?
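Added example (not part of the original bug report and not Ubuntu tooling): a Python check that compares the "Installed:" version from `apt-cache policy` output, as shown in comment #4, against the fixed `linux` package versions reported in the Launchpad Janitor comments above. The sample policy output and the package name in it are constructed; a series with no fixed version on this page, or a kernel whose upstream base differs from that series' fixed version, is reported as unknown rather than guessed.

```python
import re

# First fixed version of the "linux" source package per series, taken from
# the Launchpad Janitor comments on this page.
FIXED_IN = {
    "trusty": "3.13.0-79.123",
    "vivid": "3.19.0-51.57",
    "wily": "4.2.0-30.35",
    "xenial": "4.4.0-8.23",
    "yakkety": "4.8.0-11.12",
}

# Ubuntu kernel package versions look like UPSTREAM-ABI.UPLOAD,
# e.g. 4.2.0-30.35. Anything after that (backport suffixes) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_kernel_version(version):
    """Return (major, minor, patch, abi, upload) as ints."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError("unrecognised kernel package version: %r" % version)
    return tuple(int(part) for part in match.groups())


def installed_from_policy(policy_output):
    """Extract the 'Installed:' version from `apt-cache policy` output."""
    for line in policy_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Installed":
            value = value.strip()
            if value and value != "(none)":
                return value
    return None


def check(series, policy_output):
    """Classify a host as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' covers: a series with no fixed version on this page, no
    installed kernel package, an unparsable version, or a kernel whose
    upstream base (e.g. 4.2.0 on trusty via a backport kernel) does not
    match the series' own fixed version and so cannot be compared.
    """
    fixed = FIXED_IN.get(series.lower())
    installed = installed_from_policy(policy_output)
    if fixed is None or installed is None:
        return "unknown"
    try:
        have = parse_kernel_version(installed)
    except ValueError:
        return "unknown"
    want = parse_kernel_version(fixed)
    if have[:3] != want[:3]:
        return "unknown"
    return "fixed" if have >= want else "vulnerable"


# Constructed sample: the package name is a placeholder; the version lines
# mirror the ones quoted in comment #4.
SAMPLE_POLICY = """\
linux-image-EXAMPLE:
  Installed: 4.2.0-25.30
  Candidate: 4.2.0-25.30
  Version table:
 *** 4.2.0-25.30 0
"""

if __name__ == "__main__":
    print("wily sample:", check("wily", SAMPLE_POLICY))
```

Feed it the policy output of the running kernel image package; the `uname -r` string omits the upload number and is not sufficient for this comparison.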