CVE-2016-2853

Bug #1547400 reported by halfdog on 2016-02-19
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-armadaxp (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-flo (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-goldfish (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-quantal (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-raring (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-saucy (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-trusty (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-utopic (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-vivid (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-wily (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-lts-xenial (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-mako (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-manta (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-raspi2 (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-snapdragon (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned
linux-ti-omap4 (Ubuntu)
Low
Unassigned
Precise
Low
Unassigned
Trusty
Low
Unassigned
Wily
Low
Unassigned
Xenial
Low
Unassigned
Yakkety
Low
Unassigned

Bug Description

When aufs module is loaded with "modprobe aufs allow_userns", unprivileged user can use xattrs on the working directory or aufs mount over a fuse mount to create SUID/SGID binaries, thus escalating privileges. These errors are quite similar to those on overlayfs:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961

aufs developers have already confirmed and issued a fix:

https://sourceforge.net/p/aufs/mailman/message/34864744/

Specific reproducers can be found at:

http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
InvitedOnly AkgY8iqF

# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10

# apt-cache policy linux-image-4.2.0-27-generic
linux-image-4.2.0-27-generic:
  Installed: 4.2.0-27.32
  Candidate: 4.2.0-27.32
  Version table:
 *** 4.2.0-27.32 0
        500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
        100 /var/lib/dpkg/status

CVE References

halfdog (halfdog) on 2016-02-19
Changed in linux:
status: New → Confirmed
tags: added: kernel-da-key
Tyler Hicks (tyhicks) wrote :
information type: Private Security → Public Security
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

Note that the severity of this issue is lower than the similar issue that was discovered in overlayfs since the aufs module has to be loaded with the 'allow_userns' parameter.

Steve Beattie (sbeattie) on 2016-03-07
tags: added: kernel-cve-skip-description
Changed in linux-lts-trusty (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-wily (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux (Ubuntu Precise):
importance: Undecided → Low
Changed in linux (Ubuntu Wily):
importance: Undecided → Low
Changed in linux (Ubuntu Xenial):
importance: Medium → Low
Changed in linux (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-xenial (Ubuntu Trusty):
importance: Undecided → Low
Steve Beattie (sbeattie) on 2016-03-07
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-vivid (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Low
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → Low
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Steve Beattie (sbeattie) on 2016-04-19
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Xenial):
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Yakkety):
importance: Undecided → Low
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Low
Steve Beattie (sbeattie) on 2016-06-07
tags: added: kernel-cve-tracking-bug
summary: - aufs fails to handle sanitize xattrs in workdir, copies SUID binaries
- from no-suid fuse mounts
+ CVE-2016-2853
affects: linux → ubuntu-translations
Changed in ubuntu-translations:
status: Confirmed → New
no longer affects: ubuntu-translations

This bug was nominated against a series that is no longer supported, ie yakkety. The bug task representing the yakkety nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Yakkety):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers