oss-sec mailing list archives
CVE-2014-4014: Linux kernel user namespace bug
From: Andy Lutomirski <luto () amacapital net>
Date: Tue, 10 Jun 2014 14:49:03 -0700
The internal function inode_capable was used inappropriately. Depending on configuration, this may be usable to escalate privileges. A cursory inspection of my Fedora box suggests that it is not vulnerable to the obvious way to exploit this bug. The fix should appear in Linus' -master shortly, and it's tagged for stable. In the mean time, I've attached it here. I'll follow up in a day or two with a description of the actual bug, or one of you can try to beat me to it. --Andy
Attachment:
0001-fs-userns-Change-inode_capable-to-capable_wrt_inode_.patch
Description:
Current thread:
- CVE-2014-4014: Linux kernel user namespace bug Andy Lutomirski (Jun 10)
- Re: CVE-2014-4014: Linux kernel user namespace bug Andy Lutomirski (Jun 17)
- Re: Re: CVE-2014-4014: Linux kernel user namespace bug Sven Kieske (Jun 18)
- Re: CVE-2014-4014: Linux kernel user namespace bug Andy Lutomirski (Jun 23)
- Re: Re: CVE-2014-4014: Linux kernel user namespace bug Sven Kieske (Jun 18)
- Re: CVE-2014-4014: Linux kernel user namespace bug Andy Lutomirski (Jun 17)