ChangeLog:
o security bugfix
  - test mnt_ns in open(2) for fuse branch, reported by halfdog.
  - copy-up resets ACL, reported by halfdog.

VCS:
commit d783b9a5cff6fa2fedc80cfe781d40cd05fb09c4
Author: J. R. Okajima <hooanon05g@gmail.com>
Date:   Tue Feb 16 04:28:09 2016 +0900

    aufs: security bugfix, copy-up resets ACL

    In ACL world, a dir can have its "default ACL" which will be applied to
    all future children. It means that the copied-up entry will have its
    original ACL (set on the lower RO branch) plus the parent dir's default
    one (set on the upper RW branch).
    This mixture may cause a security problem, and this commit resets all
    ACL in copy-up, which will prevent inheriting the ACL from its parent
    dir.

    Reported-by: halfdog <me@halfdog.net>
    Signed-off-by: J. R. Okajima <hooanon05g@gmail.com>

@security, please fix the subject so that it fits better.
VCS:
    aufs: security bugfix, test mnt_ns in open(2) for fuse branch

    Under a special condition, an executable on a malicious FUSE branch
    could escalate its privilege via aufs. In order to prevent this, here
    adds a test about mnt_ns into open(2) for FUSE branch only.
    (How can I describe the security detail before the issue will be
    opened on the coordinated release date (CRD)?)

    Reported-by: halfdog <me@halfdog.net>
    Signed-off-by: J. R. Okajima <hooanon05g@gmail.com>
commit c00d69f9133ba7cccdd27b70a9d7b817178f09e7
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Feb 19 09:48:01 2016 +0100

    sys-kernel/aufs-sources: Bump to latest aufs, genpatches and linux release

    * Drop vulnerable versions

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=575122

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c00d69f9133ba7cccdd27b70a9d7b817178f09e7

commit 37b6efdafc262d8f17f97fc4f3c96fe08fff0326
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Feb 19 09:08:51 2016 +0100

    sys-fs/aufs4: Bump to latest aufs release

    * Bump to EAPI=6
    * Bump to nextgen readme.gentoo eclass
    * Try to break lines at 80 chars

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37b6efdafc262d8f17f97fc4f3c96fe08fff0326

commit fc3670df2edeeca5e7958313230fe40e5580f630
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Feb 19 08:56:16 2016 +0100

    sys-fs/aufs4: Drop old

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc3670df2edeeca5e7958313230fe40e5580f630

commit acdb79aa45f78d7d2fe9592d7d352bdf59c2ac3e
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Feb 19 08:53:51 2016 +0100

    sys-fs/aufs3: Bump to latest aufs release

    * Bump to EAPI=6
    * Try to wrap lines at 80 chars

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acdb79aa45f78d7d2fe9592d7d352bdf59c2ac3e

commit f73da9da310d0422eb866464d413b5e02e97a7df
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Feb 19 08:48:10 2016 +0100

    sys-fs/aufs3: Drop old

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f73da9da310d0422eb866464d413b5e02e97a7df
@arches, please stabilize sys-fs/aufs3-3_p20160219
amd64 stable
x86 stable. Maintainer(s), please cleanup.
commit ac28ea95507c55d0409097fc9347fa7dc2850776
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Jul 2 18:30:13 2016 +0000

    sys-fs/aufs3: Drop vulnerable version

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=575122

    Package-Manager: portage-2.3.0
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac28ea95507c55d0409097fc9347fa7dc2850776
CVE-2016-2854 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2854):
  The aufs module for the Linux kernel 3.x and 4.x does not properly maintain
  POSIX ACL xattr data, which allows local users to gain privileges by
  leveraging a group-writable setgid directory.

CVE-2016-2853 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2853):
  The aufs module for the Linux kernel 3.x and 4.x does not properly restrict
  the mount namespace, which allows local users to gain privileges by mounting
  an aufs filesystem on top of a FUSE filesystem, and then executing a crafted
  setuid program.
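An added audit sketch, not part of the original bug report or of the aufs code: it decodes the system.posix_acl_default xattr and lists directories on an upper RW branch that carry a default ACL, flagging the group-writable setgid ones named in the CVE-2016-2854 description. The function names, the "risky" heuristic and the sample blob are constructed for illustration.

```python
import os
import stat
import struct

# On-disk layout of system.posix_acl_* xattrs: a little-endian u32 version (2)
# followed by 8-byte entries (u16 tag, u16 perm, u32 id).
ACL_VERSION = 2
TAGS = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
        0x08: "group", 0x10: "mask", 0x20: "other"}
DEFAULT_ACL = "system.posix_acl_default"

def parse_acl(blob):
    """Decode a POSIX ACL xattr value into (tag, id, 'rwx') tuples."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("truncated ACL xattr")
    (version,) = struct.unpack_from("<I", blob)
    if version != ACL_VERSION:
        raise ValueError(f"unexpected ACL version {version}")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, off)
        if tag not in TAGS:
            raise ValueError(f"unknown ACL tag {tag:#x}")
        bits = "".join(c if perm & m else "-" for c, m in zip("rwx", (4, 2, 1)))
        entries.append((TAGS[tag], ident, bits))
    return entries

def named_grants(entries):
    """Entries a child would inherit beyond plain owner/group/other bits."""
    return [e for e in entries if e[0] in ("user", "group")]

def audit_branch(root):
    """Yield (path, risky, named grants) for each dir that has a default ACL."""
    for dirpath, _dirs, _files in os.walk(root):
        try:
            blob = os.getxattr(dirpath, DEFAULT_ACL)
        except OSError:  # no default ACL here, or xattrs unsupported
            continue
        mode = os.stat(dirpath).st_mode
        # Assumption: "risky" mirrors the CVE text (group-writable + setgid).
        risky = bool(mode & stat.S_ISGID and mode & stat.S_IWGRP)
        yield dirpath, risky, named_grants(parse_acl(blob))

# Constructed sample: default ACL u::rwx, u:1001:rwx, g::r-x, m::rwx, o::r-x
SAMPLE = struct.pack("<I", 2) + b"".join(
    struct.pack("<HHI", t, p, i) for t, p, i in [
        (0x01, 7, 0xFFFFFFFF), (0x02, 7, 1001), (0x04, 5, 0xFFFFFFFF),
        (0x10, 7, 0xFFFFFFFF), (0x20, 5, 0xFFFFFFFF)])
```

Run audit_branch() against the directory used as the RW branch; it only reads xattrs and modes.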
I marked the overall bug unstable. sys-fs/aufs3 will require a GLSA considering it is stable. Thanks for all of the work, Justin. New GLSA Request filed for sys-fs/aufs3 only.
This was the first stable request for this package. As such, all previous versions are not supported by security. Apologies for the confusion. Closing.