Bug 462172 (CVE-2013-1858)

Summary:	Kernel : CLONE_NEWUSER \| CLONE_FS chroot exploit (CVE-2013-1858)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Kernel	Assignee:	Gentoo Kernel Security <security-kernel>
Status:	RESOLVED FIXED
Severity:	normal	CC:	alexander, eric-f.garioud, kernel, kfm
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=921448
Whiteboard:	[linux >=3.8.0 <3.8.3] [linux >=3.9-rc1 <3.9-rc3]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2013-03-18 09:13:21 UTC

From $URL :

Linux kernels which support unprivileged user namespaces (CLONE_NEWUSER) and at the same time allow sharing file system information (CLONE_FS) between parent process and 
its newly clone(2)d child process in the new user namespace, are vulnerable to a privilege escalation flaw as presented by Sebastian Krahmer
in his chroot exploit [1].

  [1] http://stealth.openwall.net/xSports/clown-newuser.c

An unprivileged local user could use this flaw to gain root privileges on a system.

Upstream fix:
-------------
 -> https://git.kernel.org/linus/e66eded8309ebf679d3d3c1f5820d1f2ca332c71

Reference:
----------
 -> http://www.openwall.com/lists/oss-security/2013/03/13/8

Comment 1 Adrian Bassett 2013-03-18 10:00:18 UTC

The fix is already in 3.8.3 ...

Comment 2 Kerin Millar 2013-03-26 01:24:37 UTC

I'm defining the affected vanilla versions in the whiteboard field.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2013-04-11 16:59:28 UTC

CVE-2013-1858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1858):
  The clone system-call implementation in the Linux kernel before 3.8.3 does
  not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags,
  which allows local users to gain privileges by calling chroot and leveraging
  the sharing of the / directory between a parent process and a child process.

Comment 4 John Helmert III archtester

2022-03-25 15:08:01 UTC

Fixed in 3.8.3.