From $URL :

Linux kernels which support unprivileged user namespaces (CLONE_NEWUSER) and at the same time allow sharing file system information (CLONE_FS) between parent process and its newly clone(2)d child process in the new user namespace are vulnerable to a privilege escalation flaw as presented by Sebastian Krahmer in his chroot exploit [1].

[1] http://stealth.openwall.net/xSports/clown-newuser.c

An unprivileged local user could use this flaw to gain root privileges on a system.

Upstream fix:
-------------
-> https://git.kernel.org/linus/e66eded8309ebf679d3d3c1f5820d1f2ca332c71

Reference:
----------
-> http://www.openwall.com/lists/oss-security/2013/03/13/8
The fix is already in 3.8.3 ...
I'm defining the affected vanilla versions in the whiteboard field.
CVE-2013-1858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1858): The clone system-call implementation in the Linux kernel before 3.8.3 does not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags, which allows local users to gain privileges by calling chroot and leveraging the sharing of the / directory between a parent process and a child process.
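As an added check, not taken from this bug report or from the referenced exploit, the following C probe asks the running kernel for exactly the CLONE_NEWUSER|CLONE_FS child the CVE text describes and reports whether the kernel refuses it with EINVAL, which is what the upstream fix does. It assumes glibc's clone(2) wrapper; PROBE_DENIED marks environments where the result is inconclusive (user namespaces disabled or filtered by seccomp, so clone fails with EPERM or similar before the flag check matters).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
/* Outcome of asking for a child in a new user namespace that still shares the
 * parent's fs_struct (root, cwd, umask): the flag pair the upstream fix rejects. */
enum probe_result {
    PROBE_REJECTED = 0, /* EINVAL: the check from commit e66eded8 (or a backport) is present */
    PROBE_DENIED   = 1, /* EPERM, ENOSYS, ...: user namespaces unavailable here; inconclusive */
    PROBE_ALLOWED  = 2  /* child created: fs_struct is shared across the userns boundary */
};
static int probe_child(void *arg) { (void)arg; return 0; } /* the child does nothing */

/* Probe the running kernel; *saved_errno receives clone(2)'s errno (0 on success). */
enum probe_result probe_clone_newuser_fs(int *saved_errno)
{
    const size_t stack_size = 64 * 1024; /* constructed: small stack for the child */
    char *stack = malloc(stack_size);
    if (stack == NULL) { *saved_errno = errno; return PROBE_DENIED; }
    /* Exactly the flag pair in question, plus SIGCHLD so waitpid() can reap the child. */
    pid_t pid = clone(probe_child, stack + stack_size,
                      CLONE_NEWUSER | CLONE_FS | SIGCHLD, NULL);
    int err = errno;
    if (pid > 0) {
        waitpid(pid, NULL, 0); /* the child's stack must outlive the child */
        free(stack);
        *saved_errno = 0;
        return PROBE_ALLOWED;
    }
    free(stack);
    *saved_errno = err;
    return err == EINVAL ? PROBE_REJECTED : PROBE_DENIED;
}

int main(void)
{
    int err = 0;
    enum probe_result r = probe_clone_newuser_fs(&err);
    if (r == PROBE_REJECTED)
        puts("CLONE_NEWUSER|CLONE_FS rejected with EINVAL: fix present");
    else if (r == PROBE_ALLOWED)
        puts("CLONE_NEWUSER|CLONE_FS child created: fix absent, kernel affected");
    else
        printf("inconclusive: clone(2) failed with %s\n", strerror(err));
    return r == PROBE_REJECTED ? 0 : 1;
}
```

On any kernel carrying the fix the probe exits 0; treat PROBE_DENIED as "could not test here", not as evidence either way.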
Fixed in 3.8.3.