Bug 1129662 (CVE-2014-5206, CVE-2014-5207)

Summary: CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agordeev, aquini, bhu, carnil, ccoleman, davej, dhoward, dmcphers, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jialiu, jkacur, jokerman, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kseifried, lgoncalv, lmeyer, lwang, madhu.chinakonda, matt, mchehab, mcressma, mmccomas, mmcgrath, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-13 13:52:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1129669, 1129670, 1129672    
Bug Blocks: 1129668    

Description Vasyl Kaigorodov 2014-08-13 12:43:05 UTC 
It was discovered that a privileged user in the user namespace with access to a bind mount can clear certain mount flags by calling "mount --bind -o remount,... ...".

Proposed patches:

https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=a6138db815df5ee542d848318e5dae681590fccd
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=07b645589dcda8b7a5249e096fece2a67556f0f4
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=9566d6742852c527bf5af38af5cbb878dad75705
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=db181ce011e3c033328608299cd6fac06ea50130

References:
http://seclists.org/oss-sec/2014/q3/357
Comment 1 Vasyl Kaigorodov 2014-08-13 12:47:46 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of kernel as shipped with Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise Linux MRG 2.
Comment 3 Vasyl Kaigorodov 2014-08-13 12:49:00 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1129669]
Comment 4 Fedora Update System 2014-08-16 22:30:45 UTC 
kernel-3.15.10-200.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-08-19 07:08:56 UTC 
kernel-3.14.17-100.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.