Bug 454388 (CVE-2008-2931) - CVE-2008-2931 kernel: missing check before setting mount propagation
Summary: CVE-2008-2931 kernel: missing check before setting mount propagation
Alias: CVE-2008-2931
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 454389 454390 454391 454392 454393
TreeView+ depends on / blocked
Reported: 2008-07-08 06:32 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 19:50 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-21 17:20:50 UTC

Attachments (Terms of Use)
Proposed backported patch for RHEL-5.3 (742 bytes, patch)
2008-07-10 07:20 UTC, Eugene Teo (Security Response)
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0885 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-09-24 18:45:31 UTC

Description Eugene Teo (Security Response) 2008-07-08 06:32:00 UTC
The do_change_type routine has a missing check for capable(CAP_SYS_ADMIN). Even
though the mount command restricts the changing of mountpoint type to only root
users, it is possible for local unprivileged users to bypass and abuse this.

Comment 1 Eugene Teo (Security Response) 2008-07-08 06:37:14 UTC
Created attachment 311232 [details]
Upstream patch for this issue

Comment 6 Eugene Teo (Security Response) 2008-07-08 09:59:48 UTC
It is possible for a normal user to mark a mount unbindable which cannot be
rebounded, and deny the administrator from bind mounting it to somewhere else.
It is also possible for a normal user to mark a private mount shared silently,
such that if the administrator decides to bind mount it, it will become a
sharable mount, even though the administrator may not intend it to be sharable.

Comment 7 Eugene Teo (Security Response) 2008-07-10 07:20:04 UTC
Created attachment 311453 [details]
Proposed backported patch for RHEL-5.3

Comment 10 Vincent Danen 2010-12-21 17:20:50 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0885)

Note You need to log in before you can comment on or make changes to this bug.