Bug 454388 (CVE-2008-2931) - CVE-2008-2931 kernel: missing check before setting mount propagation
Summary: CVE-2008-2931 kernel: missing check before setting mount propagation
Status: CLOSED ERRATA
Alias: CVE-2008-2931
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20070508,reported=20070509,sou...
Keywords: Security
Depends On: 454389 454390 454391 454392 454393
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-08 06:32 UTC by Eugene Teo (Security Response)
Modified: 2010-12-21 17:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 17:20:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed backported patch for RHEL-5.3 (742 bytes, patch)
2008-07-10 07:20 UTC, Eugene Teo (Security Response)
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0885 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-09-24 18:45:31 UTC

Description Eugene Teo (Security Response) 2008-07-08 06:32:00 UTC
The do_change_type routine has a missing check for capable(CAP_SYS_ADMIN). Even
though the mount command restricts the changing of mountpoint type to only root
users, it is possible for local unprivileged users to bypass and abuse this.

Comment 1 Eugene Teo (Security Response) 2008-07-08 06:37:14 UTC
Created attachment 311232 [details]
Upstream patch for this issue

Comment 6 Eugene Teo (Security Response) 2008-07-08 09:59:48 UTC
It is possible for a normal user to mark a mount unbindable which cannot be
rebounded, and deny the administrator from bind mounting it to somewhere else.
It is also possible for a normal user to mark a private mount shared silently,
such that if the administrator decides to bind mount it, it will become a
sharable mount, even though the administrator may not intend it to be sharable.

Comment 7 Eugene Teo (Security Response) 2008-07-10 07:20:04 UTC
Created attachment 311453 [details]
Proposed backported patch for RHEL-5.3

Comment 10 Vincent Danen 2010-12-21 17:20:50 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0885)


Note You need to log in before you can comment on or make changes to this bug.