The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ubuntu_core | Canonical | 15.04 (including) | 15.04 (including) |
| Ubuntu_linux | Canonical | 12.04 (including) | 12.04 (including) |
| Ubuntu_linux | Canonical | 14.04 (including) | 14.04 (including) |
| Ubuntu_linux | Canonical | 15.10 (including) | 15.10 (including) |
| Ubuntu_linux | Canonical | 16.04 (including) | 16.04 (including) |
| Ubuntu_linux | Canonical | 16.10 (including) | 16.10 (including) |
| Ubuntu_touch | Canonical | 15.04 (including) | 15.04 (including) |
| Linux | Ubuntu | esm-infra-legacy/trusty | * |
| Linux | Ubuntu | precise | * |
| Linux | Ubuntu | trusty | * |
| Linux | Ubuntu | trusty/esm | * |
| Linux | Ubuntu | upstream | * |
| Linux | Ubuntu | vivid | * |
| Linux | Ubuntu | vivid/ubuntu-core | * |
| Linux | Ubuntu | wily | * |
| Linux-armadaxp | Ubuntu | precise | * |
| Linux-armadaxp | Ubuntu | upstream | * |
| Linux-aws | Ubuntu | upstream | * |
| Linux-flo | Ubuntu | trusty | * |
| Linux-flo | Ubuntu | upstream | * |
| Linux-flo | Ubuntu | vivid | * |
| Linux-flo | Ubuntu | vivid/stable-phone-overlay | * |
| Linux-flo | Ubuntu | wily | * |
| Linux-flo | Ubuntu | xenial | * |
| Linux-flo | Ubuntu | yakkety | * |
| Linux-gke | Ubuntu | upstream | * |
| Linux-goldfish | Ubuntu | trusty | * |
| Linux-goldfish | Ubuntu | upstream | * |
| Linux-goldfish | Ubuntu | vivid | * |
| Linux-goldfish | Ubuntu | wily | * |
| Linux-goldfish | Ubuntu | xenial | * |
| Linux-goldfish | Ubuntu | yakkety | * |
| Linux-goldfish | Ubuntu | zesty | * |
| Linux-grouper | Ubuntu | trusty | * |
| Linux-grouper | Ubuntu | upstream | * |
| Linux-hwe | Ubuntu | upstream | * |
| Linux-hwe-edge | Ubuntu | upstream | * |
| Linux-linaro-omap | Ubuntu | precise | * |
| Linux-linaro-omap | Ubuntu | upstream | * |
| Linux-linaro-shared | Ubuntu | precise | * |
| Linux-linaro-shared | Ubuntu | upstream | * |
| Linux-linaro-vexpress | Ubuntu | precise | * |
| Linux-linaro-vexpress | Ubuntu | upstream | * |
| Linux-lts-quantal | Ubuntu | precise | * |
| Linux-lts-quantal | Ubuntu | precise/esm | * |
| Linux-lts-quantal | Ubuntu | upstream | * |
| Linux-lts-raring | Ubuntu | precise | * |
| Linux-lts-raring | Ubuntu | precise/esm | * |
| Linux-lts-raring | Ubuntu | upstream | * |
| Linux-lts-saucy | Ubuntu | precise | * |
| Linux-lts-saucy | Ubuntu | precise/esm | * |
| Linux-lts-saucy | Ubuntu | upstream | * |
| Linux-lts-trusty | Ubuntu | precise | * |
| Linux-lts-trusty | Ubuntu | precise/esm | * |
| Linux-lts-trusty | Ubuntu | upstream | * |
| Linux-lts-utopic | Ubuntu | trusty | * |
| Linux-lts-utopic | Ubuntu | upstream | * |
| Linux-lts-vivid | Ubuntu | trusty | * |
| Linux-lts-vivid | Ubuntu | upstream | * |
| Linux-lts-wily | Ubuntu | trusty | * |
| Linux-lts-wily | Ubuntu | upstream | * |
| Linux-lts-xenial | Ubuntu | upstream | * |
| Linux-maguro | Ubuntu | trusty | * |
| Linux-maguro | Ubuntu | upstream | * |
| Linux-mako | Ubuntu | trusty | * |
| Linux-mako | Ubuntu | upstream | * |
| Linux-mako | Ubuntu | vivid | * |
| Linux-mako | Ubuntu | vivid/stable-phone-overlay | * |
| Linux-mako | Ubuntu | wily | * |
| Linux-mako | Ubuntu | xenial | * |
| Linux-mako | Ubuntu | yakkety | * |
| Linux-manta | Ubuntu | trusty | * |
| Linux-manta | Ubuntu | upstream | * |
| Linux-manta | Ubuntu | vivid | * |
| Linux-manta | Ubuntu | wily | * |
| Linux-qcm-msm | Ubuntu | precise | * |
| Linux-qcm-msm | Ubuntu | upstream | * |
| Linux-raspi2 | Ubuntu | upstream | * |
| Linux-raspi2 | Ubuntu | vivid/ubuntu-core | * |
| Linux-raspi2 | Ubuntu | wily | * |
| Linux-snapdragon | Ubuntu | upstream | * |
| Linux-ti-omap4 | Ubuntu | precise | * |
| Linux-ti-omap4 | Ubuntu | upstream | * |
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360
- http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1576.html
- http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
- http://www.openwall.com/lists/oss-security/2016/02/24/8
- http://www.openwall.com/lists/oss-security/2021/10/18/1
- https://bugs.launchpad.net/bugs/1535150
- https://launchpadlibrarian.net/235300093/0005-overlayfs-Be-more-careful-about-copying-up-sxid-file.patch
- https://launchpadlibrarian.net/235300225/0006-overlayfs-Propogate-nosuid-from-lower-and-upper-moun.patch
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360
- http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1576.html
- http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
- http://www.openwall.com/lists/oss-security/2016/02/24/8
- http://www.openwall.com/lists/oss-security/2021/10/18/1
- https://bugs.launchpad.net/bugs/1535150
- https://launchpadlibrarian.net/235300093/0005-overlayfs-Be-more-careful-about-copying-up-sxid-file.patch
- https://launchpadlibrarian.net/235300225/0006-overlayfs-Propogate-nosuid-from-lower-and-upper-moun.patch