This bug was fixed in the package linux - 5.4.0-42.46

---------------
linux (5.4.0-42.46) focal; urgency=medium

  * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

  * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2020-11935
    - aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

  * Update lockdown patches (LP: #1884159)
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

 -- Khalid Elmously <khalid.elmou...@canonical.com>  Thu, 09 Jul 2020 19:50:26 -0400

** Changed in: linux (Ubuntu Groovy)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16089

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19642

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11935

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1879688

Title:
  shiftfs: fix btrfs snapshot deletion

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Eoan:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Fix Released

Bug description:
  SRU Justification

  Impact: Stéphane discovered a problem during NorthSec, which makes
  heavy use of shiftfs. In containers with a btrfs root filesystem that
  make use of shiftfs, userns root is not able to delete subvolumes that
  have been created by another user, which it would be able to do
  otherwise. This makes it impossible for LXD to delete nested
  containers.

  To reproduce this as root in the container:
  btrfs subvolume create my-subvol
  chown 1000:1000 my-subvol
  btrfs subvolume delete my-subvol

  The deletion will fail when it should have succeeded.

  Fix: For improved security we drop all capabilities before we forward
  btrfs ioctls in shiftfs. To fix the above problem we can retain the
  CAP_DAC_OVERRIDE capability only if we are userns root.

  Regression Potential: Limited to shiftfs. Even though we drop all
  capabilities in all capability sets, we really mostly care about
  dropping CAP_SYS_ADMIN, and we mostly do this for ioctls that, e.g.,
  allow you to traverse the btrfs filesystem and, with CAP_SYS_ADMIN
  retained in the underlay, would allow you to list subvolumes you
  shouldn't be able to list. This fix only retains CAP_DAC_OVERRIDE and
  only for the deletion of subvolumes and only by userns root.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879688/+subscriptions
