Re: [PATCH 1/3] capabilities: user namespace capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 5/17/24 04:55, Jonathan Calmels wrote:

On Fri, May 17, 2024 at 06:32:46AM GMT, Eric W. Biederman wrote:


Pointers please?

That sentence sounds about 5 years out of date.


The link referenced is from last year.
Here are some others often cited by distributions:

https://nvd.nist.gov/vuln/detail/CVE-2022-0185
https://nvd.nist.gov/vuln/detail/CVE-2022-1015
https://nvd.nist.gov/vuln/detail/CVE-2022-2078
https://nvd.nist.gov/vuln/detail/CVE-2022-24122
https://nvd.nist.gov/vuln/detail/CVE-2022-25636

Recent thread discussing this too:
https://seclists.org/oss-sec/2024/q2/128



they were used in 2020, 2021, and 2022 pwn2own exploits. Sorry I don't remember the exact numbers and will have to dig.

pwn2own 2023 4/5 hacks used them
https://www.zerodayinitiative.com/blog/2023/3/23/pwn2own-vancouver-2023-day-two-results
I will need to dig to find the CVEs associated with them.

pwn2own 2024 I can not discuss atm

but its not just pwn2own, the actual list of kernel CVEs that unprivileged user namespaces make exploitable is much larger.
[Index of Archives]     [Cgroups]     [Netdev]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux