Name | CVE-2016-2853 |
Description | The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
linux (PTS) | jessie, jessie (lts) | 3.16.84-1 | vulnerable |
| stretch (security) | 4.9.320-2 | fixed |
| stretch (lts), stretch | 4.9.320-3 | fixed |
| buster (security), buster, buster (lts) | 4.19.316-1 | fixed |
| bullseye | 5.10.223-1 | fixed |
| bullseye (security) | 5.10.226-1 | fixed |
| bookworm | 6.1.115-1 | fixed |
| bookworm (security) | 6.1.119-1 | fixed |
| trixie | 6.12.5-1 | fixed |
| sid | 6.12.6-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
linux | source | wheezy | (not affected) | | | |
linux | source | (unstable) | 3.18-1~exp1 | | | |
Notes
[jessie] - linux <ignored> (Not exploitable in default configuration)
[wheezy] - linux <not-affected> (Vulnerable code is not present)
http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
https://sourceforge.net/p/aufs/mailman/message/34864744/
This depends on a user namespace creator being able to mount aufs.
jessie: Unprivileged users are not allowed to create user namespaces by default; aufs is not allowed to be mounted from a new user namespace by default.
wheezy: User namespaces are non-functional.