From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:40462 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750788AbbJAXIb (ORCPT ); Thu, 1 Oct 2015 19:08:31 -0400
Date: Fri, 2 Oct 2015 01:08:29 +0200
From: Willy Tarreau
To: "Eric W. Biederman"
Cc: stable@vger.kernel.org
Subject: Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)
Message-ID: <20151001230829.GF30371@1wt.eu>
References: <87a8s2a7kc.fsf@x220.int.ebiederm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87a8s2a7kc.fsf@x220.int.ebiederm.org>
Sender: stable-owner@vger.kernel.org
List-ID:

[ trimmed CC list ]

On Thu, Oct 01, 2015 at 11:15:47AM -0500, Eric W. Biederman wrote:
>
> With a strategically placed rename bind mounts can be tricked into
> giving processes access to the entire filesystem instead of just a piece
> of it. This misfeature has existed since bind mounts were introduced
> into the kernel. This issue has been fixed in Linus's tree and below
> are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53,
> 3.12.48, 3.10.89, 3.4.109, 3.2.71, 2.6.32.68. All of the kernels
> currently listed as being active.
(...)

queued for 2.6.32, much appreciated, thanks Eric!

Willy