On Tue, 2020-11-17 at 11:18 -0500, Antoine Beaupré wrote:
[...]
> Could we get a little more hard data about the attack vectors here? I
> totally trust the security team's "gut feeling" on this, but it would be
> great to be able to evaluate more concretely what we're talking about
> here.
>
> Local root privilege escalation, basically? Can we get a sense of what
> those vulnerabilities are, say with some example CVEs?

Yes, local privilege escalation. From the advisories I've prepared, I
think these are all LPEs that were mitigated by our current patch:

CVE-2015-2041
CVE-2015-8709
CVE-2016-3134
CVE-2016-8655
CVE-2017-6346
CVE-2017-7184
CVE-2017-7308
CVE-2017-11600
CVE-2017-15649
CVE-2017-16939
CVE-2017-18509
CVE-2017-1000111
CVE-2018-16884
CVE-2019-15666
CVE-2020-14386

They seem to have slowed to a trickle at this point. And there are
sadly lots of other LPE bugs that it has no effect on.

> I'm asking because my main concern with security these days is with the
> web browser. It's this huge gaping hole: every measure we can take to
> sandbox that thing is becoming more and more critical, so I wonder if
> our tradeoff's evaluation is well adjusted here, especially considering
> a lot of user_ns consumers are bypassing those restrictions by running
> as root anyways...

I tend to agree with this.

Ben.

> It seems that, in those cases, we're getting the worst of both worlds...
>
> a.

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
      - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'