On Tue, 5 Jul 2022 at 16:22 Philippe Cerfon <philc...@gmail.com> wrote:
> Say welcome to CVE-2022-32250, the next root security hole which would
> apparently have been mitigated if Debian were to ship sane defaults.

I'm sorry that you didn't read the actual CVE. This wasn't a bug with
user namespaces, but rather a bug in netfilter that was exploitable
through user namespaces. Of course, this wouldn't really have been
exploitable had user namespaces since root using an exploit to elevate
its privileges to root is... silly. The bug would've still existed
without user namespaces, which is still bad, it just would've been
pointless.

It's pretty funny, actually; from what I'm able to understand, most,
if not all the CVEs you listed in your original report weren't really
bugs with user namespaces *at all*, they were really just bugs in
components *around* user namespaces. Instead, how about we disable
netfilter et al. for being buggy? ;)

I really don't think the moral of the story here is "user namespaces
are dangerous", but rather "code in Linux tends to be buggy and should be
fixed", and I don't see why user namespaces should be disabled when it's
other components that are buggy and dangerous.

Do correct me if I'm wrong, though.

--
~miko

