Some of the recent -stable patches are (surprise!) security fixes.
These were disclosed on the distros list last week.


CVE-2013-1959: /proc/<pid>/uid_map has multiple incorrect privilege checks

Linux 3.8 and various 3.9 rcs are affected, depending on
configuration. This gives a root shell. (Actually, it gives a uid 0
shell with no capabilities, but that's easy to escalate to full root.)

Fixed by:

commit 935d8aabd4331f47a89c3e1daa5779d23cf244ee
Author: Linus Torvalds <torvalds () linux-foundation org>
Date:   Sun Apr 14 10:06:31 2013 -0700

    Add file_ns_capable() helper function for open-time capability checking

commit 6708075f104c3c9b04b23336bb0366ca30c3931b
Author: Eric W. Biederman <ebiederm () xmission com>
Date:   Sun Apr 14 13:47:02 2013 -0700

    userns: Don't let unprivileged users trick privileged users into setting the id_map

commit e3211c120a85b792978bcb4be7b2886df18d27f0
Author: Andy Lutomirski <luto () amacapital net>
Date:   Sun Apr 14 16:28:19 2013 -0700

    userns: Check uid_map's opener's fsuid, not the current fsuid

All three patches are needed.

There's an exploit at the bottom of this email. To use it, you need
to supply the program "zerozeroone". Doing so is left as an exercise
to the reader. It can be done on stock installs of Fedora and Ubuntu
at least.


CVE-2013-1979: writes to unix sockets capture euid instead of uid

This appears to be a regression in 2.6.36, and the regression was
backported to various older stable series (2.6.35.11 at least). It is
almost certainly exploitable for root on most distributions, although
the vectors will vary. The fix is:

commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494
Author: Linus Torvalds <torvalds () linux-foundation org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    net: fix incorrect credentials passing

I don't have an exploit, but there's a PoC below that demonstrates the issue.


There's another security buglet that probably has extremely low
impact. It doesn't have (and shouldn't need) a CVE number. It's
fixed here:

commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5
Author: Andy Lutomirski <luto () amacapital net>
Date:   Sun Apr 14 11:44:04 2013 -0700

    userns: Changing any namespace id mappings should require privileges
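
Added example, not part of the original post: a check that a kernel tree's `git log` output accounts for every fix commit listed above, including all three needed for CVE-2013-1959. It assumes backports cite the upstream id with one of the usual trailers ("commit <sha> upstream.", "[ Upstream commit <sha> ]", "(cherry picked from commit <sha>)"); the function names and the sample log are constructed for illustration.

```python
import re

# Fix commits named in the post above, grouped by issue.
REQUIRED_FIXES = {
    "CVE-2013-1959": [
        "935d8aabd4331f47a89c3e1daa5779d23cf244ee",
        "6708075f104c3c9b04b23336bb0366ca30c3931b",
        "e3211c120a85b792978bcb4be7b2886df18d27f0",
    ],
    "CVE-2013-1979": ["83f1b4ba917db5dc5a061a44b3403ddb6e783494"],
    "userns id-map buglet (no CVE)": ["41c21e351e79004dbb4efa4bc14a53a7e0af38c5"],
}

_SHA = r"([0-9a-f]{40})\b"
# A fix counts as applied only if it is a commit in the log or a backport cites it.
# A bare mention of the hash in some other commit's message does not count.
_APPLIED = [re.compile(p, re.M) for p in (
    r"^commit " + _SHA,                                     # the upstream commit itself
    r"^[ \t]+commit " + _SHA + r" upstream",                # stable backport trailer
    r"^[ \t]+\[ Upstream commit " + _SHA + r" \]",          # alternative stable trailer
    r"^[ \t]+\(cherry picked from commit " + _SHA + r"\)",  # git cherry-pick -x
)]

def applied_commits(log_text):
    """Upstream commit ids that `git log` output shows as applied."""
    return {m.group(1) for rx in _APPLIED for m in rx.finditer(log_text)}

def missing_fixes(log_text):
    """Map each issue to the listed fix commits the log does not account for."""
    seen = applied_commits(log_text)
    return {issue: [s for s in shas if s not in seen]
            for issue, shas in REQUIRED_FIXES.items()}

# Constructed sample (Author/Date lines omitted); the 1111.../2222.../3333... ids are made up.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
    userns: Check uid_map's opener's fsuid, not the current fsuid
    commit e3211c120a85b792978bcb4be7b2886df18d27f0 upstream.
commit 2222222222222222222222222222222222222222
    Add file_ns_capable() helper function for open-time capability checking
    commit 935d8aabd4331f47a89c3e1daa5779d23cf244ee upstream.
commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494
    net: fix incorrect credentials passing
commit 3333333333333333333333333333333333333333
    TODO: still need 41c21e351e79004dbb4efa4bc14a53a7e0af38c5
"""

if __name__ == "__main__":
    for issue, missing in missing_fixes(SAMPLE_LOG).items():
        print(issue, "->", "all fixes present" if not missing else "MISSING " + ", ".join(missing))
```

On a real tree, pass the text of `git log` for the branch being audited to `missing_fixes()`; an issue is covered only when its list comes back empty.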