VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2018-16597
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-16597
CVSS severity score: 4.9/10.0
Description:
An issue was discovered in the Linux kernel through 4.18.6. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Comment 1 by groeck@chromium.org, Nov 28
Labels: Security_Severity-Medium Security_Impact-None Pri-3
Owner: groeck@chromium.org
Status: WontFix (was: Untriaged)
Fixed with upstream commit c0ca3d70e8d3cf8 ("ovl: modify ovl_permission() to do checks on two inodes"). This patch was committed in 2016. The fix is present in chromeos-4.14 and chromeos-4.19. OVERLAY_FS is not enabled in chromeos-4.4 and earlier kernels. Marking as WontFix.