Comment 4 for bug 1793458

Tyler Hicks (tyhicks) wrote:

This flaw is related to CVE-2015-1328:

  https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html

It was fixed by this patch:

  https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=98a3740920f8f3362c1ac50598af2dc632f5051a

Ubuntu carries a patch that allows overlayfs mounting inside of an unprivileged user namespace, so we were carrying the fix mentioned above as a delta against the upstream Linux kernel since the issue didn't affect upstream overlayfs. (It is worth noting that we did share the details of CVE-2015-1328 and the fix privately with upstream overlayfs.)

At some point between Ubuntu 16.04 LTS and Ubuntu 18.04 LTS, the patch was incorrectly dropped. This was most likely due to upstream changes to address CVE-2018-16597:

  https://people.canonical.com/~ubuntu-security/cve/?cve=CVE-2018-16597

Here's the fix for that issue:

  https://git.kernel.org/linus/c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862

In hindsight, the issues that CVE-2015-1328 represents were actually deserving of two CVEs instead of one. The first, and most severe, issue was the copy up permission check. The second issue was the readdir information disclosure. It looks like upstream actually was affected by an issue somewhat similar to the copy up aspect of CVE-2015-1328 and fixed it with the upstream commit c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 (which is different from the Ubuntu fix for the copy up aspect of CVE-2015-1328 but provides similar protections).

The readdir aspect of the CVE-2015-1328 fix needs to be forward ported to Ubuntu 18.04 LTS and newer kernels. I've done that work, created an Ubuntu kernel regression test so that this doesn't happen again, and now I'm consulting with the Ubuntu Security team as to whether or not a new CVE is needed.