Commit b29b29c
CKI KWF Bot
Merge: CVE-2025-38498 fix permission checks for mount propagation change
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7292
JIRA: https://issues.redhat.com/browse/RHEL-107304
CVE: CVE-2025-38498
An inconsistent application of capabilities checking was discovered in
the kernel.
An initial patch was proposed and merged but regressions were reported.
An additional patch was posted that makes this permission checking
consistent over the two areas it's used and eliminates the regression.
The risk was that the reported regression would almost certainly have
serious effects for our container products (at the least) so we needed
to wait for this second patch.
It's still possible this change will introduce a regression because it
adds a capability check. But this check is to ensure the process making
the propagation type change has the appropriate capability to do so and
that should be the case.
Signed-off-by: Ian Kent <ikent@redhat.com>
Approved-by: Miklos Szeredi <mszeredi@redhat.com>
Approved-by: Brian Foster <bfoster@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>

1 file changed: +17 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2311 | 2311 | | |
2312 | 2312 | | |
2313 | 2313 | | |
| 2314 | + | |
| 2315 | + | |
| 2316 | + | |
| 2317 | + | |
| 2318 | + | |
| 2319 | + | |
| 2320 | + | |
| 2321 | + | |
| 2322 | + | |
| 2323 | + | |
| 2324 | + | |
| 2325 | + | |
| 2326 | + | |
2314 | 2327 | | |
2315 | 2328 | | |
2316 | 2329 | | |
| |||
2347 | 2360 | | |
2348 | 2361 | | |
2349 | 2362 | | |
| 2363 | + | |
| 2364 | + | |
| 2365 | + | |
| 2366 | + | |
2350 | 2367 | | |
2351 | 2368 | | |
2352 | 2369 | | |
| |||