Our understanding so far is that the underlying problem is that the
original design didn't fully consider the ability of an attacker to
rename. Because of this, the rename implementation has been changed so
that it detects a violation of the intended security properties and
puts a countermeasure in place. This has been done in the fs/dcache.c
__d_move function. There is no commit available yet at

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/dcache.c

Use CVE-2015-2925 for this issue.

As far as we can tell, the patches don't address a separate scenario
in which a ".." attack can occur but the underlying problem is
something other than rename handling. So, we don't think a second CVE
ID is needed.

(For purposes of CVE, a set of "possible to escape from bind mounts"
discoveries could have multiple IDs if the root cause of one issue
were the acceptability of the ".." syntax in a certain context, and
the root cause of another issue were unrelated to this.)

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

We think your question is based on a misinterpretation of what we
wrote. To avoid that, we shouldn't have started a sentence with "As
far as we can tell, the patches don't address."
wasn't intended to mean:

The patches are inadequate because a separate scenario exists,
and that separate scenario is not addressed by the patches.

Instead, it was intended to mean:

We are not disputing that the patches are adequate. Also, in our
current understanding, all attack scenarios ultimately depend on the
previously incorrect handling of renames. Because there isn't a
second type of scenario, there isn't a second CVE ID.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Which apparently haven't landed in the kernel? The last commit
mentioning bind mounts I could find is 8f502d5b9e336297, which says:

The issue of being able to escape a bind mount has not yet been
addressed, as the fixes are not yet mature"

And the public security issue trackers of Debian, Ubuntu and Redhat
also say that the issue hasn't been fixed:

https://access.redhat.com/security/cve/CVE-2015-2925
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1441108
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2925
This issue now is nearly 5 months old. :/

I had Jann's message flagged as needing further attention, but I never
got back far enough in my stack of e-mails. Luckily, Jann was
persistent enough and tested OpenVZ for this issue, and found it
vulnerable, and reported the issue to OpenVZ developers. Thanks!

So, yes, OpenVZ simfs-based (but not ploop-based) containers turned out
to be affected by this issue, allowing an in-container root to access
outside files up to the mount point of the underlying filesystem (so
e.g. up to /vz if a separate filesystem is mounted on /vz on a server).

With proper bind mount(s) already precreated, a non-root in-container
user could exploit this as well, but that's uncommon.

OpenVZ bug:
https://bugzilla.openvz.org/show_bug.cgi?id=3256

OpenVZ/RHEL6 fix:
https://openvz.org/Download/kernel/rhel6-testing/042stab108.3

OpenVZ/RHEL5 fix:
https://openvz.org/Download/kernel/rhel5-testing/028stab119.2

(And a fix went into Owl last night.)

A slightly simpler variation of the attack, without a "d" directory:

cd /
mkdir a a/b c
mount -o bind a c
cd c/b
mv /a/b /
ls -l ../../../../../..

Alexander