[lxc-devel] LXC security issues - affects all supported releases
Stéphane Graber
stgraber at ubuntu.com
Wed Jul 22 14:29:47 UTC 2015
Hello,
During a security audit of LXC by Roman Fiedler, two security issues
with LXC have been found and now fixed.
CVE 2015-1331:
This issue is related to LXC's use of /run/lock and /tmp as places
to write the container lockfile. As those two paths are world writable,
an attacker could write a symlink at the location LXC would use to write
its lock file, leading to the potentially privileged LXC process to
create the target file.
This was introduced with LXC 1.0.0 with the following commit:
https://github.com/lxc/lxc/commit/71b0fed669a088675c1344ed68b250e87414c998
The fix for LXC 1.0 is:
https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99
The fix for LXC 1.1 is:
https://github.com/lxc/lxc/commit/61ecf69d7834921cc078e14d1b36c459ad8f91c7
The fix for LXC master is:
https://github.com/lxc/lxc/commit/72cf81f6a3404e35028567db2c99a90406e9c6e6
CVE 2015-1334:
This issue is related to LXC's setting of AppArmor profiles and
SELinux labels during attach. The code was trusting /proc in the
container which an attacker with root access to the container could
overmount, leading to attach running user controlled code (as is usually
the case) but without any LSM protection.
This was introduced in LXC 0.9.0 with the following commit:
https://github.com/lxc/lxc/commit/9958532bff244ddca65503b42d31c8a4b90b11b1
The fix for LXC 1.0 is:
https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24
The fix for LXC 1.1 is:
https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407
The fix for LXC master is:
https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e
LXC 0.9 is out of support so we will not be issuing patches or
updated tarballs for it.
Both fixes will be included in the upcoming stable releases for both
branches. We expect LXC 1.1.3 to be tagged over the next few days and
LXC 1.0.8 in the next month or so. So we very strongly recommend
distributions grab the above fixes in the meantime.
The delay in releasing updated tarballs comes from us having a pretty
significant backlog of fixes in both branches that require significant
testing before we can release.
The security teams from the various Linux distributions have been
informed of those security issues ahead of time and so should have or
soon will be pushing security updates to their supported releases.
I'd like to thank Roman for his great work at finding and responsibly
disclosing those issues to us.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150722/a491a64d/attachment.sig>
More information about the lxc-devel
mailing list