[lxc-devel] Security fix for CVE-2017-5985 (lxc-user-nic)

Stéphane Graber stgraber at ubuntu.com
Thu Mar 9 16:51:01 UTC 2017


Today we're releasing security fixes for CVE-2017-5985.

This security issue was reported by Jann Horn from Google and has to do
with a lack of netns ownership check in lxc-user-nic, which would allow
any user with a lxc-usernet allocation to create network interfaces on
the host including choosing the name of that network interface.

The created interface wouldn't be UP so is unlikely to be automatically
brought up or get an address, but this issue could be used to squat the
name of a real system network interface before it appears.

The fix we're pushing today has lxc-user-nic drop privilege to the
requesting user at interface rename time. This will still allow users to
create veth pairs but it will not let them be renamed to whatever they

Original report: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676

We have fixes for all supported LXC branches:
 - stable-1.0: https://github.com/lxc/lxc/commit/c905f00ad78b78a5e9c0d67504b86e00dfe085ec
 - stable-2.0: https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3
 - master: https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9

We also have a backported version of the fix for LXC 1.1 should anyone
still use this unsupported version of LXC:

Distributions have been notified ahead of this release so most of them
should have updated packages out already or will really soon.

This security fix will be included in the next round of LXC bugfix
releases. Until then, people building by hand should include the
fixes above.

Stéphane Graber
Ubuntu developer
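
The announcement above describes the fix as dropping privilege to the requesting user at interface rename time. The following is an added illustration of that general pattern in a setuid helper, not code from LXC or from the linked commits: `run_as_invoking_user` and `record_euid` are hypothetical names, and the callback is a stand-in for the rename step.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*user_op_fn)(void *arg);

/* Hypothetical helper (not an LXC function): run op() with the effective
 * UID switched to the real UID, i.e. the user who invoked the setuid
 * binary, then switch back. Assumes the saved set-user-ID still holds the
 * privileged UID, as it does at entry to a setuid program. */
int run_as_invoking_user(user_op_fn op, void *arg)
{
    uid_t ruid = getuid();
    uid_t privileged = geteuid();
    int ret;

    if (seteuid(ruid) < 0)
        return -1;      /* fail closed: op() is never run while privileged */
    if (geteuid() != ruid)
        abort();        /* drop reported success but did not take effect */

    ret = op(arg);      /* kernel permission checks now apply to ruid */

    if (seteuid(privileged) < 0 || geteuid() != privileged)
        abort();        /* do not continue in an unknown privilege state */
    return ret;
}

/* Stand-in for the sensitive step (the interface rename in the text):
 * it only records which effective UID the operation ran under. */
int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;

    if (run_as_invoking_user(record_euid, &seen) < 0) {
        perror("seteuid");
        return 1;
    }
    printf("operation ran with euid=%lu, now euid=%lu\n",
           (unsigned long)seen, (unsigned long)geteuid());
    return 0;
}
```

Only the effective UID is switched here; group IDs and supplementary groups are left untouched and would need the same treatment in a helper that is also setgid.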