[lxc-devel] CVE-2018-6556: lxc-user-nic allows for open() of arbitrary paths
Stéphane Graber
stgraber at ubuntu.com
Mon Aug 6 16:27:03 UTC 2018
Hello,
This is a notice for a security issue affecting the following LXC versions:
- 2.0.9 and higher
- 3.0.0 and higher
Description of the issue:
lxc-user-nic (setuid) when asked to delete a network interface will
unconditionally open a user provided path.
This code path may be used by an unprivileged user to check for
the existence of a path which they wouldn't otherwise be able to reach.
It may also be used to trigger side effects by causing a (read-only) open
of special kernel files (ptmx, proc, sys).
This was reported to us by Matthias Gerstner from SUSE and Christian
Brauner on the LXC team took care of finding a workable solution and
preparing the needed updates.
Fixes:
- stable-2.0: https://github.com/lxc/lxc/commit/5eb45428b312e978fb9e294dde16efb14dd9fa4d
- stable-3.0: https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
- master: https://github.com/lxc/lxc/commit/f26dc127bf5d66e8c29f8584c64bd97c9bbbc574
Linux distributions were privately notified with about a week notice and
so should have security updates ready for this already, or will shortly.
We will not be issuing emergency release tarballs for this issue so if
you're maintaining your own build, you should be cherry-picking one of
the fixes above. We do however intend to release LXC 3.0.2 very shortly
which will include this fix among other traditional bugfixes.
References:
- https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591
- https://bugzilla.suse.com/show_bug.cgi?id=988348
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180806/426b1f1b/attachment.sig>
More information about the lxc-devel
mailing list