[lxc-users] LXC security issues - affects all supported releases

[Stéphane Graber]

Hello,

During a security audit of LXC by Roman Fiedler, two security issues
with LXC have been found and now fixed.

CVE 2015-1331:
    This issue is related to LXC's use of /run/lock and /tmp as places
    to write the container lockfile. As those two paths are world writable,
    an attacker could write a symlink at the location LXC would use to write
    its lock file, leading to the potentially privileged LXC process to
    create the target file.

    This was introduced with LXC 1.0.0 with the following commit:
    https://github.com/lxc/lxc/commit/71b0fed669a088675c1344ed68b250e87414c998

    The fix for LXC 1.0 is:
    https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99

    The fix for LXC 1.1 is:
    https://github.com/lxc/lxc/commit/61ecf69d7834921cc078e14d1b36c459ad8f91c7

    The fix for LXC master is:
    https://github.com/lxc/lxc/commit/72cf81f6a3404e35028567db2c99a90406e9c6e6

CVE 2015-1334:
    This issue is related to LXC's setting of AppArmor profiles and
    SELinux labels during attach. The code was trusting /proc in the
    container which an attacker with root access to the container could
    overmount, leading to attach running user controlled code (as is usually
    the case) but without any LSM protection.

    This was introduced in LXC 0.9.0 with the following commit:
    https://github.com/lxc/lxc/commit/9958532bff244ddca65503b42d31c8a4b90b11b1

    The fix for LXC 1.0 is:
    https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24

    The fix for LXC 1.1 is:
    https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407

    The fix for LXC master is:
    https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e

    LXC 0.9 is out of support so we will not be issuing patches or
    updated tarballs for it.


Both fixes will be included in the upcoming stable releases for both
branches. We expect LXC 1.1.3 to be tagged over the next few days and
LXC 1.0.8 in the next month or so. So we very strongly recommend
distributions grab the above fixes in the meantime.

The delay in releasing updated tarballs comes from us having a pretty
significant backlog of fixes in both branches that require significant
testing before we can release.

The security teams from the various Linux distributions have been
informed of those security issues ahead of time and so should have or
soon will be pushing security updates to their supported releases.


I'd like to thank Roman for his great work at finding and responsibly
disclosing those issues to us.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150722/a491a64d/attachment.sig>