[lxc-users] Security fix for CVE-2017-5985 (lxc-user-nic)

[Stéphane Graber]

Hello,

Today we're releasing security fixes for CVE-2017-5985.

This security issue was reported by Jann Horn from Google and has to do
with a lack of netns ownership check in lxc-user-nic, which would allow
any user with a lxc-usernet allocation to create network interfaces on
the host including choosing the name of that network interface.

The created interface wouldn't be UP so is unlikely to be automatically
brought up or get an address, but this issue could be used to squat the
name of a real system network interface before it appears.


The fix we're pushing today has lxc-user-nic drop privilege to the
requesting user at interface rename time. This will still allow users to
create veth pairs but it will not let them be renamed to whatever they
want.

Original report: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676


We have fixes for all supported LXC branches:
 - stable-1.0: https://github.com/lxc/lxc/commit/c905f00ad78b78a5e9c0d67504b86e00dfe085ec
 - stable-2.0: https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3
 - master: https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9

We also have a backported version of the fix for LXC 1.1 should anyone
still use this unsupported version of LXC:
https://github.com/lxc/lxc/commit/7e678d3d2a297abe8a6e2d673a7ada3994ebe4e5


Distributions have been notified ahead of this release so most of them
should have updated packages out already or will really soon.

This security fix will be included in the next round of LXC bugfix
releases, until then, people building by hand should be including the
fixes above.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170309/109be87f/attachment.sig>