[arch-security] Fwd: [lxc-users] LXC security issue - affects all supported releases

Leonid Isaev leonid.isaev at jila.colorado.edu
Tue Sep 29 18:35:03 UTC 2015


Hi,

	This is a heads-up about a recent CVE which affects our community/lxc,
please see the description below.

Cheers,
L.

----- Forwarded message from Stéphane Graber <stgraber at ubuntu.com> -----

Date: Tue, 29 Sep 2015 11:29:17 -0400
From: Stéphane Graber <stgraber at ubuntu.com>
To: lxc-devel at lists.linuxcontainers.org, lxc-users at lists.linuxcontainers.org
Subject: [lxc-users] LXC security issue - affects all supported releases
User-Agent: Mutt/1.5.23 (2014-03-12)
Reply-To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>

Hello,

During a recent security audit of LXC, Roman Fiedler identified a
security vulnerability in LXC.

CVE-2015-1335:
    When a container starts up, lxc sets up the container's initial fstree
    by doing a bunch of mounting, guided by the container configuration
    file.  The container config is owned by the admin or user on the host,
    so we do not try to guard against bad entries.  However, since the
    mount target is in the container, it's possible that the container admin
    could divert the mount with symbolic links.  This could bypass proper
    container startup (i.e. confinement of a root-owned container by the
    restrictive apparmor policy, by diverting the required write to
    /proc/self/attr/current), or bypass the (path-based) apparmor policy
    by diverting, say, /proc to /mnt in the container.

    To prevent this,
    1. do not allow mounts to paths containing symbolic links
    2. do not allow bind mounts from relative paths containing symbolic
    links.

    The fix for LXC 1.0 is:
    https://github.com/lxc/lxc/commit/6bbb8100c4dec4b1c71758c27104985a694a4eac

    The fix for LXC 1.1 is:
    https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d

    The fix for LXC master is:
    https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be

    Patches for a few recent LXC releases are also attached to this e-mail.


The fix will be included in the upcoming stable releases for both
branches. That will be LXC 1.1.4 and LXC 1.0.8 which will both be
released very soon.

The security teams from the various Linux distributions have been
informed of those security issues ahead of time and so should have or
soon will be pushing security updates to their supported releases.


I'd like to thank Roman for his great work at finding and responsibly
disclosing those issues to us.

The fix for this issue has been developed by Serge Hallyn with the help
of Tyler Hicks and myself.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

----- End forwarded message -----

-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D

