Bugzilla – Bug 1018892
VUL-0: CVE-2016-10124: lxc: escape to parent session via TIOCSTI ioctl in lxc-attach
Last modified: 2017-07-28 14:51:30 UTC
lxec when executing a program via lxc-attach, a nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the container.
bugbot adjusting priority
There is way too much difference between lxc master and our latest supported version (0.8.0) in SLES. This series can't be backported.
We have several TIOCSTI bugs ... bug 968674 is the one with some thoughts on how to address it.
But there is no good solution at this time in general.
if (ioctl(slave, TIOCSCTTY, NULL) < 0)
would be the core of the fix... so there is an approach, just the patch is very large :/
Andreas, I'm not planning to backport such a giant thing to the super old lxc that we have on SLE 11. It would be rather risky and complex. Could this bug be closed?
(In reply to Cédric Bosdonnat from comment #5)
No, unfortunately not. It's supported, so we need to fix it. Maybe we can go the route that Marcus proposed and use a minimal patch?
I'll prepare packages for openSUSE in the meantime, but my last submit request is still open...
This scenario is not supported in SLE 11 (see release notes) and fixing it would be a major effort and a high risk of introducing regressions.
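Added example, not part of the bug thread and not lxc's own code: a minimal Linux sketch of the mitigation the thread points at, where the attached process gets a newly allocated pty as its controlling terminal (the `TIOCSCTTY` call quoted above), so TIOCSTI input lands in that pty's queue and not in the parent session's terminal. The function name `run_on_fresh_pty` and the step numbers it returns are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a child on a newly allocated pty (Linux). Returns 0 when the child's
 * controlling terminal is the new pty, else the number of the failed step. */
int run_on_fresh_pty(void)
{
    int unlock = 0;
    unsigned int n;
    char name[32];
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0)
        return 1;
    if (ioctl(master, TIOCSPTLCK, &unlock) < 0 || ioctl(master, TIOCGPTN, &n) < 0) {
        close(master);
        return 2;
    }
    snprintf(name, sizeof name, "/dev/pts/%u", n);
    pid_t pid = fork();
    if (pid < 0) {
        close(master);
        return 3;
    }
    if (pid == 0) {
        pid_t sid = -1;
        close(master);                 /* child keeps no handle on the relay side */
        if (setsid() < 0)              /* leave the caller's session and its tty */
            _exit(4);
        int slave = open(name, O_RDWR | O_NOCTTY);
        if (slave < 0)
            _exit(5);
        if (ioctl(slave, TIOCSCTTY, NULL) < 0)   /* the call quoted in the thread */
            _exit(6);
        /* TIOCGSID only succeeds on the caller's own controlling terminal. */
        if (ioctl(slave, TIOCGSID, &sid) < 0 || sid != getpid())
            _exit(7);
        _exit(0);   /* a real tool would dup2(slave, 0/1/2) and exec here */
    }
    int status;
    int rc = waitpid(pid, &status, 0);
    close(master);
    return (rc == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : 8;
}

int main(void) { return run_on_fresh_pty(); }
```

The parent side would relay bytes between its own terminal and `master`, which is what keeps the child from ever holding a descriptor for the parent's tty.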