Bug 938523 - (CVE-2015-1334) VUL-0: CVE-2015-1334: lxc: AppArmor or SELinux confinement escape
VUL-0: CVE-2015-1334: lxc: AppArmor or SELinux confinement escape
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other openSUSE 13.2
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2015-07-17 07:51 UTC by Andreas Stieger
Modified: 2017-11-15 15:01 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Andreas Stieger 2015-07-17 08:45:20 UTC
Checked the code, 1.0 is the first version containing vulnerable code. This means that SLE is not affected.

openSUSE:13.2 with 1.0.6 and Tumbleweed the only affected products.

As this issue is under embargo, do not use patches in OBS before this bug is updated to indicate that the embargo is lifted.

The security team will assign the bug to the community maintainer at that point.
Comment 3 Swamp Workflow Management 2015-07-18 21:59:46 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2015-07-20 12:23:19 UTC
The 0.9 part of this issue does not affect SLE.
Comment 5 Andreas Stieger 2015-07-22 14:41:17 UTC
public at http://seclists.org/oss-sec/2015/q3/165

* Roman Fiedler discovered a flaw that allows processes intended to be
  run inside of confined LXC containers to escape their AppArmor or
  SELinux confinement. A malicious container can create a fake proc
  filesystem, possibly by mounting tmpfs on top of the container's
  /proc, and wait for a lxc-attach to be ran from the host environment.
  lxc-attach incorrectly trusts the container's
  /proc/PID/attr/{current,exec} files to set up the AppArmor profile and
  SELinux domain transitions which may result in no confinement being
  - CVE-2015-1334
  - Affects LXC 0.9.0 and higher
  - https://launchpad.net/bugs/1475050
  - https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e (master)
  - https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407 (stable-1.1)
  - https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24 (stable-1.0)

from LXC 0.9.0, please submit update for openSUSE 13.1 and 13.2
Comment 6 Jiri Slaby 2015-07-23 09:27:24 UTC
Fix submitted to 13.2 and factory.
Comment 7 Andreas Stieger 2015-07-23 09:44:16 UTC
This affects openSUSE 13.1 as well.
Comment 8 Jiri Slaby 2015-07-23 11:00:27 UTC
Ok, to 13.1 too.
Comment 9 Andreas Stieger 2015-07-23 11:03:23 UTC
(In reply to Jiri Slaby from comment #8)
> Ok, to 13.1 too.

thanks, is running
Comment 10 Swamp Workflow Management 2015-07-30 10:07:55 UTC
openSUSE-SU-2015:1315-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 938522,938523
CVE References: CVE-2015-1331,CVE-2015-1334
Sources used:
openSUSE 13.2 (src):    lxc-1.0.6-3.1
Comment 11 Swamp Workflow Management 2015-07-30 12:08:09 UTC
openSUSE-SU-2015:1317-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 938523
CVE References: CVE-2015-1334
Sources used:
openSUSE 13.1 (src):    lxc-0.9.0-3.8.1
Comment 12 Marcus Meissner 2015-08-10 07:41:52 UTC
Comment 13 Bernhard Wiedemann 2017-11-15 15:01:52 UTC
This is an autogenerated message for OBS integration:
This bug (938523) was mentioned in
https://build.opensuse.org/request/show/542066 15.0 / lxc