Bug 946744 - (CVE-2015-1335) VUL-0 : CVE-2015-1335: lxc: directory traversal flaw while lxc-start is initially setting up the mounts for a container.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Normal
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2015-1335:7.2:(AV:L/AC...
Reported: 2015-09-21 14:13 UTC by Victor Pereira
Modified: 2017-11-15 15:01 UTC



Attachments:
patch (22.28 KB, patch), 2015-09-21 14:13 UTC, Victor Pereira
Description Victor Pereira 2015-09-21 14:13:51 UTC
Created attachment 648268
patch

A private security bug was reported by Roman Fiedler against LXC.

The issue is embargoed and has not been disclosed publicly. We are
requesting a coordinated release date (CRD) of
<2015-09-29 14:00:00 UTC>. We ask that you keep this issue embargoed
until the CRD[1]. If nobody requests another date, Ubuntu and upstream
LXC will make the issue public on the CRD.

CVE-2015-1335 (https://launchpad.net/bugs/1476662) is a directory
traversal flaw that can occur while lxc-start is initially setting up
the mounts for a container.

If an attacker constructs a malicious symlink in the target path of a
container mount point, the symlink could be mishandled the next time the
container is started and the mount operation may be performed at an
undesired target location.

Additionally, if the source path of the mount is a malicious symlink
relative to the container, the symlink could be mishandled to bind mount
an undesired file or directory into the container.

Direct modification of the host's mount table is not possible since a
slave copy of the mount table is used.

An example of an attack that is made possible by this flaw is that a user
inside of the container could leave behind a malicious symlink, at a
mount point target under their control, that would cause /proc/self/attr
to be mounted over. lxc-start would then unknowingly write to a "fake"
/proc/self/attr/current file, prior to launching the container init, to
perform an AppArmor profile transition. The profile transition would not
occur and the container init would run under incorrect confinement.

I've attached the fix from upstream LXC which applies against their git
master branch. Backported patches against the 1.1 and 1.0 trees will be
available upon request.

Tyler

[1] Please do not release a fix, make public revision control commits,
    comment in public bug reports or otherwise disclose information
    about this issue until the coordinated release date. This gives all
    affected parties a chance to release a fix at the same time.
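The two mishandling cases described above (a symlink at the mount target, and a symlink at a container-relative mount source) are both instances of trusting a path that a container user can partly control. The following is an added example, not code from the LXC project or from the attached patch, that shows the kind of check a mount-setup routine needs: walk the target path below the rootfs one component at a time with lstat, refuse any component that is a symlink or a '..', and apply the same walk to a source path when it is relative to the rootfs. The function names, the fixture directory layout and the sample symlinks are constructed for this illustration; consult the linked upstream commit for the actual fix.

```python
import os
import stat
import tempfile


def resolve_without_symlinks(rootfs, relpath):
    """Walk relpath below rootfs one component at a time, refusing symlinks.

    Returns (ok, reason, path). ok is False if any existing component is a
    symlink or if a '..' component would climb out of rootfs. Components that
    do not exist yet are accepted: nothing under them can be a symlink.
    """
    cur = os.path.realpath(rootfs)  # the container root itself is trusted
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    for i, comp in enumerate(parts):
        if comp == "..":
            return (False, "'..' component would leave the rootfs", cur)
        nxt = os.path.join(cur, comp)
        try:
            st = os.lstat(nxt)  # lstat, not stat: do not follow the link
        except FileNotFoundError:
            return (True, "ok (remaining components do not exist yet)",
                    os.path.join(nxt, *parts[i + 1:]))
        if stat.S_ISLNK(st.st_mode):
            return (False, "symlink at %s -> %s" % (nxt, os.readlink(nxt)), nxt)
        cur = nxt
    return (True, "ok", cur)


def check_mount_entry(rootfs, source, target):
    """Check both sides of a container mount entry (hypothetical helper).

    target is always relative to the rootfs. source gets the same walk only
    when it is relative, i.e. lives inside the container; an absolute host
    path is the administrator's choice and is left alone here.
    """
    results = {"target": resolve_without_symlinks(rootfs, target)}
    if not os.path.isabs(source):
        results["source"] = resolve_without_symlinks(rootfs, source)
    return results


def demo():
    """Constructed fixture: a rootfs with one legitimate mount point and a few
    symlinks a container user could leave behind. Returns a dict of results."""
    base = tempfile.mkdtemp()
    rootfs = os.path.join(base, "rootfs")
    outside = os.path.join(base, "host-private")  # stands in for host data
    os.makedirs(os.path.join(rootfs, "proc"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(rootfs, "escape"))       # absolute link out
    os.symlink("../host-private", os.path.join(rootfs, "rel"))  # relative link out
    os.symlink("proc", os.path.join(rootfs, "fakeproc"))       # link used as a source
    return {
        "legit":    check_mount_entry(rootfs, "/proc", "proc"),
        "abs_link": check_mount_entry(rootfs, "/proc", "escape/self/attr"),
        "rel_link": check_mount_entry(rootfs, "/proc", "rel/current"),
        "dotdot":   check_mount_entry(rootfs, "/proc", "../host-private"),
        "src_link": check_mount_entry(rootfs, "fakeproc", "proc"),
        "new_dir":  check_mount_entry(rootfs, "/proc", "var/lib/new"),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        for side, (ok, reason, path) in res.items():
            print("%-8s %-6s %s %s" % (name, side, "OK  " if ok else "DENY", reason))
```

A path walk done from userspace like this is still a time-of-check/time-of-use window: a container user could replace a directory with a symlink between the lstat and the mount. A robust implementation therefore performs the check and the mount on the same open descriptor (opening each component without following links and mounting through the descriptor) rather than re-resolving the path string a second time; the example above shows only the checking logic.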
Comment 3 Swamp Workflow Management 2015-09-21 22:00:26 UTC
bugbot adjusting priority
Comment 7 Andreas Stieger 2015-10-01 12:37:26 UTC
On OSS-sec:
http://seclists.org/oss-sec/2015/q3/648

Fix commit:
https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be

Upstream announcement:
https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html

More analysis:
https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

The patch does not apply cleanly to 0.6.5, 0.7.5, 0.8.0 used in production. So this fix needs back-porting work as some code has changed.
Comment 11 Bernhard Wiedemann 2015-10-02 13:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (946744) was mentioned in
https://build.opensuse.org/request/show/335914 Leap:42.1 / lxc
Comment 12 Bernhard Wiedemann 2015-10-02 14:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (946744) was mentioned in
https://build.opensuse.org/request/show/335917 13.2 / lxc
Comment 13 Bernhard Wiedemann 2015-10-02 16:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (946744) was mentioned in
https://build.opensuse.org/request/show/335941 13.1 / lxc
Comment 14 Cédric Bosdonnat 2015-10-05 18:27:53 UTC
Patch landed in all distros but Leap 42.1, just a matter of time now.
Comment 16 Swamp Workflow Management 2015-10-10 13:09:38 UTC
openSUSE-SU-2015:1717-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 946744
CVE References: CVE-2015-1335
Sources used:
openSUSE 13.2 (src):    lxc-1.0.6-9.1
openSUSE 13.1 (src):    lxc-0.9.0-3.11.1
Comment 17 Andreas Stieger 2015-10-20 12:55:22 UTC
Test script:
https://gist.github.com/cloudnull/2c8c6ee285e1fe213833
Comment 18 Swamp Workflow Management 2015-10-27 11:10:29 UTC
SUSE-SU-2015:1829-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 946744
CVE References: CVE-2015-1335
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Server 11-SP4 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Server 11-SP3 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    lxc-0.8.0-0.25.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    lxc-0.8.0-0.25.1
Comment 19 Marcus Meissner 2015-12-08 14:29:35 UTC
released
Comment 20 Bernhard Wiedemann 2017-11-15 15:01:56 UTC
This is an autogenerated message for OBS integration:
This bug (946744) was mentioned in
https://build.opensuse.org/request/show/542066 15.0 / lxc