Bugzilla – Bug 946744
VUL-0 : CVE-2015-1335: lxc: directory traversal flaw while lxc-start is initially setting up the mounts for a container.
Last modified: 2017-11-15 15:01:56 UTC
Created attachment 648268: patch

A private security bug was reported by Roman Fiedler against LXC. The issue is embargoed and has not been disclosed publicly. We are requesting a coordinated release date (CRD) of <2015-09-29 14:00:00 UTC>. We ask that you keep this issue embargoed until the CRD[1]. If nobody requests another date, Ubuntu and upstream LXC will make the issue public on the CRD.

CVE-2015-1335 (https://launchpad.net/bugs/1476662) is a directory traversal flaw that can occur while lxc-start is initially setting up the mounts for a container. If an attacker constructs a malicious symlink in the target path of a container mount point, the symlink could be mishandled the next time the container is started and the mount operation may be performed at an undesired target location. Additionally, if the source path of the mount is a malicious symlink relative to the container, the symlink could be mishandled to bind mount an undesired file or directory into the container. Direct modification of the host's mount table is not possible since a slave copy of the mount table is used.

An example of an attack that is made possible by this flaw is a user inside of the container could leave behind a malicious symlink, at a mount point target under their control, that would cause /proc/self/attr to be mounted over. lxc-start would then unknowingly write to a "fake" /proc/self/attr/current file, prior to launching the container init, to perform an AppArmor profile transition. The profile transition would not occur and the container init would run under incorrect confinement.

I've attached the fix from upstream LXC which applies against their git master branch. Backported patches against the 1.1 and 1.0 trees will be available upon request.

Tyler

[1] Please do not release a fix, make public revision control commits, comment in public bug reports or otherwise disclose information about this issue until the coordinated release date. This gives all affected parties a chance to release a fix at the same time.
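The mount-target half of the flaw described in the report above, as an added example that is not part of the bug report and is not LXC's code: a path-joining open that follows a planted symlink, next to a component-by-component walk that refuses one. The function names `open_target_naive` and `open_target_nofollow` are hypothetical, and the rootfs path itself is assumed to be host-controlled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before" behaviour for contrast: join the paths and let the kernel
 * follow any symlink a container user left in the target path. */
int open_target_naive(const char *rootfs, const char *target)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof(path), "%s/%s", rootfs, target) >= (int)sizeof(path))
        return -1;
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Hardened walk (hypothetical helper, not LXC's code): open each component
 * relative to the previous fd with O_NOFOLLOW, so a symlink anywhere in the
 * path fails the open (ELOOP or ENOTDIR) instead of redirecting it. */
int open_target_nofollow(const char *rootfs, const char *target)
{
    char buf[PATH_MAX], *save = NULL, *comp;
    int dirfd, next, saved;

    if (strlen(target) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, target);
    dirfd = open(rootfs, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (comp = strtok_r(buf, "/", &save); dirfd >= 0 && comp;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EINVAL; return -1; }
        next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        saved = errno;          /* keep openat's errno across close() */
        close(dirfd);
        errno = saved;
        dirfd = next;
    }
    return dirfd; /* -1 on any failure, else fd of the real target directory */
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s ROOTFS TARGET\n", argv[0]); return 2; }
    int fd = open_target_nofollow(argv[1], argv[2]);
    if (fd < 0) { perror("refusing mount target"); return 1; }
    printf("target ok: fd %d refers to a directory reached without symlinks\n", fd);
    return 0;
}
```

A caller that then mounts onto `/proc/self/fd/<fd>` instead of the original path string avoids resolving the path a second time.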
bugbot adjusting priority
On OSS-sec: http://seclists.org/oss-sec/2015/q3/648
Fix commit: https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be
Upstream announcement: https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html
More analysis: https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

The patch does not apply cleanly to 0.6.5, 0.7.5, 0.8.0 used in production. So this fix needs back-porting work as some code has changed.
This is an autogenerated message for OBS integration: This bug (946744) was mentioned in https://build.opensuse.org/request/show/335914 Leap:42.1 / lxc
This is an autogenerated message for OBS integration: This bug (946744) was mentioned in https://build.opensuse.org/request/show/335917 13.2 / lxc
This is an autogenerated message for OBS integration: This bug (946744) was mentioned in https://build.opensuse.org/request/show/335941 13.1 / lxc
Patch landed in all distros but Leap 42.1, just a matter of time now.
openSUSE-SU-2015:1717-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 946744
CVE References: CVE-2015-1335
Sources used:
openSUSE 13.2 (src): lxc-1.0.6-9.1
openSUSE 13.1 (src): lxc-0.9.0-3.11.1
Test script: https://gist.github.com/cloudnull/2c8c6ee285e1fe213833
SUSE-SU-2015:1829-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 946744
CVE References: CVE-2015-1335
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Server 11-SP4 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Server 11-SP3 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Desktop 11-SP4 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Desktop 11-SP3 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): lxc-0.8.0-0.25.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): lxc-0.8.0-0.25.1
released
This is an autogenerated message for OBS integration: This bug (946744) was mentioned in https://build.opensuse.org/request/show/542066 15.0 / lxc