| Summary: | <app-emulation/lxc-1.0.8: container mount is not protected against symlinks | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | dev-zero, flameeyes, hwoarang, stasibear, virtualization |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/09/29/4 | ||
| Whiteboard: | B4 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 556310 | ||
| Bug Blocks: | |||
It's been a while. A patched version was added to tree long time ago via https://gitweb.gentoo.org/repo/gentoo.git/commit/app-emulation/lxc?id=e5087471168deb08473cbbd2d1b62d4758e99110 @ maintainer(s): Please tell us how to proceed. Can we start to stabilize an unaffected version (i.e. >=app-emulation/lxc-1.0.8)? Stabilization handled in bug 556310. package is stable and tree is clean. |
From ${URL} : If an attacker constructs a malicious symlink in the target path of a container mount point, the symlink could be mishandled the next time the container is started and the mount operation may be performed at an undesired target location. Additionally, if the source path of the mount is a malicious symlink relative to the container, the symlink could be mishandled to bind mount an undesired file or directory into the container. Direct modification of the host's mount table is not possible since a slave copy of the mount table is used. An example of an attack that is made possible by this flaw is a user inside of the container could leave behind a malicious symlink, at a mount point target under their control, that would cause /proc/self/attr to be mounted over. lxc-start would then unknowingly write to a "fake" /proc/self/attr/current file, prior to launching the container init, to perform an AppArmor profile transition. The profile transition would not occur and the container init would run under incorrect confinement. CVE-2015-1335 Bug: https://launchpad.net/bugs/1476662 Fix: https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be Upstream announcement: https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.