| Field | Value |
|---|---|
| Summary | <app-emulation/lxc-{2.1.1-r1,3.0.1-r1}: lxc-user-nic allows unprivileged users to open arbitrary files (CVE-2018-6556) |
| Product | Gentoo Security |
| Reporter | Thomas Deutschmann (RETIRED) <whissi> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | vdupras |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B4 [glsa+ cve] |
| Package list | =app-emulation/lxc-2.1.1-r1, =app-emulation/lxc-3.0.1-r1 |
| Runtime testing required | --- |
| Attachments | (see comments) |
Description
Thomas Deutschmann (RETIRED)
2018-08-04 15:29:48 UTC

The patched ebuilds are ready to push on my machine. Waiting for the end of the embargo.

Created attachment 542532 [details, diff]
Security patch for current LXC ebuilds

Pushed at https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dedb39a6a6587a6d71b11444de28f24a98b0bb

Can we unlock this bug so we can start stabilization?

amd64, ppc64, x86, please stabilize:
=app-emulation/lxc-2.1.1-r1
=app-emulation/lxc-3.0.1-r1
Thanks!

I have an LXC/LXD production environment. I will do a great runtime test tomorrow.

x86 stable

amd64 stable

ppc64, status? This bug has a security status of "B1", which means that our target delay is 5 days. I'll soon be forced to proceed to cleanup even if it means dropping the stable ppc64 keyword.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6083e4cfd2b9d5cdcd94c58a40b08f3ad8eb33d

commit f6083e4cfd2b9d5cdcd94c58a40b08f3ad8eb33d
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-13 00:55:29 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-13 00:55:29 +0000

    app-emulation/lxc: remove old and vulnerable

    Bug: https://bugs.gentoo.org/662780
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 app-emulation/lxc/lxc-2.1.1.ebuild | 214 -------------------------------------
 app-emulation/lxc/lxc-3.0.1.ebuild | 162 ----------------------------
 2 files changed, 376 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0946d4577f5c2bc7e123465c1e8c3224ac477f0f

commit 0946d4577f5c2bc7e123465c1e8c3224ac477f0f
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-13 00:46:44 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-13 00:53:48 +0000

    profiles: mask app-emulation/lxc revdeps on ppc64

    ppc64 stabilization is too long and makes us miss our security target
    delay on bug #662780. Masking app-emulation/lxc and revdeps until it is
    stabilized.

    Bug: https://bugs.gentoo.org/662780

 profiles/arch/powerpc/ppc64/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)

Security team: I've masked app-emulation/lxc and relevant revdeps on ppc64 and cleaned up old vulnerable versions. I'm not sure what your policies are in situations like this, but I'm guessing you could issue your GLSA.

GLSA filed. Thanks

Downgraded to B4 (information leak) because it is read-only.

This issue was resolved and addressed in GLSA 201808-02 at https://security.gentoo.org/glsa/201808-02 by GLSA coordinator Thomas Deutschmann (whissi).