Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 560522 (CVE-2015-6927) - <sys-cluster/vzctl-4.9.4: gaining control over simfs containers (CVE-2015-6927)
Summary: <sys-cluster/vzctl-4.9.4: gaining control over simfs containers (CVE-2015-6927)
Status: RESOLVED FIXED
Alias: CVE-2015-6927
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-15 09:55 UTC by Agostino Sarubbo
Modified: 2017-01-11 12:47 UTC (History)
1 user (show)

See Also:
Package list:
=sys-cluster/vzctl-4.9.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-09-15 09:55:43 UTC
From ${URL} :

It was discovered that vzctl, a set of control tools for the OpenVZ server virtualisation solution, 
determined the storage layout of containers based on the presense of an XML file inside the 
container. An attacker with local root privileges in a simfs-based container could gain control 
over ploop-based containers. Further information on the prerequites of such an attack can be found 
at:

https://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c

Debian advisory:

https://lists.debian.org/debian-security-announce/2015/msg00256.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-01-08 22:22:10 UTC
$ git tag --contains 9e98ea630ac0e88b44e3e23c878a5166aeb74e1c
vzctl-4.10
vzctl-4.9.4

v4.9.4 in tree since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=193f98bc6b92ba557ddc9cded11df78510d56333



@ Arches,

please test and mark stable: =sys-cluster/vzctl-4.9.4
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-10 10:01:11 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-10 15:23:11 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-01-10 16:29:58 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop =sys-cluster/vzctl-4.9.1!

Created a PR because package currently has no maintainer: https://github.com/gentoo/gentoo/pull/3421
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-01-11 00:54:35 UTC
Cleaned up via 957d48bcaba8eac530f1857964976d3aa77f6d7f
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:47:23 UTC
This issue was resolved and addressed in
 GLSA 201701-30 at https://security.gentoo.org/glsa/201701-30
by GLSA coordinator Aaron Bauman (b-man).