Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662780 (CVE-2018-6556) - <app-emulation/lxc-{2.1.1-r1,3.0.1-r1}: lxc-user-nic allows unprivileged users to open arbitrary files (CVE-2018-6556)
Summary: <app-emulation/lxc-{2.1.1-r1,3.0.1-r1}: lxc-user-nic allows unprivileged user...
Status: RESOLVED FIXED
Alias: CVE-2018-6556
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-04 15:29 UTC by Thomas Deutschmann
Modified: 2018-10-12 19:23 UTC (History)
1 user (show)

See Also:
Package list:
=app-emulation/lxc-2.1.1-r1 =app-emulation/lxc-3.0.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
Security patch for current LXC ebuilds (0001-app-emulation-lxc-fix-CVE-2018-6556.patch,21.58 KB, patch)
2018-08-06 11:07 UTC, Virgil Dupras (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2018-08-04 15:29:48 UTC
Incoming details.
Comment 1 Virgil Dupras (RETIRED) gentoo-dev 2018-08-05 15:58:26 UTC
The patched ebuilds are ready to push on my machine. Waiting the end of the embargo.
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2018-08-06 11:07:39 UTC
Created attachment 542532 [details, diff]
Security patch for current LXC ebuilds
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-08-06 16:13:55 UTC
Pushed at https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dedb39a6a6587a6d71b11444de28f24a98b0bb

Can we unlock this bug so we can start stabilization?
Comment 4 Virgil Dupras (RETIRED) gentoo-dev 2018-08-06 16:26:14 UTC
amd64, ppc64, x86, please stabilize:

=app-emulation/lxc-2.1.1-r1
=app-emulation/lxc-3.0.1-r1

Thanks!
Comment 5 Agostino Sarubbo gentoo-dev 2018-08-06 19:07:47 UTC
I have an LXC/LXD production environment. I will do a great runtime test tomorrow.
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-08-06 22:21:43 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2018-08-07 08:50:33 UTC
amd64 stable
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-08-11 23:31:22 UTC
ppc64, status? This bug has a security status of "B1", which means that our target delay is 5 days. I'll soon be forced to proceed to cleanup even if it means dropping the stable ppc64 keyword.
Comment 9 Larry the Git Cow gentoo-dev 2018-08-13 00:55:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6083e4cfd2b9d5cdcd94c58a40b08f3ad8eb33d

commit f6083e4cfd2b9d5cdcd94c58a40b08f3ad8eb33d
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-13 00:55:29 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-13 00:55:29 +0000

    app-emulation/lxc: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/662780
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 app-emulation/lxc/lxc-2.1.1.ebuild | 214 -------------------------------------
 app-emulation/lxc/lxc-3.0.1.ebuild | 162 ----------------------------
 2 files changed, 376 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0946d4577f5c2bc7e123465c1e8c3224ac477f0f

commit 0946d4577f5c2bc7e123465c1e8c3224ac477f0f
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-13 00:46:44 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-13 00:53:48 +0000

    profiles: mask app-emulation/lxc revdeps on ppc64
    
    ppc64 stabilization is too long and make us miss our security target
    delay on bug #662780. Masking app-emulation/lxc and revdeps until it is
    stabilized.
    
    Bug: https://bugs.gentoo.org/662780

 profiles/arch/powerpc/ppc64/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 10 Virgil Dupras (RETIRED) gentoo-dev 2018-08-13 00:58:20 UTC
Security team: I've masked app-emulation/lxc and relevant revdeps on ppc64 and cleaned up old vulnerable versions.

I'm not sure what your policies are in situations like this, but I'm guessing you could issue your GLSA.
Comment 11 Michael Boyle 2018-08-14 00:10:17 UTC
GLSA filed.Thanks
Comment 12 Thomas Deutschmann gentoo-dev Security 2018-08-22 17:33:18 UTC
Downgraded to B4 (information leak) because it is read-only.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 21:28:50 UTC
This issue was resolved and addressed in
 GLSA 201808-02 at https://security.gentoo.org/glsa/201808-02
by GLSA coordinator Thomas Deutschmann (whissi).