Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 556310 (CVE-2015-1331, CVE-2015-1334) - <app-emulation/lxc-1.0.8: Multiple vulnerabilities
Summary: <app-emulation/lxc-1.0.8: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2015-1331, CVE-2015-1334
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-1335
  Show dependency tree
 
Reported: 2015-07-30 10:27 UTC by Agostino Sarubbo
Modified: 2017-02-22 10:55 UTC (History)
4 users (show)

See Also:
Package list:
=app-emulation/lxc-1.0.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-07-30 10:27:03 UTC
From ${URL} :

Two security issues were found in LXC:

* Roman Fiedler discovered a directory traversal flaw that allows
  arbitrary file creation as the root user. A local attacker must set up
  a symlink at /run/lock/lxc/var/lib/lxc/<CONTAINER>, prior to an admin
  ever creating an LXC container on the system. If an admin then creates
  a container with a name matching <CONTAINER>, the symlink will be
  followed and LXC will create an empty file at the symlink's target as
  the root user. 
  - CVE-2015-1331
  - Affects LXC 1.0.0 and higher
  - https://launchpad.net/bugs/1470842
  - https://github.com/lxc/lxc/commit/72cf81f6a3404e35028567db2c99a90406e9c6e6 (master)
  - https://github.com/lxc/lxc/commit/61ecf69d7834921cc078e14d1b36c459ad8f91c7 (stable-1.1)
  - https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99 (stable-1.0)

* Roman Fiedler discovered a flaw that allows processes intended to be
  run inside of confined LXC containers to escape their AppArmor or
  SELinux confinement. A malicious container can create a fake proc
  filesystem, possibly by mounting tmpfs on top of the container's
  /proc, and wait for a lxc-attach to be ran from the host environment.
  lxc-attach incorrectly trusts the container's
  /proc/PID/attr/{current,exec} files to set up the AppArmor profile and
  SELinux domain transitions which may result in no confinement being
  used.
  - CVE-2015-1334
  - Affects LXC 0.9.0 and higher
  - https://launchpad.net/bugs/1475050
  - https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e (master)
  - https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407 (stable-1.1)
  - https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24 (stable-1.0)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 16:29:34 UTC
Fix for 1.0-stable:
$ git tag --contains 15ec0fd9d490dd5c8a153401360233c6ee947c24
lxc-1.0.8


@ Arches,

please test and mark stable: =app-emulation/lxc-1.0.8
Comment 2 Agostino Sarubbo gentoo-dev 2016-11-25 18:29:18 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-25 18:56:07 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:26 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 08:51:07 UTC
https://github.com/gentoo/gentoo/pull/3619
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 00:48:55 UTC
GLSA Vote: No
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 10:50:20 UTC
tree is clean