[lxc-devel] LXC security issues - affects all supported releases

Hello,

During a security audit of LXC by Roman Fiedler, two security issues with LXC have been found and now fixed.

CVE 2015-1331:

This issue is related to LXC's use of /run/lock and /tmp as places to write the container lockfile. As those two paths are world writable, an attacker could write a symlink at the location LXC would use to write its lock file, leading to the potentially privileged LXC process to create the target file.

This was introduced with LXC 1.0.0 with the following commit:
https://github.com/lxc/lxc/commit/71b0fed669a088675c1344ed68b250e87414c998

The fix for LXC 1.0 is:
https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99

The fix for LXC 1.1 is:
https://github.com/lxc/lxc/commit/61ecf69d7834921cc078e14d1b36c459ad8f91c7

The fix for LXC master is:
https://github.com/lxc/lxc/commit/72cf81f6a3404e35028567db2c99a90406e9c6e6

CVE 2015-1334:

This issue is related to LXC's setting of AppArmor profiles and SELinux labels during attach. The code was trusting /proc in the container which an attacker with root access to the container could overmount, leading to attach running user controlled code (as is usually the case) but without any LSM protection.

This was introduced in LXC 0.9.0 with the following commit:
https://github.com/lxc/lxc/commit/9958532bff244ddca65503b42d31c8a4b90b11b1

The fix for LXC 1.0 is:
https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24

The fix for LXC 1.1 is:
https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407

The fix for LXC master is:
https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e

LXC 0.9 is out of support so we will not be issuing patches or updated tarballs for it.

Both fixes will be included in the upcoming stable releases for both branches. We expect LXC 1.1.3 to be tagged over the next few days and LXC 1.0.8 in the next month or so. So we very strongly recommend distributions grab the above fixes in the meantime.

The delay in releasing updated tarballs comes from us having a pretty significant backlog of fixes in both branches that require significant testing before we can release.

The security teams from the various Linux distributions have been informed of those security issues ahead of time and so should have or soon will be pushing security updates to their supported releases.

I'd like to thank Roman for his great work at finding and responsibly disclosing those issues to us.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com