[Secure-testing-team] Bug#793298: CVE-2015-1331 CVE-2015-1334

Moritz Muehlenhoff jmm at debian.org
Wed Jul 22 15:13:29 UTC 2015


Package: lxc
Severity: grave
Tags: security

These two security issues were reported by Tyler Hicks on
oss-security:

* Roman Fiedler discovered a directory traversal flaw that allows
  arbitrary file creation as the root user. A local attacker must set
  up a symlink at /run/lock/lxc/var/lib/lxc/<CONTAINER>, prior to an
  admin ever creating an LXC container on the system. If an admin then
  creates a container with a name matching <CONTAINER>, the symlink will be
  followed and LXC will create an empty file at the symlink's target as
  the root user.
  - CVE-2015-1331
  - Affects LXC 1.0.0 and higher
  - https://launchpad.net/bugs/1470842
  - https://github.com/lxc/lxc/commit/72cf81f6a3404e35028567db2c99a90406e9c6e6 (master)
  - https://github.com/lxc/lxc/commit/61ecf69d7834921cc078e14d1b36c459ad8f91c7
    (stable-1.1)
  - https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99
    (stable-1.0)

* Roman Fiedler discovered a flaw that allows processes intended to be
  run inside of confined LXC containers to escape their AppArmor or
  SELinux confinement. A malicious container can create a fake proc
  filesystem, possibly by mounting tmpfs on top of the container's
  /proc, and wait for a lxc-attach to be run from the host environment.
  lxc-attach incorrectly trusts the container's
  /proc/PID/attr/{current,exec} files to set up the AppArmor profile and
  SELinux domain transitions which may result in no confinement being
  used.
  - CVE-2015-1334
  - Affects LXC 0.9.0 and higher
  - https://launchpad.net/bugs/1475050
  - https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e
    (master)
  - https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407
    (stable-1.1)
  - https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24
    (stable-1.0)

Can you prepare an update for jessie-security?

Cheers,
        Moritz
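
Added example, not part of the original message and not the LXC patch: one way to create a lock file beneath a lock directory without following a pre-planted symlink, the condition described for CVE-2015-1331 above. The function names, the temporary directory and the container names "c1" and "other" are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DIRFLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)

/* Create base/relpath as a lock file, making missing parent directories.
 * Every component is opened relative to its parent's fd with O_NOFOLLOW, so a
 * planted symlink makes the call fail (ELOOP or ENOTDIR) instead of being
 * followed. Assumption: base itself is trusted. Returns an fd or -1. */
int create_lock_nofollow(const char *base, const char *relpath)
{
    char buf[4096], *save = NULL, *comp, *next;
    int dirfd, sub, fd = -1;

    if (strlen(relpath) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    if ((dirfd = open(base, DIRFLAGS)) < 0) return -1;
    for (comp = strtok_r(buf, "/", &save); comp; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (!strcmp(comp, ".") || !strcmp(comp, "..")) { errno = EINVAL; break; }
        if (!next) {    /* last component: the lock file itself */
            fd = openat(dirfd, comp, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
            break;
        }
        if (mkdirat(dirfd, comp, 0755) < 0 && errno != EEXIST) break;
        sub = openat(dirfd, comp, DIRFLAGS);    /* fails if comp is a symlink */
        close(dirfd);
        if ((dirfd = sub) < 0) return -1;
    }
    close(dirfd);
    return fd;
}

/* Constructed scenario: the lock path for container "c1" is pre-planted as a
 * dangling symlink. Returns 1 if creation is refused and no target appears. */
int demo_symlink_refused(void)
{
    char base[] = "/tmp/lockdemoXXXXXX";
    struct stat st;
    if (!mkdtemp(base) || chdir(base) < 0 ||
        close(create_lock_nofollow(base, "lxc/var/lib/lxc/other")) < 0 || /* legit lock */
        symlink("../../../../target", "lxc/var/lib/lxc/c1") < 0) return -1;
    return create_lock_nofollow(base, "lxc/var/lib/lxc/c1") < 0 && stat("target", &st) < 0;
}
int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```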


