← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #115462

[Bug 1509752] Re: Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

  Thread PreviousDate PreviousThread Next 
Hello Steve, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/lxc/1.0.7-0ubuntu0.10
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: lxc (Ubuntu)
       Status: Fix Released => Invalid

** Changed in: lxc (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Trusty)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1509752

Title:
  Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

Status in lxc package in Ubuntu:
  Invalid
Status in lxc source package in Trusty:
  Fix Committed

Bug description:
  =======================================================================
  SRU Justification
  Impact: cannot start containers with lxc.mount.entries which are recursive bind mounts
  Regression potential: this makes assumptions about the ordering of /proc/self/mountinfo, but no more so than the original CVE patch.  So it should not regress from the previous lxc version.
  Test case:

  #!/bin/sh
  set -ex
  cleanup() {
          umount /mnt/etc /mnt/proc || true
          lxc-stop -n t1 -k || true
          lxc-destroy -n t1  || true
  }
  trap cleanup EXIT
  mkdir -p /mnt/etc /mnt/proc
  mount --bind /etc /mnt/etc
  mount --bind /proc /mnt/proc
  lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64
  cat >> /var/lib/lxc/t1/config << EOF
  lxc.mount.entry = /mnt hostmnt none rbind,create=dir
  EOF
  lxc-start -n t1 -F -l trace -o /dev/stdout
  echo "DONE"

  =======================================================================
  This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through 1.0.7-0ubuntu0.9 (or anything that incorporates 0003-CVE-2015-1335.patch).  Basically, the limitation is obvious when using recursive bind mounts because ensure_not_symlink() only checks the last line of /proc/self/mountinfo which will be a submount so will always fail the test and trigger:

  ensure_not_symlink: 1413 Mount onto /usr/lib/x86_64-linux-
  gnu/lxc/storage resulted in /usr/lib/x86_64-linux-
  gnu/lxc/storage/submount, not /usr/lib/x86_64-linux-gnu/lxc/storage

  Sorry if this is a duplicate, I did spend quite some time trying to
  find a similar report.

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1509752/+subscriptions

References

  Thread PreviousDate PreviousThread Next