Hi Daniel, Hi Moritz, Attached is the proposed debdiff (not yet uploaded to security-master) for jessie-security itself. It is only compile-tested so far.
Built packages for amd64: https://people.debian.org/~carnil/tmp/lxc/ Regards, Salvatore
diff -Nru lxc-1.0.6/debian/changelog lxc-1.0.6/debian/changelog --- lxc-1.0.6/debian/changelog 2015-01-05 19:25:09.000000000 +0100 +++ lxc-1.0.6/debian/changelog 2015-07-22 18:13:01.000000000 +0200 @@ -1,3 +1,16 @@ +lxc (1:1.0.6-6+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Add 0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch. + CVE-2015-1331: Directory traversal flaw that allows arbitrary file + creation as the root user. (Closes: #793298) + * Add 0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch. + CVE-2015-1334: Processes intended to be run inside of confined LXC + containers could escape their AppArmor or SELinux confinement. + (Closes: #793298) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 22 Jul 2015 18:12:27 +0200 + lxc (1:1.0.6-6) unstable; urgency=low * Use http.debian.net instead of cdn.debian.net (Closes: #774204, diff -Nru lxc-1.0.6/debian/patches/0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch lxc-1.0.6/debian/patches/0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch --- lxc-1.0.6/debian/patches/0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch 1970-01-01 01:00:00.000000000 +0100 +++ lxc-1.0.6/debian/patches/0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch 2015-07-22 18:13:01.000000000 +0200 
@@ -0,0 +1,104 @@ +From f547349ea7ef3a6eae6965a95cb5986cd921bd99 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hal...@ubuntu.com> +Date: Fri, 3 Jul 2015 09:26:17 -0500 +Subject: [PATCH] CVE-2015-1331: lxclock: use /run/lxc/lock rather than + /run/lock/lxc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This prevents an unprivileged user to use LXC to create arbitrary file +on the filesystem. + +Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> +Signed-off-by: Tyler Hicks <tyhi...@canonical.com> +Acked-by: St??phane Graber <stgra...@ubuntu.com> +--- + src/lxc/lxclock.c | 38 ++++++++++---------------------------- + src/tests/locktests.c | 2 +- + 2 files changed, 11 insertions(+), 29 deletions(-) + +diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c +index 0cd09be..92fbb50 100644 +--- a/src/lxc/lxclock.c ++++ b/src/lxc/lxclock.c +@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n) + char *rundir; + + /* lockfile will be: +- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root ++ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root + * or +- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root ++ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root + */ + +- /* length of "/lock/lxc/" + $lxcpath + "/" + $lxcname + '\0' */ +- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 2; ++ /* length of "/lxc/lock/" + $lxcpath + "/" + $lxcname + '\0' */ ++ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 2; + rundir = get_rundir(); + if (!rundir) + return NULL; +@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n) + return NULL; + } + +- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p); ++ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p); + if (ret < 0 || ret >= len) { + free(dest); + free(rundir); +@@ -128,31 +128,13 @@ static char *lxclock_name(const char *p, const char *n) + } + ret = mkdir_p(dest, 0755); + if (ret < 
0) { +- /* fall back to "/tmp/" $(id -u) "/lxc/" $lxcpath / $lxcname + '\0' */ +- int l2 = 33 + strlen(n) + strlen(p); +- if (l2 > len) { +- char *d; +- d = realloc(dest, l2); +- if (!d) { +- free(dest); +- free(rundir); +- return NULL; +- } +- len = l2; +- dest = d; +- } +- ret = snprintf(dest, len, "/tmp/%d/lxc/%s", geteuid(), p); +- if (ret < 0 || ret >= len) { +- free(dest); +- free(rundir); +- return NULL; +- } +- ret = snprintf(dest, len, "/tmp/%d/lxc/%s/%s", geteuid(), p, n); +- } else +- ret = snprintf(dest, len, "%s/lock/lxc/%s/%s", rundir, p, n); ++ free(dest); ++ free(rundir); ++ return NULL; ++ } + ++ ret = snprintf(dest, len, "%s/lxc/lock/%s/%s", rundir, p, n); + free(rundir); +- + if (ret < 0 || ret >= len) { + free(dest); + return NULL; +diff --git a/src/tests/locktests.c b/src/tests/locktests.c +index dd3393a..233ca12 100644 +--- a/src/tests/locktests.c ++++ b/src/tests/locktests.c +@@ -122,7 +122,7 @@ int main(int argc, char *argv[]) + exit(1); + } + struct stat sb; +- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/"; ++ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/"; + ret = stat(pathname, &sb); + if (ret != 0) { + fprintf(stderr, "%d: filename %s not created\n", __LINE__, +-- +2.4.6 + diff -Nru lxc-1.0.6/debian/patches/0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch lxc-1.0.6/debian/patches/0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch --- lxc-1.0.6/debian/patches/0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch 1970-01-01 01:00:00.000000000 +0100 +++ lxc-1.0.6/debian/patches/0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch 2015-07-22 18:13:01.000000000 +0200 
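Review bot: The rewritten failure branch in lxclock_name now returns NULL when mkdir_p fails, but the comment block above it still only describes the path layout and says nothing about why the fallback location was dropped, so the constraint that motivated this change is undocumented and a future "helpful" fallback could reintroduce it; I would extend that comment with ` * The lock directory must live under a path that only root (or, for $XDG_RUNTIME_DIR, the owning user) can write to; never fall back to a shared location such as /tmp.` A smaller point: the "/lxc/lock/" literal is repeated in the length comment, in the `strlen("/lxc/lock/")` used to compute `len`, and in both snprintf format strings, so a single `#define LXC_LOCK_DIR "/lxc/lock/"` used in all of them would keep the computed length and the formats from drifting apart. The tail of lxclock_name, including its final return, lies outside the visible hunk.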
@@ -0,0 +1,182 @@ +From 15ec0fd9d490dd5c8a153401360233c6ee947c24 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> +Date: Thu, 16 Jul 2015 16:37:51 -0400 +Subject: [PATCH] CVE-2015-1334: Don't use the container's /proc during attach +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A user could otherwise over-mount /proc and prevent the apparmor profile +or selinux label from being written which combined with a modified +/bin/sh or other commonly used binary would lead to unconfined code +execution. + +Reported-by: Roman Fiedler +Signed-off-by: St??phane Graber <stgra...@ubuntu.com> +--- + src/lxc/attach.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 93 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index ed6ea8d..16d942c 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -76,6 +76,82 @@ + + lxc_log_define(lxc_attach, lxc); + ++int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) { ++ int labelfd = -1; ++ int ret = 0; ++ const char* name; ++ char* command = NULL; ++ ++ name = lsm_name(); ++ ++ if (strcmp(name, "nop") == 0) ++ goto out; ++ ++ if (strcmp(name, "none") == 0) ++ goto out; ++ ++ /* We don't support on-exec with AppArmor */ ++ if (strcmp(name, "AppArmor") == 0) ++ on_exec = 0; ++ ++ if (on_exec) { ++ labelfd = openat(procfd, "self/attr/exec", O_RDWR); ++ } ++ else { ++ labelfd = openat(procfd, "self/attr/current", O_RDWR); ++ } ++ ++ if (labelfd < 0) { ++ SYSERROR("Unable to open LSM label"); ++ ret = -1; ++ goto out; ++ } ++ ++ if (strcmp(name, "AppArmor") == 0) { ++ int size; ++ ++ command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); ++ if (!command) { ++ SYSERROR("Failed to write apparmor profile"); ++ ret = -1; ++ goto out; ++ } ++ ++ size = sprintf(command, "changeprofile %s", lsm_label); ++ if (size < 0) { ++ SYSERROR("Failed to write apparmor profile"); ++ ret = 
-1; ++ goto out; ++ } ++ ++ if (write(labelfd, command, size + 1) < 0) { ++ SYSERROR("Unable to set LSM label"); ++ ret = -1; ++ goto out; ++ } ++ } ++ else if (strcmp(name, "SELinux") == 0) { ++ if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { ++ SYSERROR("Unable to set LSM label"); ++ ret = -1; ++ goto out; ++ } ++ } ++ else { ++ ERROR("Unable to restore label for unknown LSM: %s", name); ++ ret = -1; ++ goto out; ++ } ++ ++out: ++ free(command); ++ ++ if (labelfd != -1) ++ close(labelfd); ++ ++ return ret; ++} ++ + static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) + { + struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); +@@ -588,6 +664,7 @@ struct attach_clone_payload { + struct lxc_proc_context_info* init_ctx; + lxc_attach_exec_t exec_function; + void* exec_payload; ++ int procfd; + }; + + static int attach_child_main(void* data); +@@ -640,6 +717,7 @@ int lxc_attach(const char* name, const c + char* cwd; + char* new_cwd; + int ipc_sockets[2]; ++ int procfd; + signed long personality; + + if (!options) +@@ -849,6 +927,13 @@ int lxc_attach(const char* name, const c + rexit(-1); + } + ++ procfd = open("/proc", O_DIRECTORY | O_RDONLY); ++ if (procfd < 0) { ++ SYSERROR("Unable to open /proc"); ++ shutdown(ipc_sockets[1], SHUT_RDWR); ++ rexit(-1); ++ } ++ + /* attach now, create another subprocess later, since pid namespaces + * only really affect the children of the current process + */ +@@ -876,7 +961,8 @@ int lxc_attach(const char* name, const c + .options = options, + .init_ctx = init_ctx, + .exec_function = exec_function, +- .exec_payload = exec_payload ++ .exec_payload = exec_payload, ++ .procfd = procfd + }; + /* We use clone_parent here to make this subprocess a direct child of + * the initial process. 
Then this intermediate process can exit and +@@ -914,6 +1000,7 @@ static int attach_child_main(void* data) + { + struct attach_clone_payload* payload = (struct attach_clone_payload*)data; + int ipc_socket = payload->ipc_socket; ++ int procfd = payload->procfd; + lxc_attach_options_t* options = payload->options; + struct lxc_proc_context_info* init_ctx = payload->init_ctx; + #if HAVE_SYS_PERSONALITY_H +@@ -1039,12 +1126,11 @@ static int attach_child_main(void* data) + close(ipc_socket); + + /* set new apparmor profile/selinux context */ +- if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) { ++ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { + int on_exec; + + on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; +- ret = lsm_process_label_set(init_ctx->lsm_label, 0, on_exec); +- if (ret < 0) { ++ if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) { + rexit(-1); + } + } +@@ -1095,6 +1181,9 @@ static int attach_child_main(void* data) + } + } + ++ /* we don't need proc anymore */ ++ close(procfd); ++ + /* we're done, so we can now do whatever the user intended us to do */ + rexit(payload->exec_function(payload->exec_payload)); + } +-- +2.4.6 + diff -Nru lxc-1.0.6/debian/patches/series lxc-1.0.6/debian/patches/series --- lxc-1.0.6/debian/patches/series 2015-01-05 19:25:05.000000000 +0100 +++ lxc-1.0.6/debian/patches/series 2015-07-22 18:13:01.000000000 +0200 @@ -15,3 +15,5 @@ 0015-lxc-debian-systemd.patch 0016-lxc-debian-init.patch 0017-lxc-debian-mirror.patch +0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch +0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
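Review bot: `procfd = open("/proc", O_DIRECTORY | O_RDONLY);` in lxc_attach carries the whole fix — per the commit message the descriptor is taken from the host's /proc before the attach, so the label write cannot be redirected by a /proc the container controls — but nothing at the call site says so, and a later refactor that moves the open into attach_child_main after the namespace switch would quietly undo CVE-2015-1334; I would add `/* Open the host's /proc before entering the container's namespaces: lsm_set_label_at() must never go through a /proc the container can over-mount. */` above it. Adding `O_CLOEXEC` to that open would also keep the descriptor from reaching the attached program if any exit path skips the `close(procfd)` near the end of attach_child_main (only the normal path is visible here). In lsm_set_label_at, `size = sprintf(command, "changeprofile %s", lsm_label);` writes into a buffer allocated to fit exactly; keeping the allocation size in a local and using `snprintf(command, len, ...)` with a `size >= len` check would make that fit explicit rather than implied by the malloc line above. lsm_set_label_at is also defined at file scope with no prototype in the hunk, so if nothing outside attach.c calls it, `static` would be the appropriate linkage. lxc_attach and attach_child_main both begin and end outside the visible hunk fragments.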