[2.7] lxc: lxc-start symlink vulnerabilities may allow guest to read host filesystem (CVE-2015-1335)
Roman Fiedler discovered a directory traversal flaw that can occur
while
lxc-start is initially setting up the mounts for a container.
If an attacker constructs a malicious symlink in the target path of a
container mount point, the symlink could be mishandled the next time
the
container is started and the mount operation may be performed at an
undesired target location.
Additionally, if the source path of the mount is a malicious symlink
relative to the container, the symlink could be mishandled to bind
mount
an undesired file or directory into the container.
Direct modification of the host’s mount table is not possible since a
slave copy of the mount table is used.
An example of an attack that is made possible by this flaw is a user
inside of the container could leave behind a malicious symlink, at a
mount point target under their control, that would cause
/proc/self/attr
to be mounted over. lxc-start would then unknowingly write to a “fake”
/proc/self/attr/current file, prior to launching the container init,
to
perform an AppArmor profile transition. The profile transition would
not
occur and the container init would run under incorrect confinement.
Rererences:
https://security-tracker.debian.org/tracker/CVE-2015-1335
https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662
https://marc.info/?l=oss-security&m=144354149523689&w=2
Patch:
The fix for LXC 1.0 is:
https://github.com/lxc/lxc/commit/6bbb8100c4dec4b1c71758c27104985a694a4eac
The fix for LXC 1.1 is:
https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d
The fix for LXC master is:
https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be
(from redmine: issue id 4688, created on 2015-09-30, closed on 2015-12-02)
- Relations:
- parent #4683 (closed)