[3.3] lxc: lxc-start symlink vulnerabilities may allow guest to read host filesystem (CVE-2015-1335)
Roman Fiedler discovered a directory traversal flaw that can occur
lxc-start is initially setting up the mounts for a container.
If an attacker constructs a malicious symlink in the target path of a
container mount point, the symlink could be mishandled the next time the
container is started and the mount operation may be performed at an
undesired target location.
Additionally, if the source path of the mount is a malicious symlink
relative to the container, the symlink could be mishandled to bind mount
an undesired file or directory into the container.
Direct modification of the host’s mount table is not possible since a
slave copy of the mount table is used.
An example of an attack that is made possible by this flaw is a user
inside of the container could leave behind a malicious symlink, at a
mount point target under their control, that would cause /proc/self/attr
to be mounted over. lxc-start would then unknowingly write to a “fake”
/proc/self/attr/current file, prior to launching the container init, to
perform an AppArmor profile transition. The profile transition would not
occur and the container init would run under incorrect confinement.
The fix for LXC 1.0 is:
The fix for LXC 1.1 is:
The fix for LXC master is:
(from redmine: issue id 4684, created on 2015-09-30, closed on 2015-12-04)
- parent #4683 (closed)