Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 6 Aug 2018 12:27:03 -0400
From: Stéphane Graber <stgraber@...ntu.com>
To: lxc-devel@...ts.linuxcontainers.org,
	lxc-users@...ts.linuxcontainers.org
Cc: oss-security@...ts.openwall.com, Matthias Gerstner <mgerstner@...e.de>
Subject: CVE-2018-6556: lxc-user-nic allows for open() of arbitrary paths

Hello,

This is a notice for a security issue affecting the following LXC versions:
 - 2.0.9 and higher
 - 3.0.0 and higher


Description of the issue:
  lxc-user-nic (setuid) when asked to delete a network interface will
  unconditionally open a user provided path.

  This code path may be used by an unprivileged user to check for
  the existence of a path which they wouldn't otherwise be able to reach.

  It may also be used to trigger side effects by causing a (read-only) open
  of special kernel files (ptmx, proc, sys).

This was reported to us by Matthias Gerstner from SUSE and Christian
Brauner on the LXC team took care of finding a workable solution and
preparing the needed updates.


Fixes:
 - stable-2.0: https://github.com/lxc/lxc/commit/5eb45428b312e978fb9e294dde16efb14dd9fa4d
 - stable-3.0: https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
 - master: https://github.com/lxc/lxc/commit/f26dc127bf5d66e8c29f8584c64bd97c9bbbc574

Linux distributions were privately notified with about a week notice and
so should have security updates ready for this already, or will shortly.

We will not be issuing emergency release tarballs for this issue so if
you're maintaining your own build, you should be cherry-picking one of
the fixes above. We do however intend to release LXC 3.0.2 very shortly
which will include this fix among other traditional bugfixes.

References:
 - https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591
 - https://bugzilla.suse.com/show_bug.cgi?id=988348

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.