lxc: CVE-2016-8649: attach: do not send procfd to attached process

Debian Bug report logs - #845465
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 23 Nov 2016 18:09:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions lxc/1:1.0.6-6+deb8u4, lxc/1:2.0.5-3, lxc/1:1.0.6-6+deb8u3

Fixed in versions lxc/1:2.0.6-1, lxc/1:1.0.6-6+deb8u5

Done: Evgeni Golov <evgeni@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-lxc <pkg-lxc-devel@lists.alioth.debian.org>:
Bug#845465; Package src:lxc. (Wed, 23 Nov 2016 18:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-lxc <pkg-lxc-devel@lists.alioth.debian.org>. (Wed, 23 Nov 2016 18:09:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lxc: CVE-2016-8649: attach: do not send procfd to attached process
Date: Wed, 23 Nov 2016 19:06:45 +0100
Source: lxc
Version: 1:2.0.5-3
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for lxc.

CVE-2016-8649[0]:
lxc-attach to malicious container allows access to host

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8649
[1] https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c
[2] https://launchpad.net/bugs/1639345
[3] http://www.openwall.com/lists/oss-security/2016/11/23/6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions lxc/1:1.0.6-6+deb8u3. Request was from Evgeni Golov <evgeni@debian.org> to control@bugs.debian.org. (Thu, 24 Nov 2016 07:45:02 GMT) (full text, mbox, link).


Marked as found in versions lxc/1:1.0.6-6+deb8u4. Request was from Evgeni Golov <evgeni@debian.org> to control@bugs.debian.org. (Thu, 24 Nov 2016 07:45:05 GMT) (full text, mbox, link).


Reply sent to Evgeni Golov <evgeni@debian.org>:
You have taken responsibility. (Thu, 24 Nov 2016 07:51:12 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 24 Nov 2016 07:51:12 GMT) (full text, mbox, link).


Message #14 received at 845465-close@bugs.debian.org (full text, mbox, reply):

From: Evgeni Golov <evgeni@debian.org>
To: 845465-close@bugs.debian.org
Subject: Bug#845465: fixed in lxc 1:2.0.6-1
Date: Thu, 24 Nov 2016 07:48:49 +0000
Source: lxc
Source-Version: 1:2.0.6-1

We believe that the bug you reported is fixed in the latest version of
lxc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845465@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Evgeni Golov <evgeni@debian.org> (supplier of updated lxc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 24 Nov 2016 08:07:02 +0100
Source: lxc
Binary: lxc lxc-dev lxc-tests liblxc1 python3-lxc lua-lxc
Architecture: source
Version: 1:2.0.6-1
Distribution: unstable
Urgency: high
Maintainer: pkg-lxc <pkg-lxc-devel@lists.alioth.debian.org>
Changed-By: Evgeni Golov <evgeni@debian.org>
Description:
 liblxc1    - Linux Containers userspace tools (library)
 lua-lxc    - Linux Containers userspace tools (Lua bindings)
 lxc        - Linux Containers userspace tools
 lxc-dev    - Linux Containers userspace tools (development)
 lxc-tests  - Linux Containers userspace tools (test binaries)
 python3-lxc - Linux Containers userspace tools (Python 3.x bindings)
Closes: 844086 845465
Changes:
 lxc (1:2.0.6-1) unstable; urgency=high
 .
   * New upstream version 2.0.6
     + attach: do not send procfd to attached process
       Closes: #845465
       CVE-2016-8649
   * liblxc1: add depends on cgroupfs-mount | systemd (Closes: #844086)
   * drop patches applied/imported upstream
   * debian/tests: add iptables to tests depends





Reply sent to Evgeni Golov <evgeni@debian.org>:
You have taken responsibility. (Wed, 14 Dec 2016 21:06:11 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Dec 2016 21:06:11 GMT) (full text, mbox, link).


Message #19 received at 845465-close@bugs.debian.org (full text, mbox, reply):

From: Evgeni Golov <evgeni@debian.org>
To: 845465-close@bugs.debian.org
Subject: Bug#845465: fixed in lxc 1:1.0.6-6+deb8u5
Date: Wed, 14 Dec 2016 21:03:40 +0000
Source: lxc
Source-Version: 1:1.0.6-6+deb8u5

We believe that the bug you reported is fixed in the latest version of
lxc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 845465@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Evgeni Golov <evgeni@debian.org> (supplier of updated lxc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 24 Nov 2016 08:14:36 +0100
Source: lxc
Binary: lxc lxc-dbg
Architecture: source amd64
Version: 1:1.0.6-6+deb8u5
Distribution: jessie
Urgency: medium
Maintainer: Daniel Baumann <mail@daniel-baumann.ch>
Changed-By: Evgeni Golov <evgeni@debian.org>
Description:
 lxc        - Linux Containers userspace tools
 lxc-dbg    - Linux Containers userspace tools (debug)
Closes: 845465
Changes:
 lxc (1:1.0.6-6+deb8u5) jessie; urgency=medium
 .
   * attach: do not send procfd to attached process
     Closes: #845465
     CVE-2016-8649





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:33:56 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:37:10 2019; Machine Name: buxtehude
