Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2015-1331 CVE-2015-1334

Related Vulnerabilities: CVE-2015-1331   CVE-2015-1334  

Source

Debian Bug report logs - #793298
CVE-2015-1331 CVE-2015-1334

version graph

Package: lxc; Maintainer for lxc is pkg-lxc <pkg-lxc-devel@lists.alioth.debian.org>; Source for lxc is src:lxc (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 22 Jul 2015 15:15:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version lxc/1:1.0.6-6

Fixed in versions 1:1.0.7-4, lxc/1:1.0.6-6+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Baumann <mail@daniel-baumann.ch>:
Bug#793298; Package lxc. (Wed, 22 Jul 2015 15:15:05 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Baumann <mail@daniel-baumann.ch>. (Wed, 22 Jul 2015 15:15:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-1331 CVE-2015-1334
Date: Wed, 22 Jul 2015 17:13:29 +0200
Package: lxc
Severity: grave
Tags: security

These two security issues were reported by Tyler Hicks on
oss-security:

* Roman Fiedler discovered a directory traversal flaw that allows
  arbitrary file creation as the root user. A local attacker must set
  up a symlink at /run/lock/lxc/var/lib/lxc/<CONTAINER>, prior to an
  admin ever creating an LXC container on the system. If an admin then
  creates a container with a name matching <CONTAINER>, the symlink will be
  followed and LXC will create an empty file at the symlink's target as
  the root user.
  - CVE-2015-1331
  - Affects LXC 1.0.0 and higher
  - https://launchpad.net/bugs/1470842
  - https://github.com/lxc/lxc/commit/72cf81f6a3404e35028567db2c99a90406e9c6e6 (master)
  - https://github.com/lxc/lxc/commit/61ecf69d7834921cc078e14d1b36c459ad8f91c7
    (stable-1.1)
  - https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99
    (stable-1.0)

* Roman Fiedler discovered a flaw that allows processes intended to be
  run inside of confined LXC containers to escape their AppArmor or
  SELinux confinement. A malicious container can create a fake proc
  filesystem, possibly by mounting tmpfs on top of the container's
  /proc, and wait for a lxc-attach to be ran from the host environment.
  lxc-attach incorrectly trusts the container's
  /proc/PID/attr/{current,exec} files to set up the AppArmor profile and
  SELinux domain transitions which may result in no confinement being
  used.
  - CVE-2015-1334
  - Affects LXC 0.9.0 and higher
  - https://launchpad.net/bugs/1475050
  - https://github.com/lxc/lxc/commit/5c3fcae78b63ac9dd56e36075903921bd9461f9e
    (master)
  - https://github.com/lxc/lxc/commit/659e807c8dd1525a5c94bdecc47599079fad8407
    (stable-1.1)
  - https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24
    (stable-1.0)

Can you prepare an update for jessie-security?

Cheers,
        Moritz

Marked as found in versions lxc/1:1.0.6-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Jul 2015 15:21:11 GMT) (full text, mbox, link).

Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Jul 2015 15:21:12 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <mail@daniel-baumann.ch>:
Bug#793298; Package lxc. (Wed, 22 Jul 2015 16:21:14 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <mail@daniel-baumann.ch>. (Wed, 22 Jul 2015 16:21:14 GMT) (full text, mbox, link).

Message #14 received at 793298@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 793298@bugs.debian.org
Subject: Re: Bug#793298: CVE-2015-1331 CVE-2015-1334
Date: Wed, 22 Jul 2015 18:18:33 +0200
[Message part 1 (text/plain, inline)]
Hi Daniel, Hi Moritz,

Attached is proposed debdiff (not yet uploaded to security-master) for
jessie-security itself. Just compile-tested so far.

Built packages for amd64: https://people.debian.org/~carnil/tmp/lxc/

Regards,
Salvatore

[lxc_1.0.6-6+deb8u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <mail@daniel-baumann.ch>:
Bug#793298; Package lxc. (Wed, 22 Jul 2015 16:39:03 GMT) (full text, mbox, link).

Acknowledgement sent to daniel.baumann@progress-technologies.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <mail@daniel-baumann.ch>. (Wed, 22 Jul 2015 16:39:04 GMT) (full text, mbox, link).

Message #19 received at 793298@bugs.debian.org (full text, mbox, reply):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: Salvatore Bonaccorso <carnil@debian.org>, Moritz Muehlenhoff <jmm@debian.org>
Cc: 793298@bugs.debian.org
Subject: Re: Bug#793298: CVE-2015-1331 CVE-2015-1334
Date: Wed, 22 Jul 2015 18:35:46 +0200
I'm uploading to sid as we speak..

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/

Marked as fixed in versions 1:1.0.7-4. Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Wed, 22 Jul 2015 16:57:08 GMT) (full text, mbox, link).

Marked Bug as done Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Wed, 22 Jul 2015 16:57:09 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 22 Jul 2015 16:57:10 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <mail@daniel-baumann.ch>:
Bug#793298; Package lxc. (Thu, 23 Jul 2015 14:51:08 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <mail@daniel-baumann.ch>. (Thu, 23 Jul 2015 14:51:08 GMT) (full text, mbox, link).

Message #30 received at 793298@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: daniel.baumann@progress-technologies.net, 793298@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#793298: CVE-2015-1331 CVE-2015-1334
Date: Thu, 23 Jul 2015 16:48:06 +0200
Hi Daniel,

On Wed, Jul 22, 2015 at 06:35:46PM +0200, Daniel Baumann wrote:
> I'm uploading to sid as we speak..

Thanks a lot. I can handle the jessie-security upload based on the
debdiff proposed earlier.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <mail@daniel-baumann.ch>:
Bug#793298; Package lxc. (Thu, 23 Jul 2015 18:36:10 GMT) (full text, mbox, link).

Acknowledgement sent to daniel.baumann@progress-technologies.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <mail@daniel-baumann.ch>. (Thu, 23 Jul 2015 18:36:10 GMT) (full text, mbox, link).

Message #35 received at 793298@bugs.debian.org (full text, mbox, reply):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 793298@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#793298: CVE-2015-1331 CVE-2015-1334
Date: Thu, 23 Jul 2015 20:34:16 +0200
On 07/23/2015 04:48 PM, Salvatore Bonaccorso wrote:
> I can handle the jessie-security upload based on the
> debdiff proposed earlier.

thanks.

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 30 Jul 2015 21:21:34 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 30 Jul 2015 21:21:34 GMT) (full text, mbox, link).

Message #40 received at 793298-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 793298-close@bugs.debian.org
Subject: Bug#793298: fixed in lxc 1:1.0.6-6+deb8u1
Date: Thu, 30 Jul 2015 21:17:41 +0000
Source: lxc
Source-Version: 1:1.0.6-6+deb8u1

We believe that the bug you reported is fixed in the latest version of
lxc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793298@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated lxc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Jul 2015 18:12:27 +0200
Source: lxc
Binary: lxc lxc-dbg
Architecture: source
Version: 1:1.0.6-6+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Daniel Baumann <mail@daniel-baumann.ch>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 lxc        - Linux Containers userspace tools
 lxc-dbg    - Linux Containers userspace tools (debug)
Closes: 793298
Changes:
 lxc (1:1.0.6-6+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch.
     CVE-2015-1331: Directory traversal flaw that allows arbitrary file
     creation as the root user. (Closes: #793298)
   * Add 0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch.
     CVE-2015-1334: Processes intended to be run inside of confined LXC
     containers could escape their AppArmor or SELinux confinement.
     (Closes: #793298)
Checksums-Sha1:
 ed81cd8a0e58e66bcd11e2f826c2a0dec0d86632 2082 lxc_1.0.6-6+deb8u1.dsc
 6ea61825e4edc71ddec56d3899d4f0e9dce1c509 508868 lxc_1.0.6.orig.tar.xz
 84024f4d20b12d31825673cff81d6389e0f5a6a1 29668 lxc_1.0.6-6+deb8u1.debian.tar.xz
Checksums-Sha256:
 f89c2f20af1a5068a5b66eb9edea99cf42bc36dedec75ae7a01617dc8227a713 2082 lxc_1.0.6-6+deb8u1.dsc
 4a794c57ee852bcbb8f3d543eace6a86e75156c5681c9daf1b01d79407a70c74 508868 lxc_1.0.6.orig.tar.xz
 7bfeab59ab2b111ca03096d1b7cf9a87314d94389b657a90ad90dda0ccaa1520 29668 lxc_1.0.6-6+deb8u1.debian.tar.xz
Files:
 d26f8b7df14a407e28832986572e25a8 2082 admin optional lxc_1.0.6-6+deb8u1.dsc
 30a70dfbbb7fa016febd26b33f12e20d 508868 admin optional lxc_1.0.6.orig.tar.xz
 13e6e2ac25600e77b147941a81a2099b 29668 admin optional lxc_1.0.6-6+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVsSLfAAoJEAVMuPMTQ89EUdYP/RD2lWhpwngDGlaShshaBMyI
u9j7LtbIaPUxmw8YCTiYrZHqdZWh7+4SsCq1GTBqEDzUTjqUR6Eb9iFSm53d01jS
3F/YGz1Mn3XkIFb0NrnUPs5u+YWeteIMxkVC8PwG8pMqk+7R1N77Ap8q1e0IA2jt
bFQmLsuhboPDyPgCL5NwtEg6kZmLo3GRxOkAw/0b9aK/LT4d2pqBgV6xO2lDIOc1
DXJ6CqCTAdD+HtbV1rQOd+1jqK7DDioVFTFNhk21XPvl8GQ3K3kpjGZlbDZOz5+d
pwFjVfmL9HS+pnlLqf7n35iNkCgpXriIfP/hX8BiX2YbqvuOKmz8BBAuvvpalkma
iXEnX6bkYwfTRIhvSsaJnA4R/QF9NuE6yrbW3+ASoQi5yV3U9X7qg7B5LEsBLD4M
3xRNP9y9xbo1vIJ71d6fxIEcalmS65Tm+YG2SWIMu39LW94PCt7sQn4HNvRBwetu
VU766RZBfC98JQh7H6CKHDrDedg6eRTnJ4zv26ejMiv3X7M5kzXA9GV7P5lrHqWI
ztcwWr0kWGwVpDz/QZ5A8JbhcvBz2YZzMoKOdujztjso6wZgUZqedRSCuaAQzL90
nnRfqzigPFfbFa5lQ4Of4eLqeP8EcaUB1E6jLcAhNhu1huVPg3c/TblmFc+7ynw0
YoC4UpOw5ElTdi0NyvF9
=6MoC
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Sep 2015 07:43:10 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:29:34 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started