oss-sec mailing list archives
Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership
From: Tyler Hicks <tyhicks () canonical com>
Date: Mon, 13 Mar 2017 20:07:14 -0500
On 03/10/2017 06:03 AM, Stiepan wrote:
I don't know whether that is the same bug, or a related one, but on Debian8 using LXC from jessie-backports, setting the default route in a container affects the host - namely, from an unpriv. container, setting the route sets the host's route as well. lxc-info --version outputs 2.0.6 and no update is currently available (on Debian).
Thanks for the report. I just tried to reproduce the issue on Ubuntu 16.04 with 2.0.7-0ubuntu1~16.04.2, which is the package patched for the issue that I announced in this thread. I couldn't reproduce it. I then installed an old 2.0.6 based deb (2.0.6-0ubuntu1~ubuntu16.04.1) and still couldn't reproduce it. I'd suggest opening an upstream bug here: https://github.com/lxc/lxc/issues/new (Normally, they prefer private security bugs on Launchpad but your report to this list is already public so I don't see a need.) Tyler
Stiepan -------- Original Message -------- Subject: [oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Local Time: 9 March 2017 5:54 PM UTC Time: 9 March 2017 16:55 From: tyhicks () canonical com To: oss-security () lists openwall com Stéphane Graber <stgraber () ubuntu com> Jann Horn discovered that the lxc-user-nic program could be tricked into operating on a network namespace over which the caller did not hold privilege. The behavior didn't follow what was documented in the lxc-user-nic(1) man page: It ensures that the calling user is privileged over the network namespace to which the interface will be attached. This issue is CVE-2017-5985. https://lists.linuxcontainers.org/pipermail/lxc-users/2017-March/012925.html https://launchpad.net/bugs/1654676 https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9 Tyler
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Tyler Hicks (Mar 09)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Stiepan (Mar 10)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Tyler Hicks (Mar 13)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Stiepan (Mar 14)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Stiepan (Mar 15)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Stiepan (Mar 28)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Serge E. Hallyn (Mar 28)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Tyler Hicks (Mar 13)
- Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership Stiepan (Mar 10)