| Summary: | lxc new security issues CVE-2015-1331 and CVE-2015-1334 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, mageia, sysadmin-bugs, thierry.vignaud, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/652012/ | | |
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | lxc-1.0.5-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser 2015-07-22 17:12:52 CEST

David Walser 2015-07-22 17:13:04 CEST
CC: (none) => thierry.vignaud

Ubuntu has issued an advisory for this today (July 22):
http://www.ubuntu.com/usn/usn-2675-1

URL: (none) => http://lwn.net/Vulnerabilities/652012/

Debian and Ubuntu have both only patched LXC 1.0.x or newer versions. I guess we can skip Mageia 4.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated lxc packages fix security vulnerabilities:

Roman Fiedler discovered that LXC had a directory traversal flaw when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user (CVE-2015-1331).

Roman Fiedler discovered that LXC incorrectly trusted the container's proc filesystem to set up AppArmor profile changes and SELinux domain transitions. A local attacker could exploit this flaw to run programs inside the container that are not confined by AppArmor or SELinux (CVE-2015-1334).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1334
http://www.ubuntu.com/usn/usn-2675-1
========================

Updated packages in core/updates_testing:
========================
lxc-1.0.5-3.1.mga5
liblxc1-1.0.5-3.1.mga5
liblxc-devel-1.0.5-3.1.mga5

from lxc-1.0.5-3.1.mga5.src.rpm

CC: (none) => mageia
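The first item in the advisory above describes the bug class behind CVE-2015-1331: a lock-file path assembled from a container-controlled name, so a name containing ".." walks out of the lock directory and a root-owned file lands wherever the attacker points it. The following is an added example written for this page; it is not LXC's code and not the patch shipped in this update. The lock root /run/lock/lxc, the layout <lockdir>/<name>, and all function names are assumptions for illustration. It shows the unsafe concatenation beside a hardened builder that restricts the name to a conservative alphabet, lexically re-checks that the composed path still sits under the lock directory, and opens the lock file with O_NOFOLLOW so a symlink planted at that path cannot redirect the create.

```c
/* Added example, not LXC's code. Assumed layout: LOCK_DIR/<name>. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define LOCK_DIR "/run/lock/lxc"   /* assumed lock root, illustrative only */

/* Vulnerable pattern: the caller-supplied name goes straight into the path.
 * name = "../../../etc/cron.d/evil" resolves outside LOCK_DIR, and a
 * privileged creator would drop a root-owned file there. */
int build_lock_path_unsafe(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", LOCK_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Accept only [A-Za-z0-9._-]; reject empty, "." and "..". No '/' can pass. */
int valid_container_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Lexically collapse "//", "." and ".." in an absolute path (no filesystem access). */
void lexical_normalize(const char *in, char *out, size_t outlen)
{
    char tmp[PATH_MAX];
    char *parts[PATH_MAX / 2];
    int np = 0;
    size_t pos = 0;

    snprintf(tmp, sizeof tmp, "%s", in);
    for (char *tok = strtok(tmp, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (np > 0)
                np--;          /* ".." above "/" stays at "/" */
            continue;
        }
        parts[np++] = tok;
    }
    if (np == 0) {
        snprintf(out, outlen, "/");
        return;
    }
    out[0] = '\0';
    for (int i = 0; i < np; i++) {
        int n = snprintf(out + pos, outlen - pos, "/%s", parts[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            break;
        pos += (size_t)n;
    }
}

/* 1 if the normalized path is strictly below dir; a sibling such as
 * "/run/lock/lxcfoo" does not count as inside "/run/lock/lxc". */
int path_inside_dir(const char *path, const char *dir)
{
    char norm[PATH_MAX];
    size_t dl = strlen(dir);

    lexical_normalize(path, norm, sizeof norm);
    return strncmp(norm, dir, dl) == 0 && norm[dl] == '/';
}

/* Hardened builder: validate the name first, then re-check the composed path. */
int build_lock_path(char *out, size_t outlen, const char *name)
{
    if (!valid_container_name(name))
        return -1;
    if (build_lock_path_unsafe(out, outlen, name) < 0)
        return -1;
    return path_inside_dir(out, LOCK_DIR) ? 0 : -1;
}

/* Create or open the lock file; O_NOFOLLOW refuses a symlink planted at the path. */
int open_lock_file(const char *name)
{
    char path[PATH_MAX];

    if (build_lock_path(path, sizeof path, name) < 0) {
        errno = EINVAL;
        return -1;
    }
    return open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
}
```

The name check alone already blocks traversal, since no '/' can get through; the lexical re-check is a second, independent guard so that a later change to the accepted alphabet cannot silently reopen the hole. O_NOFOLLOW addresses the neighbouring problem of a symlink pre-planted at a legitimate lock path, which name validation does nothing about.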
Dave Hodgins 2015-07-28 17:17:53 CEST
CC: (none) => davidwhodgins

In VirtualBox, M5, KDE, 32-bit

Package(s) under test: lxc liblxc1 liblxc-devel

default install of lxc liblxc1 & liblxc-devel

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc1
Package liblxc1-1.0.5-3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc-devel
Package liblxc-devel-1.0.5-3.mga5.i586 is already installed

using Lewis Smith's Comment 2 in: https://bugs.mageia.org/show_bug.cgi?id=12760

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
c8:ff:83:c7:a7:1b:fc:ec:ce:1d:66:84:ab:2c:17:50 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| | | E |...........

lxc seems to respond as expected.

In a root terminal run: lxc-destroy -n lxcsshd

install lxc liblxc1 & liblxc-devel from updates_testing

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc1
Package liblxc1-1.0.5-3.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi liblxc-devel
Package liblxc-devel-1.0.5-3.1.mga5.i586 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
2b:d2:d8:5d:97:56:2d:a7:b4:08:e0:b1:86:39:90:c8 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| . ... o | | E .. + + . |........

lxc continues to respond as expected.

Note: you can go back and forth between:
lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
and
lxc-destroy -n lxcsshd
as many times as you want to test.

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

Package(s) under test: lxc lib64lxc1 lib64lxc-devel

default install of lxc lib64lxc1 & lib64lxc-devel

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc1
Package lib64lxc1-1.0.5-3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc-devel
Package lib64lxc-devel-1.0.5-3.mga5.x86_64 is already installed

using Lewis Smith's Comment 2 in: https://bugs.mageia.org/show_bug.cgi?id=12760

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
03:aa:13:98:75:99:9f:00:eb:7f:1c:e1:5b:6d:27:4a root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| . | | o o |...........

lxc seems to respond as expected.

In a root terminal run: lxc-destroy -n lxcsshd

install lxc lib64lxc1 & lib64lxc-devel from updates_testing

[root@localhost wilcal]# urpmi lxc
Package lxc-1.0.5-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc1
Package lib64lxc1-1.0.5-3.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64lxc-devel
Package lib64lxc-devel-1.0.5-3.1.mga5.x86_64 is already installed

[root@localhost wilcal]# lxc-create -n lxcsshd -t /usr/share/lxc/templates/lxc-sshd
Generating public/private rsa key pair.
Your identification has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /var/lib/lxc/lxcsshd/rootfs/etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
b9:bc:54:f2:df:43:67:95:bd:14:2a:b4:20:d9:c4:a8 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| *. | | + + . . |........

lxc continues to respond as expected.
William Kenney 2015-08-05 19:21:24 CEST
Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OK

I'd say unless someone wants to become an lxc expert on testing this thing this looks good to go. Agree David?

Yep, let's go.

This update works fine. Testing complete for MGA5, 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push to updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0304.html

Status: NEW => RESOLVED