Package : lxc
Version : 0.7.2-1+deb6u1
CVE ID : CVE-2013-6441 CVE-2015-1335
Debian Bug : #800471
Brief introduction
CVE-2013-6441
The template script lxc-sshd used to mount itself as /sbin/init in the
container using a writable bind-mount.
This update resolved the above issue by using a read-only bind-mount
instead preventing any form of potentially accidental damage.
CVE-2015-1335
On container startup, lxc sets up the container's initial file system
tree by doing a bunch of mounting, guided by the container's configuration
file.
The container config is owned by the admin or user on the host, so we
do not try to guard against bad entries. However, since the mount
target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.
This update implements a safe_mount() function that prevents lxc from
doing mounts onto symbolic links.
--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
Attachment:
signature.asc
Description: Digital signature