Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9C8Q126sS901vkG8mMxgQPigkx5gBFpDrXBZJqzB9mfVVKvASCmxDOcSAiq9IjkGPjKbAm7r44vrPcqypgDoadrQ2Wuo4wYXFHdQ8amAvwk=@itk.swiss>
Date: Tue, 14 Mar 2017 12:17:53 -0400
From: Stiepan <stie@....swiss>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "857295@...s.debian.org" <857295@...s.debian.org>
Cc: Stéphane Graber <stgraber@...ntu.com>, serge.hallyn@...ntu.com
Subject: Re: LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership

You are welcome. As stated in my reply to Serge H. Hallyn's off-list message, in the meantime I have installed version 2.0.7 from jessie-backports and am unable to reproduce the issue, as I cannot start unprivileged containers anymore (due to a network error). According to Debian's tracker page for lxc, the version that I have installed from backports is 2.0.7-1, which does not include latest upstream fixes. I guess that I have to wait for the 2.0.7-2 package - which includes latest upstream fixes - to land in jessie-backports for these issues (both security and functional) to be fixed.

CC-ing the Debian address for this bug, as they explicitly asked to do this in case there is a need to reopen the Debian bug, which seems to be the case here (at least, for Jessie, since the intermediary 2.0.7-1 .deb apparently breaks unprivileged networking, besides not fixing the security issue).
To the Debian team in charge of this bug:
As unprivileged mode is not activated by default on Debian, I understand that this is not a priority, but it would still be nice to have this fixed quickly.
By the way, not directly related to this specific bug, but I hope that snapd + LXD somehow finds its way into jessie-backports: that would be great!

Stiepan


-------- Original Message --------
Subject: Re: [oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership
Local Time: 14 March 2017 2:06 AM
UTC Time: 14 March 2017 01:07
From: tyhicks@...onical.com
To: oss-security@...ts.openwall.com
Stéphane Graber <stgraber@...ntu.com>, serge.hallyn@...ntu.com

On 03/10/2017 06:03 AM, Stiepan wrote:
> I don't know whether that is the same bug, or a related one, but on Debian8 using LXC from jessie-backports, setting the default route in a container affects the host - namely, from an unpriv. container, setting the route sets the host's route as well.
> lxc-info --version outputs 2.0.6 and no update is currently available (on Debian).

Thanks for the report. I just tried to reproduce the issue on Ubuntu
16.04 with 2.0.7-0ubuntu1~16.04.2, which is the package patched for the
issue that I announced in this thread. I couldn't reproduce it.

I then installed an old 2.0.6 based deb (2.0.6-0ubuntu1~ubuntu16.04.1)
and still couldn't reproduce it.

I'd suggest opening an upstream bug here:

https://github.com/lxc/lxc/issues/new

(Normally, they prefer private security bugs on Launchpad but your
report to this list is already public so I don't see a need.)

Tyler

> Stiepan
>
>
>
> -------- Original Message --------
> Subject: [oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership
> Local Time: 9 March 2017 5:54 PM
> UTC Time: 9 March 2017 16:55
> From: tyhicks@...onical.com
> To: oss-security@...ts.openwall.com
> Stéphane Graber <stgraber@...ntu.com>
>
> Jann Horn discovered that the lxc-user-nic program could be tricked into
> operating on a network namespace over which the caller did not hold
> privilege.
>
> The behavior didn't follow what was documented in the lxc-user-nic(1)
> man page:
>
> It ensures that the calling user is privileged over the network
> namespace to which the interface will be attached.
>
> This issue is CVE-2017-5985.
>
> https://lists.linuxcontainers.org/pipermail/lxc-users/2017-March/012925.html
> https://launchpad.net/bugs/1654676
> https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9
>
> Tyler
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.