Bug 1122185

Summary: VUL-0: CVE-2019-5736: lxc: container breakout vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Karol Babioch <karol>
Component: IncidentsAssignee: Cédric Bosdonnat <cbosdonnat>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: abergmann, asarai, carlos.lopez, cbosdonnat, meissner, rfrohl, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/223038/
Whiteboard: maint:planned:update
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1121967    
Bug Blocks:    

Description Karol Babioch 2019-01-16 12:33:18 UTC 
+++ This bug was initially created as a clone of Bug #1121967 +++

Opening this bug for the vulnerability described in bsc#1121967 discovered by Aleksa in order to track this separately for lxc. Given that it is another codebase, we should use another CVE for this. Should we request it on your behalf?

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5736
Comment 1 Aleksa Sarai 2019-01-16 13:21:04 UTC 
> Should we request it on your behalf?

Sure, that'd be great (though you'd probably want to submit it to Canonical's CNA).
Comment 3 Aleksa Sarai 2019-01-17 06:23:04 UTC 
(In reply to Aleksa Sarai from comment #1)
> > Should we request it on your behalf?
> 
> Sure, that'd be great (though you'd probably want to submit it to
> Canonical's CNA).

After speaking to the LXC maintainers, their view is that privileged containers cannot ever be safe and thus that this is not CVE-worthy (and so there's no point in submitting a CVE). This is outlined in their security threat model[1]:

> LXC upstream's position is that those containers aren't and cannot be root-safe.

[1]: https://linuxcontainers.org/lxc/security/
Comment 6 Aleksa Sarai 2019-02-08 13:01:38 UTC 
After talking to the upstream LXC maintainers at length, they have prepared a similar patch to the one I have for runc (I have a copy of it, though it might be outdated). They are going to follow the same CRD as CVE-2019-5736.

As far as I'm aware we don't ship LXC for SLE so we can just pick up the upstream patches when they land.
Comment 7 Marcus Meissner 2019-02-12 16:33:21 UTC 
also published
Comment 8 Swamp Workflow Management 2019-03-27 23:40:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/689178 Factory / lxc
Comment 9 Swamp Workflow Management 2019-03-28 17:20:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/689418 Factory / lxc
Comment 10 Swamp Workflow Management 2019-04-03 15:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/691269 Factory / lxc
Comment 11 Swamp Workflow Management 2019-04-07 08:30:15 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/692121 Factory / lxc
https://build.opensuse.org/request/show/692123 42.3 / lxc
https://build.opensuse.org/request/show/692124 15.0 / lxc
https://build.opensuse.org/request/show/692125 Backports:SLE-15 / lxc
Comment 12 Swamp Workflow Management 2019-04-09 14:50:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/692623 15.0 / lxc+lxcfs
https://build.opensuse.org/request/show/692624 42.3 / lxc+lxcfs
https://build.opensuse.org/request/show/692625 Backports:SLE-15 / lxc+lxcfs
Comment 13 Swamp Workflow Management 2019-04-09 17:30:11 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/692672 42.3 / lxc+lxcfs
Comment 14 Swamp Workflow Management 2019-04-17 19:26:06 UTC 
openSUSE-SU-2019:1227-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1122185,1131762,988348
CVE References: CVE-2018-6556,CVE-2019-5736
Sources used:
openSUSE Backports SLE-15 (src):    lxc-3.1.0-bp150.5.3.1, lxcfs-3.0.3-bp150.3.3.1
Comment 15 Swamp Workflow Management 2019-04-23 03:50:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/696917 15.0 / lxc
https://build.opensuse.org/request/show/696918 42.3 / lxc
https://build.opensuse.org/request/show/696919 Backports:SLE-15 / lxc
Comment 16 Swamp Workflow Management 2019-04-23 15:40:11 UTC 
This is an autogenerated message for OBS integration:
This bug (1122185) was mentioned in
https://build.opensuse.org/request/show/697212 15.0 / lxc
https://build.opensuse.org/request/show/697214 42.3 / lxc
https://build.opensuse.org/request/show/697215 Backports:SLE-15 / lxc
Comment 19 Swamp Workflow Management 2019-04-25 19:09:07 UTC 
openSUSE-SU-2019:1275-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1122185,1131762,988348
CVE References: CVE-2018-6556,CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src):    lxc-3.1.0-lp150.2.10.1, lxcfs-3.0.3-lp150.2.3.1
Comment 21 Carlos López 2022-08-12 11:10:36 UTC 
(In reply to Aleksa Sarai from comment #3)
> After speaking to the LXC maintainers, their view is that privileged
> containers cannot ever be safe and thus that this is not CVE-worthy (and so
> there's no point in submitting a CVE). This is outlined in their security
> threat model[1]:
> 
> > LXC upstream's position is that those containers aren't and cannot be root-safe.
> 
> [1]: https://linuxcontainers.org/lxc/security/

Given this, and the infeasibility of the backport to SUSE:SLE-11-SP3:Update, I'm closing this bug and tracking that individual codestream as wontfix.