Bugzilla – Bug 855809
VUL-0: CVE-2013-6441: lxc: sshd template allow privilege escalation on host
Last modified: 2014-05-19 07:54:29 UTC
EMBARGOED via vsec:

On 12/16/2013 01:14 AM, Salvatore Bonaccorso wrote:
> Hi
>
> Florian Sagar discovered and reported an error in the sshd template
> of lxc allowing privilege escalation on the host. The error can be
> found on
>
> https://github.com/lxc/lxc/blob/master/templates/lxc-sshd.in#L131
>
> where the mount is not done read-only. There is already a public
> pull/commit for this issue so might not anymore be embargoed (but
> asking first here).
>
> https://github.com/dotcloud/lxc/pull/1
> https://github.com/usrflo/lxc/commit/fc09866c98468f3d832289d6608ee611a2c3c387
>
> Steps to reproduce provided by Florian:
>
> 1) add "echo I am `id` on `hostname`" to the template lxc-sshd
> (/sbin/init from within the container, as it is writable)
>
> 2) exploit:
> root@agiadm:/usr/lib/lxc/templates# lxc-create -n ssh2 -t sshd
>
> No config file specified, using the default config
> I am uid=0(root) gid=0(root) Gruppen=0(root) on agiadm
> ...
> 'sshd' template installed
> 'ssh2' created
>
> 3) no problem:
> root@agiadm:/usr/lib/lxc/templates# lxc-start -n ssh2
> I am uid=0(root) gid=0(root) Gruppen=0(root) on ssh2
> /usr/lib/lxc/lxc-init ist /usr/lib/lxc/lxc-init
>
> Can a CVE be assigned to this issue?
>
> Regards,
> Salvatore

Please use CVE-2013-6441 for this issue.
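As an added check that is not part of the report, of lxc, or of the referenced pull request: a POSIX sh function that lints the lxc.mount.entry lines of a generated container config for bind mounts of host paths that lack the ro option, the pattern the report describes. The config text, container name and paths are constructed samples; only the fstab-style field layout of lxc.mount.entry is taken from lxc.

```sh
#!/bin/sh
# Constructed sample of a generated container config (lxc.mount.entry lines use
# fstab fields: source target fstype options dump pass). The last entry mirrors
# the reported problem: the host's lxc-init is bind-mounted as the container's
# /sbin/init without "ro", so a file the host executes is writable from inside.
SAMPLE_CONFIG='lxc.mount.entry=/lib /var/lib/lxc/ssh2/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/usr /var/lib/lxc/ssh2/rootfs/usr none ro,bind 0 0
lxc.mount.entry=proc /var/lib/lxc/ssh2/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=/usr/lib/lxc/lxc-init /var/lib/lxc/ssh2/rootfs/sbin/init none bind 0 0'

# The same constructed config with the mount done read-only, as the report asks.
FIXED_CONFIG='lxc.mount.entry=/lib /var/lib/lxc/ssh2/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/usr /var/lib/lxc/ssh2/rootfs/usr none ro,bind 0 0
lxc.mount.entry=proc /var/lib/lxc/ssh2/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=/usr/lib/lxc/lxc-init /var/lib/lxc/ssh2/rootfs/sbin/init none ro,bind 0 0'

# writable_host_binds CONFIG_TEXT
# Prints "source -> target (options)" for every bind or rbind entry whose
# option list lacks "ro". Exit status is 1 if any were found, else 0.
writable_host_binds() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*lxc\.mount\.entry[[:space:]]*=/ {
            # drop the key so the fstab-style fields line up:
            # $1=source $2=target $3=fstype $4=options $5=dump $6=pass
            sub(/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/, "")
            n = split($4, opts, ",")
            is_bind = 0; is_ro = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "bind" || opts[i] == "rbind") is_bind = 1
                if (opts[i] == "ro") is_ro = 1
            }
            if (is_bind && !is_ro) {
                print $1 " -> " $2 " (" $4 ")"
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Run the check on both samples; on a real host, feed it a container config:
#   writable_host_binds "$(cat /var/lib/lxc/NAME/config)"
writable_host_binds "$SAMPLE_CONFIG" || echo "writable host bind mount(s) found"
writable_host_binds "$FIXED_CONFIG" && echo "fixed config: all bind mounts read-only"
```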
Thorsten, we already have an older submission pending with other fixes. Please branch from home:cbosdonnat:branches:SUSE:SLE-11-SP3:Update:Test/lxc, add your fixes and then submit to SUSE:SLE-11-SP3:Update:Test. Thanks.
See Leonardo's comment, and when done reassign this bug to security-team.
(In reply to comment #3)
> Thorsten, we already have an older submission pending with other fixes. Please
> branch from home:cbosdonnat:branches:SUSE:SLE-11-SP3:Update:Test/lxc, add your
> fixes and then submit to SUSE:SLE-11-SP3:Update:Test.
>
Done, via SR 30315
The SWAMPID for this issue is 55558. This issue was rated as moderate. Please submit fixed packages until 2014-01-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
bugbot adjusting priority
Err, the above comment contains email addresses, so don't unprivatize it. Nevertheless, it reads like we don't need to continue the update, as it's useless.
If they push the 'fix' upstream, we can get it via there for future products, but reading his explanation makes it useless to waste update+QA efforts. Closing as WONTFIX.
Hm, reading comment #3 I leave this to Leonardo, whether the other non-sec fixes still deserve the update (but then probably as maintenance since the CVE is revoked).
I think at the moment we shouldn't do a maintenance update for the three known bugs. Both are low priority and no L3 was involved. lxc is not widely used (yet) anyway. We can do it in 4 to 8 weeks, but currently the QA queue is already quite long.
I agree with Stephan and moved the bugs back to the planned updates list. Sebastian: should we revert the security 'fix' that was checked-in? Since the CVE was revoked, mentioning it in the change log might cause confusion in the future. Not sure if it's worth the trouble to revert though :/ What's your opinion?
OK. So then I close this bug as well.
The SWAMPID for this issue is 56824. This issue was rated as low. Please submit fixed packages until 2014-04-25. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
make public
This particular bug was marked as WONTFIX, so I think that's OK. However, AFAIK there are other bnc's that were fixed via this SWAMP.
Update released for: lxc, lxc-debuginfo, lxc-debugsource, lxc-devel
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0643-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 839653,839663,855809,869663
CVE References: CVE-2013-6441
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): lxc-0.8.0-0.21.6
SUSE Linux Enterprise Server 11 SP3 for VMware (src): lxc-0.8.0-0.21.6
SUSE Linux Enterprise Server 11 SP3 (src): lxc-0.8.0-0.21.6
SUSE Linux Enterprise Desktop 11 SP3 (src): lxc-0.8.0-0.21.6