Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201711-09 ] LXC: Remote security bypass
Date: Sat, 11 Nov 2017 15:13:18
Message-Id: 4257641.9sNYmFikgY@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: LXC: Remote security bypass
Date: November 11, 2017
Bugs: #636386
ID: 201711-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in LXC may lead to an unauthorized security bypass.

Background
==========

LinuX Containers userspace utilities

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/lxc            < 2.0.7                    >= 2.0.7

Description
===========

Previous versions of lxc-attach ran a shell or the specified command
without allocating a pseudo terminal, making it vulnerable to input
faking via a TIOCSTI ioctl call.

Impact
======

Remote attackers can escape the container and perform unauthorized
modifications.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LXC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/lxc-2.0.7"

References
==========

[ 1 ] CVE-2016-10124
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10124

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201711-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

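The Description section attributes the issue to a command being run without a pseudo terminal of its own. As an added illustration (not code from LXC or from this advisory), the Linux-only C function below shows the general hardening pattern: allocate a fresh pty, put the child in a new session, and make the pty its controlling terminal before exec. The function name `run_on_new_pty` is hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (Linux only): run `cmd` under /bin/sh on a freshly allocated
 * pseudo terminal and copy what it prints into `out`.
 * Returns the command's exit status, or -1 on error. */
int run_on_new_pty(const char *cmd, char *out, size_t outsz)
{
    char name[32];
    unsigned int num;
    int unlock = 0, status, slave = -1;
    int master = outsz ? open("/dev/ptmx", O_RDWR | O_NOCTTY) : -1;
    if (master < 0)
        return -1;
    /* Unlock the slave side and look up its /dev/pts/N name. */
    if (ioctl(master, TIOCSPTLCK, &unlock) == 0 && ioctl(master, TIOCGPTN, &num) == 0) {
        snprintf(name, sizeof name, "/dev/pts/%u", num);
        slave = open(name, O_RDWR | O_NOCTTY);
    }
    pid_t pid = slave < 0 ? -1 : fork();
    if (pid < 0) {
        close(master);
        if (slave >= 0) close(slave);
        return -1;
    }
    if (pid == 0) {
        /* New session: the child gives up the caller's controlling tty ... */
        setsid();
        /* ... and adopts the pty instead, so terminal ioctls such as TIOCSTI
         * issued by the command act on the pty, not on the caller's tty. */
        ioctl(slave, TIOCSCTTY, 0);
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        close(master);
        if (slave > 2) close(slave);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(slave); /* parent keeps only the master side */
    size_t used = 0;
    ssize_t n;
    /* Linux: read() fails with EIO once the last slave descriptor closes. */
    while (used + 1 < outsz && (n = read(master, out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(master);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The caller only ever holds the master side, so anything the command pushes into its terminal input queue stays inside the pty and is never read by the caller's shell.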