Hello everyone, Today we're releasing LXD 2.0.2 as a security release for two recent CVEs. The main announcement can be found at: https://linuxcontainers.org/lxd/news/ == CVE-2016-1581 == Robie Basak noticed that after setting up a loop based ZFS pool through "lxd init" the resulting file (/var/lib/lxd/zfs.img) was world readable. This would allow any user on the system, and a potential attacker to copy and then read the data of any LXD container, regardless of file permissions inside the container. LXD 2.0.2 fixes the "lxd init" logic to always set the mode of zfs.img to 0600. Additionally a one-time upgrade step will trigger on first run and reset any existing zfs.img mode to be 0600. If you manage an affected system and suspect an unauthorized user may have accessed the zfs.img file, you should consider replacing any secret that was stored in the affected containers (private keys and similar credentials). == CVE-2016-1582 == Robie Basak noticed that when switching an unprivileged container (default, security.privileged=false) into privileged mode (by setting security.privileged to true), the container rootfs is properly remapped but the container directory itself (/var/lib/lxd/containers/XYZ) remains at 0755. This is a problem because it allows an unprivileged user on the host to access any world readable path under /var/lib/lxd/containers/XYZ which may include setuid binaries. Such setuid binaries could then be used on the host to access otherwise unaccessible data or to escalate one's privileges. LXD 2.0.2 fixes this behavior by making sure all privileged containers are always root-owned and have their mode set to 0700 to prevent traversal by unprivileged users. Additionally a one-time upgrade step will trigger on first run and reset any existing privileged containers' ownership and mode to root:root 0700 We recommend everyone update to LXD 2.0.2 as soon as possible. Especially if you are a user of loop-mounted ZFS or privileged containers! Thanks to the Ubuntu Security team for coordinating the disclosure of those two CVEs with other Linux distributions. As a reminder, the 2.0 series is supported for bugfix and security updates up until June 2021. Stéphane Graber On behalf of the LXD development team
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
