LXD 2.0.2 has been released (security update)!

Stéphane Graber stgraber at ubuntu.com
Tue May 31 18:16:56 UTC 2016


Hello everyone,

Today we're releasing LXD 2.0.2 as a security release for two recent CVEs.

The main announcement can be found at: https://linuxcontainers.org/lxd/news/


== CVE-2016-1581 ==
Robie Basak noticed that after setting up a loop based ZFS pool through
"lxd init" the resulting file (/var/lib/lxd/zfs.img) was world readable.

This would allow any user on the system, and a potential attacker to
copy and then read the data of any LXD container, regardless of file
permissions inside the container.

LXD 2.0.2 fixes the "lxd init" logic to always set the mode of zfs.img to 0600.

Additionally a one-time upgrade step will trigger on first run and reset
any existing zfs.img mode to be 0600.

If you manage an affected system and suspect an unauthorized user may
have accessed the zfs.img file, you should consider replacing any secret
that was stored in the affected containers (private keys and similar
credentials).


== CVE-2016-1582 ==
Robie Basak noticed that when switching an unprivileged container
(default, security.privileged=false) into privileged mode (by setting
security.privileged to true), the container rootfs is properly remapped
but the container directory itself (/var/lib/lxd/containers/XYZ) remains
at 0755.

This is a problem because it allows an unprivileged user on the host to
access any world readable path under /var/lib/lxd/containers/XYZ which
may include setuid binaries.

Such setuid binaries could then be used on the host to access otherwise
unaccessible data or to escalate one's privileges.

LXD 2.0.2 fixes this behavior by making sure all privileged containers
are always root-owned and have their mode set to 0700 to prevent
traversal by unprivileged users.

Additionally a one-time upgrade step will trigger on first run and reset
any existing privileged containers' ownership and mode to root:root 0700


We recommend everyone update to LXD 2.0.2 as soon as possible.
Especially if you are a user of loop-mounted ZFS or privileged
containers!


Thanks to the Ubuntu Security team for coordinating the disclosure of
those two CVEs with other Linux distributions.


As a reminder, the 2.0 series is supported for bugfix and security
updates up until June 2021.


Stéphane Graber
On behalf of the LXD development team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/containers/attachments/20160531/4cef604e/attachment.sig>


More information about the Containers mailing list