Comment 12 for bug 1470842

Tyler Hicks (tyhicks) wrote : Re: [Bug 1470842] Re: lxc tools lock handling vulnerable to symlink attack

On 2015-07-06 19:12:31, Stéphane Graber wrote:
> Serge provided a patch by e-mail.

I replied to his patch with a potential attack vector that was still
available. I point this out because we may not have a final patch at
this point.

> Upstream we've got LXC 1.1.3 right around the corner so we can land the
> patch in git master and then push it to the 1.1 maintenance branch and
> tag 1.1.3 very soon after. This release will then make it directly to
> wily and vivid.
>
> For trusty, we'll have to wait for LXC 1.0.8 upstream and that'll take a
> while longer as I've got a backlog of about 200 patches to go through
> for the stable branch.

The security team will apply the fix, as a distro patch, to all affected
stable releases and push out updates. You can then handle the Trusty SRU
however you'd like as long as you don't drop the fix in the version that
you take through the SRU process.

> So I guess the best for now is to pick a time where we:
> - Push Serge's fix as a distro patch to all supported releases
> - Push the fix to LXC git master
> - Post to lxc-devel and lxc-users about the security issue
> - Tag LXC 1.1.3 including the fix
> - Continue working on LXC 1.0.8 which will include the fix too

Let's wait just a little bit longer on deciding that time until we're
sure that we have a final patch available.