Comment 42 for bug 1639345
Seth Forshee (sforshee) wrote: Re: [Bug 1639345] Re: lxc-attach to malicious container allows access to host

On Wed, Nov 16, 2016 at 04:06:26PM -0000, Tyler Hicks wrote:
> On 11/15/2016 04:59 PM, Seth Forshee wrote:
> > On the kernel side there was previously a CVE assigned for the ptrace
> > issue - CVE-2015-8709. That restricted ptrace if the real, effective,
> > and saved uids and gids of the process were not mapped into the ptracing
> > process's user ns, but that doesn't forbid ptrace under the
> > circumstances here.
>
> Please don't reuse that CVE ID for this issue. It is clearly a different
> issue and reusing the CVE ID will only confuse everyone.

Sorry, I didn't really say what I meant to say there. Let me try again.

The patch does fix CVE-2015-8709. We aren't "reusing" it. We're
replacing a sauce patch to fix that CVE with a (better) upstream patch,
which is what we normally do when an upstream fix becomes available.

You're right that the ptrace issue here is different from the one
described by that CVE. Maybe that warrants another CVE; I'm not making
claims either way about that. All I meant to say is that we've already
taken the patch from Eric as an upstream replacement for the previous
patch to fix CVE-2015-8709.