Updates re CVE-2019-5736: runc / lxc container escape vulnerability

[mathx]

Seems LXC is susceptible to a container-escape problem. Just wondering about updates for this issue.

https://seclists.org/oss-sec/2019/q1/119

At this point in time debian has no patches yet.

https://security-tracker.debian.org/tracker/CVE-2019-5736

 

[iMx]

Quite a few conditions to be exploitable, from the github lxc commit.

 

[fabian]

it only affects privileged containers.

https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pct_settings
Privileged Containers
Security is done by dropping capabilities, using mandatory access control (AppArmor), SecComp filters and namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. So you should use this kind of containers only inside a trusted environment, or when no untrusted task is running as root in the container.

Unprivileged Containers
This kind of containers use a new kernel feature called user namespaces. The root UID 0 inside the container is mapped to an unprivileged user outside the container. This means that most security issues (container escape, resource abuse, …) in those containers will affect a random unprivileged user, and so would be a generic kernel security bug rather than an LXC issue. The LXC team thinks unprivileged containers are safe by design.

also see https://brauner.github.io/2019/02/12/privileged-containers.html

lxc-pve 3.1.0-3 contains the fix (currently available in pvetest)