CVE-2015-1340: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

May 24, 2022 (updated February 24, 2023)

LXD before version 0.19-0ubuntu5 doUidshiftIntoContainer() has an unsafe Chmod() call that races against the stat in the Filepath.Walk() function. A symbolic link created in that window could cause any file on the system to have any mode of the attacker’s choice.

References

bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270
github.com/advisories/GHSA-8mpq-fmr3-6jxv
github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4
github.com/lxc/lxd/pull/1189
nvd.nist.gov/vuln/detail/CVE-2015-1340
pkg.go.dev/vuln/GO-2021-0071

Code Behaviors & Features

Detect and mitigate CVE-2015-1340 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →