+ "details": "**Impact**\n\nThis affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user.\n\nThe most common case for this would be systems using `lxd-user` with the less privileged lxd group to provide unprivileged users with an isolated restricted access to LXD. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges.\n\n**Patches**\n\nPatches for this issue are available: \n\n- LXD 6 series: https://github.com/canonical/lxd/pull/16904\n- LXD 5.21 LTS series: https://github.com/canonical/lxd/pull/16922\n- LXD 5.0 LTS series: https://github.com/canonical/lxd/pull/16923\n- LXD 4.0 LTS series: https://github.com/canonical/lxd/pull/16924 \n\nThe first commit changes the permissions for any new storage pool, the later commit adds a patch that applies it on startup to all existing storage pools.\n\nThese fixes are also available in the associated candidate snap channels for each LTS series:\n\n- 5.21/candidate (5.21.4-8a3cf61)\n- 5.0/candidate (5.0.5-5c60378)\n- 4.0/candidate (4.0.10-35a8127)\n\nWe will be preparing intermediate releases to the associated stable snap channels shortly.\n\n**Workarounds**\n\nPermissions can be manually restricted until a patched version of LXD is deployed.\n\nThis is done with:\n\n```\nsudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0700 /var/snap/lxd/common/lxd/storage-pools/*/{custom*,virtual-machines*,images}\nsudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0711 /var/snap/lxd/common/lxd/storage-pools/*/{containers*,buckets*}\n```\n\nThose are the same permissions which will be applied by the patched LXD for both new and 
existing storage pools.\n\n**References**\n\nThis was reported to Incus publicly on Github here: \n\n- https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf\n- https://github.com/lxc/incus/issues/2641",
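Review bot: in the **Workarounds** command, the `*` and `{custom*,virtual-machines*,images}` patterns are expanded by the invoking host shell before `nsenter` enters the `lxd.mnt` mount namespace, so they match whatever the host sees under `/var/snap/lxd/common/lxd/storage-pools/`, not the pool directories as mounted inside the snap's namespace, and the `{...}` form also requires bash rather than POSIX sh; consider having the expansion happen inside the namespace, e.g. `sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- bash -c 'chmod 0700 /var/snap/lxd/common/lxd/storage-pools/*/{custom*,virtual-machines*,images}'`. The sentence "The first commit changes the permissions for any new storage pool, the later commit adds a patch..." refers to commits while the list above it gives one pull request per series, so it should say which PR (or which commit within each PR) is meant. Minor: trailing whitespace after "available: ", after the 4.0 LTS PR URL and after "on Github here: ", and "Github" should be "GitHub".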