| id: GO-2021-0071 |
| modules: |
| - module: github.com/lxc/lxd |
| versions: |
| - fixed: 0.0.0-20151004155856-19c6961cc101 |
| vulnerable_at: 0.0.0-20151004071337-96e120e828e4 |
| packages: |
| - package: github.com/lxc/lxd/shared |
| symbols: |
| - IdmapSet.doUidshiftIntoContainer |
| skip_fix: 'TODO: Revisit this reason (Fix causes error containing cannot find module providing package github.com/chai2010/gettext-go/gettext - possibly an issue with lack of go.mod file in affected version)' |
| summary: Race condition in github.com/lxc/lxd |
| description: |- |
| A race between chown and chmod operations during a container filesystem shift |
| may allow a user who can modify the filesystem to chmod an arbitrary path of |
| their choice, rather than the expected path. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2015-1340 |
| ghsas: |
| - GHSA-8mpq-fmr3-6jxv |
| credits: |
| - Seth Arnold |
| references: |
| - fix: https://github.com/lxc/lxd/pull/1189 |
| - fix: https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4 |
| - web: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270 |
| review_status: REVIEWED |