Control: tags 905586 + pending

Dear maintainer,

I've prepared an NMU for lxc (versioned as 1:2.0.9-6.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer. Note that the two patches, while addressing the
issue, would still allow testing for the existence of files, but this was
afaics not addressed explicitly.

Regards,
Salvatore
diff -Nru lxc-2.0.9/debian/changelog lxc-2.0.9/debian/changelog
--- lxc-2.0.9/debian/changelog	2018-01-27 15:44:36.000000000 +0100
+++ lxc-2.0.9/debian/changelog	2018-08-29 15:22:46.000000000 +0200
@@ -1,3 +1,11 @@
+lxc (1:2.0.9-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * utils: add LXC_PROC_PID_FD_LEN
+  * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 29 Aug 2018 15:22:46 +0200
+
 lxc (1:2.0.9-6) unstable; urgency=medium
 
   * 0004-debian-Use-iproute2-instead-of-iproute.patch: fix creation of
diff -Nru lxc-2.0.9/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch lxc-2.0.9/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
--- lxc-2.0.9/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch	1970-01-01 01:00:00.000000000 +0100
+++ lxc-2.0.9/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch	2018-08-29 15:22:46.000000000 +0200
@@ -0,0 +1,35 @@
+From f96f5f3c1341e73ee51c8b49bef4ba571c562d8c Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brau...@ubuntu.com>
+Date: Fri, 4 May 2018 11:59:11 +0200
+Subject: [PATCH] utils: add LXC_PROC_PID_FD_LEN
+
+Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
+---
+ src/lxc/utils.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index a2bad89db..e4d8519db 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -99,6 +99,17 @@
+ #define LXC_NUMSTRLEN64 21
+ #define LXC_LINELEN 4096
+ #define LXC_IDMAPLEN 4096
++/* /proc/       =    6
++ *                +
++ * <pid-as-str> =   LXC_NUMSTRLEN64
++ *                +
++ * /fd/         =    4
++ *                +
++ * <fd-as-str>  =   LXC_NUMSTRLEN64
++ *                +
++ * \0           =    1
++ */
++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
+ 
+ /* returns 1 on success, 0 if there were any failures */
+ extern int lxc_rmdir_onedev(char *path, const char *exclude);
+-- 
+2.17.1
+
diff -Nru lxc-2.0.9/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch lxc-2.0.9/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch
--- lxc-2.0.9/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch	1970-01-01 01:00:00.000000000 +0100
+++ lxc-2.0.9/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch	2018-08-29 15:22:46.000000000 +0200
@@ -0,0 +1,101 @@
+From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brau...@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
+---
+ src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c        | 12 ++++++++++++
+ src/lxc/utils.h        |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+--- a/src/lxc/lxc_user_nic.c
++++ b/src/lxc/lxc_user_nic.c
+@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
+ 			exit(EXIT_FAILURE);
+ 		}
+ 	} else if (request == LXC_USERNIC_DELETE) {
+-		netns_fd = open(args.pid, O_RDONLY);
++		char opath[LXC_PROC_PID_FD_LEN];
++
++		/* Open the path with O_PATH which will not trigger an actual
++		 * open(). Don't report an errno to the caller to not leak
++		 * information whether the path exists or not.
++		 * When stracing setuid is stripped so this is not a concern
++		 * either.
++		 */
++		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ 		if (netns_fd < 0) {
+-			usernic_error("Could not open \"%s\": %s\n", args.pid,
+-				      strerror(errno));
++			usernic_error("Failed to open \"%s\"\n", args.pid);
++			exit(EXIT_FAILURE);
++		}
++
++		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++		if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		/* Now get an fd that we can use in setns() calls. */
++		ret = open(opath, O_RDONLY | O_CLOEXEC);
++		if (ret < 0) {
++			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++			close(netns_fd);
+ 			exit(EXIT_FAILURE);
+ 		}
++		close(netns_fd);
++		netns_fd = ret;
+ 	}
+ 
+ 	if (!create_db_dir(LXC_USERNIC_DB)) {
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2377,6 +2377,18 @@ bool has_fs_type(const char *path, fs_ty
+ 	return has_type;
+ }
+ 
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++	int ret;
++	struct statfs sb;
++
++	ret = fstatfs(fd, &sb);
++	if (ret < 0)
++		return false;
++
++	return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -46,6 +46,10 @@
+ #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
+ #endif
+ 
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -403,6 +407,7 @@ void *must_realloc(void *orig, size_t sz
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ 
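Review bot: In the LXC_USERNIC_DELETE branch of lxc_user_nic.c the two early failures print different messages, `Failed to open "%s"` when the O_PATH open fails and `Path "%s" does not refer to a network namespace path` when the nsfs check fails, so a caller of the setuid helper can still tell a missing path from an existing one; this is the residual existence test the cover note mentions. Emitting one message for both cases, e.g. `usernic_error("Path \"%s\" is not a usable network namespace path\n", args.pid);`, would remove that distinction. Separately, `fhas_fs_type(netns_fd, NSFS_MAGIC)` only establishes that the descriptor lives on nsfs, not that it is a network namespace rather than another namespace type. Whether the later setns() call restricts the type is not visible in this hunk, so a comment naming the layer that enforces it would help. The check also relies on fstatfs() accepting an O_PATH descriptor, which open(2) documents only from Linux 3.12, and main() continues outside the hunk.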
diff -Nru lxc-2.0.9/debian/patches/series lxc-2.0.9/debian/patches/series
--- lxc-2.0.9/debian/patches/series	2018-01-27 15:44:36.000000000 +0100
+++ lxc-2.0.9/debian/patches/series	2018-08-29 15:22:46.000000000 +0200
@@ -2,3 +2,5 @@
 0002-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch
 0003-lxc-debian-don-t-hardcode-valid-releases.patch
 0004-debian-Use-iproute2-instead-of-iproute.patch
+0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
+0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch
