--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected],
[email protected]
Control: affects -1 + src:lxc
[ Reason ]
The release of LXC 7.0 included a fix for the low severity CVE-2026-
39402. After discussion with the Security Team, this vulnerability
won't receive its own DSA, but will be addressed via the upcoming point
release.
[ Impact ]
LXC in bookworm is currently vulnerable to CVE-2026-39402.
[ Tests ]
Upstream did add a test in the 7.0 release, but I haven't included it
in the cherry-pick because the packaging of lxc in bookworm won't ever
actually run it.
[ Risks ]
Minor/none -- one targeted fix cherry-picked from the upstream git
repo.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
One patch as outlined above.
[ Other info ]
The source debdiff is attached.
diff -Nru lxc-5.0.2/debian/changelog lxc-5.0.2/debian/changelog
--- lxc-5.0.2/debian/changelog 2025-01-03 00:53:50.000000000 +0000
+++ lxc-5.0.2/debian/changelog 2026-04-30 19:05:41.000000000 +0000
@@ -1,3 +1,9 @@
+lxc (1:5.0.2-1+deb12u4) bookworm; urgency=medium
+
+ * Cherry-pick upstream fix for CVE-2026-39402
+
+ -- Mathias Gibbens <[email protected]> Thu, 30 Apr 2026 19:05:41 +0000
+
lxc (1:5.0.2-1+deb12u3) bookworm; urgency=medium
* Cherry-pick upstream fix for null pointer dereference when using a shared
diff -Nru lxc-5.0.2/debian/patches/0103-cherry-pick-CVE-2026-39402.patch lxc-5.0.2/debian/patches/0103-cherry-pick-CVE-2026-39402.patch
--- lxc-5.0.2/debian/patches/0103-cherry-pick-CVE-2026-39402.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-5.0.2/debian/patches/0103-cherry-pick-CVE-2026-39402.patch 2026-04-30 19:05:09.000000000 +0000
@@ -0,0 +1,168 @@
+From db25752fe8a03c8264a21ca99f49b2db93c56910 Mon Sep 17 00:00:00 2001
+From: "Serge E. Hallyn" <[email protected]>
+Date: Mon, 20 Apr 2026 23:07:47 -0500
+Subject: [PATCH] lxc-user-nic: clarify and fix
+
+Some variable names were a bit confusing in find_line and cull_entries.
+Rename and document, and fix the flows using these.
+
+It's possible that a more maintainable approach, long term, would be
+to break these up differently: have one function create a neat
+in memory data structure representing the files, and have the paths
+currently using find_line and cull_entries peek into the data structures.
+But i think this is pretty clear.
+
+This fixes CVE-2026-39402
+
+Signed-off-by: Serge E. Hallyn <[email protected]>
+Reviewed-by: Alexander Mikhalitsyn <[email protected]>
+---
+ src/lxc/cmd/lxc_user_nic.c | 75 +++++++++++++++++++++++++++++---------
+ 1 file changed, 57 insertions(+), 18 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index d1b392199a..7f5a0b6fdf 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -371,19 +371,58 @@ static char *get_eow(char *s, char *e)
+ return s;
+ }
+
++static bool same_word(const char *start, const char *end, const char *word)
++{
++ size_t wordlen = strlen(word);
++ size_t buflen = end - start;
++
++ if (wordlen != buflen)
++ return false;
++ if (strncmp(start, word, wordlen) == 0)
++ return true;
++ return false;
++}
++
++/*
++ * in:
++ * @buf_start and @buf_end point to the buffer to be read.
++ *
++ * @owner_name is the name of the user who should own the link.
++ *
++ * @net_type is type of connection, e.g. veth
++ *
++ * @net_link is the name of the bridge, e.g. lxcbr0, on which the
++ * device should live.
++ *
++ * @net_dev is the name of the device itself in the host netns.
++ *
++ * out:
++ * @is_owner is set to true if the current line is owned by @name.
++
++ * @nic_found is set to true if the line is specifically for the passed-in
++ * @net_dev, and it is on the right @net_link and of the right @net_type.
++ *
++ * @exists is set to false if the nic in this line no longer exists. This is
++ * used by cull_entries(): if we set it to false, then this line will be
++ * removed from the LXC_USERNIC_DB (e.g. /var/run/lxc/nics).
++ */
+ static char *find_line(char *buf_start, char *buf_end, char *name,
+ char *net_type, char *net_link, char *net_dev,
+- bool *owner, bool *found, bool *keep)
++ bool *is_owner, bool *nic_found, bool *exists)
+ {
+ char *end_of_line, *end_of_word, *line;
++ bool right_net_type, right_bridge, right_link_name;;
+
+ while (buf_start < buf_end) {
+ size_t len;
+ char netdev_name[IFNAMSIZ];
+
+- *found = false;
+- *keep = true;
+- *owner = false;
++ *nic_found = false;
++ *exists = true;
++ *is_owner = false;
++ right_net_type = false;
++ right_bridge = false;
++ right_link_name = false;
+
+ end_of_line = get_eol(buf_start, buf_end);
+ if (end_of_line >= buf_end)
+@@ -402,11 +441,8 @@ static char *find_line(char *buf_start, char *buf_end, char *name,
+ if (!end_of_word)
+ return NULL;
+
+- if (strncmp(buf_start, name, strlen(name)))
+- *found = false;
+- else
+- if (strlen(name) == (size_t)(end_of_word - buf_start))
+- *owner = true;
++ if (same_word(buf_start, end_of_word, name))
++ *is_owner = true;
+
+ buf_start = end_of_word + 1;
+ while ((buf_start < buf_end) && isblank(*buf_start))
+@@ -418,8 +454,8 @@ static char *find_line(char *buf_start, char *buf_end, char *name,
+ if (!end_of_word)
+ return NULL;
+
+- if (strncmp(buf_start, net_type, strlen(net_type)))
+- *found = false;
++ if (same_word(buf_start, end_of_word, net_type))
++ right_net_type = true;
+
+ buf_start = end_of_word + 1;
+ while ((buf_start < buf_end) && isblank(*buf_start))
+@@ -431,8 +467,8 @@ static char *find_line(char *buf_start, char *buf_end, char *name,
+ if (!end_of_word)
+ return NULL;
+
+- if (strncmp(buf_start, net_link, strlen(net_link)))
+- *found = false;
++ if (same_word(buf_start, end_of_word, net_link))
++ right_bridge = true;
+
+ buf_start = end_of_word + 1;
+ while ((buf_start < buf_end) && isblank(*buf_start))
+@@ -451,10 +487,13 @@ static char *find_line(char *buf_start, char *buf_end, char *name,
+
+ memcpy(netdev_name, buf_start, len);
+ netdev_name[len] = '\0';
+- *keep = lxc_nic_exists(netdev_name);
++ *exists = lxc_nic_exists(netdev_name);
+
+ if (net_dev && !strcmp(netdev_name, net_dev))
+- *found = true;
++ right_link_name = true;
++
++ if (right_net_type && right_bridge && right_link_name)
++ *nic_found = true;
+
+ return line;
+
+@@ -584,7 +623,7 @@ static bool cull_entries(int fd, char *name, char *net_type, char *net_link,
+ size_t length = 0;
+ int ret;
+ char *buf_end, *buf_start;
+- bool found, keep;
++ bool nic_found, is_owner, keep;
+
+ ret = fd_to_buf(fd, &buf, &length);
+ if (ret < 0) {
+@@ -600,7 +639,7 @@ static bool cull_entries(int fd, char *name, char *net_type, char *net_link,
+ buf_start = buf;
+ buf_end = buf + length;
+ while ((buf_start = find_line(buf_start, buf_end, name, net_type,
+- net_link, net_dev, &(bool){true}, &found,
++ net_link, net_dev, &is_owner, &nic_found,
+ &keep))) {
+ struct entry_line *newe;
+
+@@ -608,7 +647,7 @@ static bool cull_entries(int fd, char *name, char *net_type, char *net_link,
+ if (!newe)
+ return false;
+
+- if (found)
++ if (nic_found && is_owner)
+ *found_nicname = true;
+
+ entry_lines = newe;
diff -Nru lxc-5.0.2/debian/patches/series lxc-5.0.2/debian/patches/series
--- lxc-5.0.2/debian/patches/series 2025-01-03 00:53:50.000000000 +0000
+++ lxc-5.0.2/debian/patches/series 2026-04-30 19:05:30.000000000 +0000
@@ -4,3 +4,4 @@
0100-fix-nftables-ipv6.patch
0101-cherry-pick-fix-ephemeral-copies.patch
0102-cherry-pick-fix-null-pointer-dereference.patch
+0103-cherry-pick-CVE-2026-39402.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---
