Hi Antonio,

On Fri, Aug 31, 2018 at 08:14:57AM -0300, Antonio Terceiro wrote:
> On Thu, Aug 30, 2018 at 10:06:15PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags 905586 + pending
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for lxc (versioned as 1:2.0.9-6.1) and
> > uploaded it to DELAYED/5.
>
> Thanks!
>
> > Please feel free to tell me if I should delay it longer.
>
> on the contrary: please feel free to make it an immediate upload. I will
> import your diff in the git repository
Thank you, I have just rescheduled it. If you prefer to have the single commits, they are attached to this mail. I realize you probably would have preferred a proper merge request, but I did not start working from the salsa repo but from a gbp import-dsc git repo.

Regards,
Salvatore
>From d37ad7ef0f5d30b9dc94252726d338f1b44e746e Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso <car...@debian.org> Date: Wed, 29 Aug 2018 15:19:27 +0200 Subject: [PATCH 1/3] utils: add LXC_PROC_PID_FD_LEN --- debian/changelog | 6 ++++ ...s-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch | 35 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 42 insertions(+) create mode 100644 debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch diff --git a/debian/changelog b/debian/changelog index e3a1393eabe6..ece65f3f2990 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lxc (1:2.0.9-7) UNRELEASED; urgency=medium + + * utils: add LXC_PROC_PID_FD_LEN + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 29 Aug 2018 15:19:41 +0200 + lxc (1:2.0.9-6) unstable; urgency=medium * 0004-debian-Use-iproute2-instead-of-iproute.patch: fix creation of diff --git a/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch b/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch new file mode 100644 index 000000000000..300264419c2e --- /dev/null +++ b/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch 
@@ -0,0 +1,35 @@ +From f96f5f3c1341e73ee51c8b49bef4ba571c562d8c Mon Sep 17 00:00:00 2001 +From: Christian Brauner <christian.brau...@ubuntu.com> +Date: Fri, 4 May 2018 11:59:11 +0200 +Subject: [PATCH] utils: add LXC_PROC_PID_FD_LEN + +Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> +--- + src/lxc/utils.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index a2bad89db..e4d8519db 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -99,6 +99,17 @@ + #define LXC_NUMSTRLEN64 21 + #define LXC_LINELEN 4096 + #define LXC_IDMAPLEN 4096 ++/* /proc/ = 6 ++ * + ++ * <pid-as-str> = LXC_NUMSTRLEN64 ++ * + ++ * /fd/ = 4 ++ * + ++ * <fd-as-str> = LXC_NUMSTRLEN64 ++ * + ++ * \0 = 1 ++ */ ++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1) + + /* returns 1 on success, 0 if there were any failures */ + extern int lxc_rmdir_onedev(char *path, const char *exclude); +-- +2.17.1 + diff --git a/debian/patches/series b/debian/patches/series index 43c8fba2388b..5ebb5b167444 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 0002-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch 0003-lxc-debian-don-t-hardcode-valid-releases.patch 0004-debian-Use-iproute2-instead-of-iproute.patch +0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch -- 2.18.0
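Review bot: The new file 0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch carries only the upstream git From/Date/Subject headers and no DEP-3 `Origin:` line (e.g. `Origin: upstream, f96f5f3c1341e73ee51c8b49bef4ba571c562d8c`) or `Bug-Debian:` line for #905586, so tooling cannot see that it is a backport that exists solely to support the CVE fix in the next commit; the file name also uses an `_stable-2.0` suffix where 0006 uses a `stable-2.0-` prefix, so pick one convention. The size comment in the utils.h hunk checks out: 6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1 = 53 bytes covers `/proc/<pid>/fd/<fd>` plus the terminator for any 64-bit pid and fd.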
>From 23be076be26591f506acc929586ce7fa37569400 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso <car...@debian.org> Date: Wed, 29 Aug 2018 15:20:25 +0200 Subject: [PATCH 2/3] CVE 2018-6556: verify netns fd in lxc-user-nic Closes: #905586 --- debian/changelog | 1 + ...-lxc-user-nic-verify-file-descriptor.patch | 101 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 103 insertions(+) create mode 100644 debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch diff --git a/debian/changelog b/debian/changelog index ece65f3f2990..438982ff7e8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ lxc (1:2.0.9-7) UNRELEASED; urgency=medium * utils: add LXC_PROC_PID_FD_LEN + * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586) -- Salvatore Bonaccorso <car...@debian.org> Wed, 29 Aug 2018 15:19:41 +0200 diff --git a/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch b/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch new file mode 100644 index 000000000000..c877483af596 --- /dev/null +++ b/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch 
@@ -0,0 +1,101 @@ +From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001 +From: Christian Brauner <christian.brau...@ubuntu.com> +Date: Wed, 25 Jul 2018 19:56:54 +0200 +Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic + +Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> +--- + src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- + src/lxc/utils.c | 12 ++++++++++++ + src/lxc/utils.h | 5 +++++ + 3 files changed, 49 insertions(+), 3 deletions(-) + +--- a/src/lxc/lxc_user_nic.c ++++ b/src/lxc/lxc_user_nic.c +@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[]) + exit(EXIT_FAILURE); + } + } else if (request == LXC_USERNIC_DELETE) { +- netns_fd = open(args.pid, O_RDONLY); ++ char opath[LXC_PROC_PID_FD_LEN]; ++ ++ /* Open the path with O_PATH which will not trigger an actual ++ * open(). Don't report an errno to the caller to not leak ++ * information whether the path exists or not. ++ * When stracing setuid is stripped so this is not a concern ++ * either. ++ */ ++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); + if (netns_fd < 0) { +- usernic_error("Could not open \"%s\": %s\n", args.pid, +- strerror(errno)); ++ usernic_error("Failed to open \"%s\"\n", args.pid); ++ exit(EXIT_FAILURE); ++ } ++ ++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { ++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); ++ if (ret < 0 || (size_t)ret >= sizeof(opath)) { ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* Now get an fd that we can use in setns() calls. 
*/ ++ ret = open(opath, O_RDONLY | O_CLOEXEC); ++ if (ret < 0) { ++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); ++ close(netns_fd); + exit(EXIT_FAILURE); + } ++ close(netns_fd); ++ netns_fd = ret; + } + + if (!create_db_dir(LXC_USERNIC_DB)) { +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2377,6 +2377,18 @@ bool has_fs_type(const char *path, fs_ty + return has_type; + } + ++bool fhas_fs_type(int fd, fs_type_magic magic_val) ++{ ++ int ret; ++ struct statfs sb; ++ ++ ret = fstatfs(fd, &sb); ++ if (ret < 0) ++ return false; ++ ++ return is_fs_type(&sb, magic_val); ++} ++ + bool lxc_nic_exists(char *nic) + { + #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -46,6 +46,10 @@ + #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask)) + #endif + ++#ifndef NSFS_MAGIC ++#define NSFS_MAGIC 0x6e736673 ++#endif ++ + /* Useful macros */ + /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ + #define LXC_NUMSTRLEN64 21 +@@ -403,6 +407,7 @@ void *must_realloc(void *orig, size_t sz + /* __typeof__ should be safe to use with all compilers. */ + typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; + extern bool has_fs_type(const char *path, fs_type_magic magic_val); ++extern bool fhas_fs_type(int fd, fs_type_magic magic_val); + extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); + extern bool lxc_nic_exists(char *nic); + diff --git a/debian/patches/series b/debian/patches/series index 5ebb5b167444..b7406be95fcc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ 0003-lxc-debian-don-t-hardcode-valid-releases.patch 0004-debian-Use-iproute2-instead-of-iproute.patch 0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch +0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch -- 2.18.0
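Review bot: In the lxc_user_nic.c hunk, the error path after `ret = open(opath, O_RDONLY | O_CLOEXEC);` reports args.pid (`usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));`) although the open that failed is on opath, the /proc/self/fd/<n> reopen; print opath there so the message points at the failing call. The check-then-reopen construction itself is right: O_PATH|O_CLOEXEC on the caller-supplied path, fstatfs against NSFS_MAGIC, then a real open through /proc/self/fd/%d, which resolves to the already-verified inode instead of re-walking the user path, so the nsfs check and the descriptor later handed to setns() cannot refer to different objects. Including strerror(errno) in that second message does not conflict with the comment above the first open, since by then the path is known to be an nsfs inode and nothing new about arbitrary paths is disclosed.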
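Review bot: fhas_fs_type() in the utils.c hunk returns false whenever fstatfs() fails, so errors fail closed; because its only caller passes an O_PATH descriptor, this relies on fstatfs() accepting O_PATH fds, which Linux supports since 3.12, and on an older kernel every LXC_USERNIC_DELETE request would be refused with the "does not refer to a network namespace path" message. That is the safe failure mode, but a one-line comment on the O_PATH dependency would save the next reader a trip to the open(2) man page.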
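Review bot: The utils.h hunk's fallback `#define NSFS_MAGIC 0x6e736673` matches linux/magic.h (the bytes spell "nsfs"), so builds against older headers get the correct value. NSFS_MAGIC identifies any namespace inode, not specifically a network namespace, so fhas_fs_type() alone does not distinguish a net namespace from, say, a mount or pid namespace; the setns() call that consumes netns_fd is outside this diff, so confirm it passes CLONE_NEWNET rather than 0 so that the kernel rejects a namespace of the wrong type.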
>From 7f62f830385172e8a0b7dcfd75299291bf5edbdb Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso <car...@debian.org> Date: Wed, 29 Aug 2018 15:22:53 +0200 Subject: [PATCH 3/3] Prepare changelog for release Gbp-Dch: Ignore --- debian/changelog | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 438982ff7e8d..a8befad79481 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,10 @@ -lxc (1:2.0.9-7) UNRELEASED; urgency=medium +lxc (1:2.0.9-6.1) unstable; urgency=medium + * Non-maintainer upload. * utils: add LXC_PROC_PID_FD_LEN * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586) - -- Salvatore Bonaccorso <car...@debian.org> Wed, 29 Aug 2018 15:19:41 +0200 + -- Salvatore Bonaccorso <car...@debian.org> Wed, 29 Aug 2018 15:22:46 +0200 lxc (1:2.0.9-6) unstable; urgency=medium -- 2.18.0
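Review bot: In the final debian/changelog hunk the entry reads `CVE 2018-6556` (with a space) where Debian convention and the tools that scan changelogs for CVE ids expect the hyphenated identifier `CVE-2018-6556`; the same spelling appears in the commit Subject lines of the preceding patches, so fix it here so the released changelog carries the canonical form. The rest of the hunk is what an NMU needs: version 1:2.0.9-6.1 against unstable, the `* Non-maintainer upload.` line first, and the Closes: #905586 reference retained.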