Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear Release Managers,

I'd like to ask you to please unblock package lxc version 1:3.1.0+really3.0.3-6 currently lying in unstable, so it replaces lxc version 1:3.1.0+really3.0.3-4 currently in testing.

Indeed, Antonio Terceiro did an upload for 1:3.1.0+really3.0.3-5 in unstable on March the 2nd, with changes regarding the Debconf translation in Dutch (see bug #923328 [0]) and another change to fix an issue I introduced in the provided `/etc/lxc/default.conf` file, which made it not usable without a fix by the end user (see bug #923395 [1]).

Although these changes should have reached testing before the freeze, I realized that the changes I've made for 1:3.1.0+really3.0.3-4 to fix a CVE introduced some anomalies due to the upstream patch not being enough (see bug #923932 [2]), and that I forgot to update debian/NEWS with proper instructions regarding the breaking changes from LXC2 to 3.

(explain the reason for the unblock here)

Hence I did a 1:3.1.0+really3.0.3-6 upload in unstable to include these changes, and it reset the counter for -5.

Attached is a debdiff between testing and unstable.

Thanks a lot for considering such an unblock.

With best regards,

unblock lxc/1:3.1.0+really3.0.3-4

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru lxc-3.1.0+really3.0.3/debian/changelog lxc-3.1.0+really3.0.3/debian/changelog --- lxc-3.1.0+really3.0.3/debian/changelog 2019-02-16 16:21:41.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/changelog 2019-03-09 15:49:21.000000000 +0100 @@ -1,3 +1,22 @@ +lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium + + * d/patches/0005: Tweaks the 0004 patch for CVE-2019-5736 (Closes: #923932) + * d/NEWS: summary of the important changes since LXC2. + + -- Pierre-Elliott Bécue <p...@debian.org> Sat, 09 Mar 2019 15:49:21 +0100 + +lxc (1:3.1.0+really3.0.3-5) unstable; urgency=medium + + [ Christian Kastner ] + * /etc/default/lxc.conf Change back to lxc.net.0.type + (Closes: #923395) + + [ Frans Spiesschaert ] + * debian/po/nl.po: Add Dutch translation of debconf messages + (Closes: #923328) + + -- Antonio Terceiro <terce...@debian.org> Sat, 02 Mar 2019 12:33:08 -0300 + lxc (1:3.1.0+really3.0.3-4) unstable; urgency=medium [ Lev Lamberov ] diff -Nru lxc-3.1.0+really3.0.3/debian/contrib/default.conf lxc-3.1.0+really3.0.3/debian/contrib/default.conf --- lxc-3.1.0+really3.0.3/debian/contrib/default.conf 2019-02-11 22:59:58.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/contrib/default.conf 2019-03-09 12:54:41.000000000 +0100 @@ -1,3 +1,3 @@ -lxc.net.type = empty +lxc.net.0.type = empty lxc.apparmor.profile = generated lxc.apparmor.allow_nesting = 1 diff -Nru lxc-3.1.0+really3.0.3/debian/liblxc1.symbols lxc-3.1.0+really3.0.3/debian/liblxc1.symbols --- lxc-3.1.0+really3.0.3/debian/liblxc1.symbols 2019-02-16 16:21:29.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/liblxc1.symbols 2019-03-09 12:54:41.000000000 +0100 
@@ -381,6 +381,7 @@ lxc_remove_nic_by_idx@Base 1:3.0.2 lxc_requests_empty_network@Base 1:3.0.2 lxc_restore_phys_nics_to_netns@Base 1:3.0.2 + lxc_rexec@Base 1:3.0.3 lxc_ringbuf_create@Base 1:3.0.2 lxc_ringbuf_move_read_addr@Base 1:3.0.2 lxc_ringbuf_read@Base 1:3.0.2 diff -Nru lxc-3.1.0+really3.0.3/debian/NEWS lxc-3.1.0+really3.0.3/debian/NEWS --- lxc-3.1.0+really3.0.3/debian/NEWS 2018-12-22 22:49:44.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/NEWS 2019-03-09 15:49:19.000000000 +0100 
@@ -1,3 +1,35 @@ +lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium + + LXC 3 got some significant changes from LXC 2. + + 1. The configuration files use different variables. A userland script + lxc-update-config is available to update automatically your + configuration files. An automatic update is possible and offered by + debconf during the upgrade of lxc version < 3.0.2 to lxc version >= + 3.0.2. Mind that this update will only work for priviledged containers + with configurations present in /var/lib/lxc/*/config and any other + container will not be updated. + 2. AppArmor support in Debian has increased, thus preventing some systemd + isolation features to work in LXC 3.0.X. Debian has backported some + patches from LXC 3.1 that, along with some configurations in a + container, will allow systemd isolation features to work. + + The required configuration parameters are the ones which follow: + lxc.apparmor.profile = generated + lxc.apparmor.allow_nesting = 1 + + These parameters are provided in the `/etc/lxc/default.conf` file + shipped with LXC 3. Hence, any newly created container will have these + parameters set properly, execpt if you alter the forementionned file. + 3. lxc-templates is deprecated by upstream. The new way of building + containers is via their distrobuilder software. This software isn't in + Debian Buster, and thus, we still provide lxc-templates. If you relied + on it (eg, with lxc.include parameter in some configuration file), you + should install lxc-templates in case it doesn't come by itself (via + recommends). Otherwise you may experience issues after the upgrade. 
+ + -- Pierre-Elliott Bécue <p...@debian.org> Sat, 09 Mar 2019 13:09:05 +0100 + lxc (1:1.1.5-1) unstable; urgency=medium LXC before 1.1 did silently ignore lxc.aa_profile if the kernel did diff -Nru lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch --- lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch 2019-02-16 16:11:58.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch 2019-03-09 12:54:41.000000000 +0100 @@ -5,6 +5,10 @@ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the runC host binary from inside a privileged runC container. As a result, this could be exploited to gain root access on the host. runC is used as the default diff -Nru lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch --- lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch 1970-01-01 01:00:00.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch 2019-03-09 12:54:41.000000000 +0100 
@@ -0,0 +1,151 @@ +From: Christian Brauner <christian.brau...@ubuntu.com> +Date: Tue, 12 Feb 2019 17:31:14 +0100 +Subject: rexec: make rexecution opt-in for library callers +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +We cannot rexecute the liblxc shared library unconditionally as this would +break most of our downstreams. Here are some scenarios: +- anyone performing a dlopen() on the shared library (e.g. users of the LXC + Python bindings) +- LXD as it needs to know the absolute path to its own executable based on + /proc/self/exe etc. + +This commit makes the rexecution of liblxc conditional on whether the +LXC_MEMFD_REXEC environment variable is set or not. If it is then liblxc is +unconditionally rexecuted. + +The only relevant attack vector exists for lxc-attach which we simply reexecute +unconditionally. + +Reported-by: Stéphane Graber <stgra...@ubuntu.com> +Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> +--- + src/lxc/Makefile.am | 4 +++- + src/lxc/rexec.c | 4 ++-- + src/lxc/rexec.h | 26 ++++++++++++++++++++++++++ + src/lxc/tools/lxc_attach.c | 18 ++++++++++++++++++ + 4 files changed, 49 insertions(+), 3 deletions(-) + create mode 100644 src/lxc/rexec.h + +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 92779e0..5bfad9c 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -23,6 +23,7 @@ noinst_HEADERS = attach.h \ + monitor.h \ + namespace.h \ + raw_syscalls.h \ ++ rexec.h \ + start.h \ + state.h \ + storage/btrfs.h \ +@@ -174,7 +175,7 @@ liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h + endif + + if ENFORCE_MEMFD_REXEC +-liblxc_la_SOURCES += rexec.c ++liblxc_la_SOURCES += rexec.c rexec.h + endif + + AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ +@@ -294,6 +295,7 @@ LDADD = liblxc.la \ + + if ENABLE_TOOLS + lxc_attach_SOURCES = tools/lxc_attach.c 
\ ++ rexec.c rexec.h \ + tools/arguments.c tools/arguments.h + lxc_autostart_SOURCES = tools/lxc_autostart.c \ + tools/arguments.c tools/arguments.h +diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c +index 396bd61..d944c8f 100644 +--- a/src/lxc/rexec.c ++++ b/src/lxc/rexec.c +@@ -137,7 +137,7 @@ on_error: + errno = saved_errno; + } + +-static int lxc_rexec(const char *memfd_name) ++int lxc_rexec(const char *memfd_name) + { + int ret; + char **argv = NULL, **envp = NULL; +@@ -174,7 +174,7 @@ static int lxc_rexec(const char *memfd_name) + */ + __attribute__((constructor)) static void liblxc_rexec(void) + { +- if (lxc_rexec("liblxc")) { ++ if (getenv("LXC_MEMFD_REXEC") && lxc_rexec("liblxc")) { + fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n"); + _exit(EXIT_FAILURE); + } +diff --git a/src/lxc/rexec.h b/src/lxc/rexec.h +new file mode 100644 +index 0000000..088ded9 +--- /dev/null ++++ b/src/lxc/rexec.h +@@ -0,0 +1,26 @@ ++/* liblxcapi ++ * ++ * Copyright © 2019 Christian Brauner <christian.brau...@ubuntu.com>. ++ * Copyright © 2019 Canonical Ltd. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. 
++ ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this library; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef __LXC_REXEC_H ++#define __LXC_REXEC_H ++ ++extern int lxc_rexec(const char *memfd_name); ++ ++#endif /* __LXC_REXEC_H */ +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 8c8e7d3..80b3693 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -44,10 +44,28 @@ + #include "config.h" + #include "confile.h" + #include "log.h" ++#include "rexec.h" + #include "utils.h" + + lxc_log_define(lxc_attach, lxc); + ++/** ++ * This function will copy any binary that calls liblxc into a memory file and ++ * will use the memfd to rexecute the binary. This is done to prevent attacks ++ * through the /proc/self/exe symlink to corrupt the host binary when host and ++ * container are in the same user namespace or have set up an identity id ++ * mapping: CVE-2019-5736. ++ */ ++#ifdef ENFORCE_MEMFD_REXEC ++__attribute__((constructor)) static void lxc_attach_rexec(void) ++{ ++ if (!getenv("LXC_MEMFD_REXEC") && lxc_rexec("lxc-attach")) { ++ fprintf(stderr, "Failed to re-execute lxc-attach via memory file descriptor\n"); ++ _exit(EXIT_FAILURE); ++ } ++} ++#endif ++ + static int my_parser(struct lxc_arguments *args, int c, char *arg); + static int add_to_simple_array(char ***array, ssize_t *capacity, char *value); + static bool stdfd_is_pty(void); diff -Nru lxc-3.1.0+really3.0.3/debian/patches/series lxc-3.1.0+really3.0.3/debian/patches/series --- lxc-3.1.0+really3.0.3/debian/patches/series 2019-02-16 16:09:40.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/patches/series 2019-03-09 12:54:41.000000000 +0100 
@@ -2,3 +2,4 @@ 0002-tests-add-test-for-generated-apparmor-profiles.patch 0003-apparmor-allow-various-remount-bind-options.patch 0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch +0005-rexec-make-rexecution-opt-in-for-library-callers.patch diff -Nru lxc-3.1.0+really3.0.3/debian/po/nl.po lxc-3.1.0+really3.0.3/debian/po/nl.po --- lxc-3.1.0+really3.0.3/debian/po/nl.po 1970-01-01 01:00:00.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/po/nl.po 2019-03-09 12:54:41.000000000 +0100 
@@ -0,0 +1,58 @@ +# Dutch translation of lxc debconf templates. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the lxc package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# Frans Spiesschaert <frans.spiesscha...@yucom.be>, 2019. +# +msgid "" +msgstr "" +"Project-Id-Version: lxc_1_3.1.0+really3.0.3-2\n" +"Report-Msgid-Bugs-To: l...@packages.debian.org\n" +"POT-Creation-Date: 2018-11-29 22:19+0100\n" +"PO-Revision-Date: 2019-02-12 16:38+0100\n" +"Last-Translator: Frans Spiesschaert <frans.spiesscha...@yucom.be>\n" +"Language-Team: Debian Dutch l10n Team <debian-l10n-du...@lists.debian.org>\n" +"Language: nl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Gtranslator 2.91.7\n" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "Auto update lxc2 configuration format to lxc3?" +msgstr "De lxc2-configuratie-indeling automatisch updaten naar lxc3?" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "" +"LXC 3 comes with many changes for containers' configuration files. It also " +"comes with a binary `/usr/bin/lxc-update-config` that allows one to update " +"his configuration." +msgstr "" +"Met ingang van LXC 3 werden verschillende wijzigingen aangebracht aan de " +"configuratiebestanden van containers. LXC 3 bevat ook een uitvoerbaar " +"bestand `/usr/bin/lxc-update-config` waarmee men zijn configuratie kan " +"updaten." + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "This job can be done either automatically now or manually later." +msgstr "" +"Deze taak kan ofwel nu automatisch uitgevoerd worden of later handmatig " +"gebeuren." + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "" +"Unpriviledged containers configurations will have to be updated manually " +"either way via the `/usr/bin/lxc-update-config` command." 
+msgstr "" +"De configuraties van niet-geprivilegieerde containers zullen hoe dan ook " +"manueel bijgewerkt moeten worden via het commando `/usr/bin/lxc-update-" +"config`."
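Review bot: the -5 changelog entry points at the wrong file. It reads "/etc/default/lxc.conf Change back to lxc.net.0.type (Closes: #923395)", but the file the debdiff actually touches is debian/contrib/default.conf, which the cover letter says ships as /etc/lxc/default.conf; please fix the path so the changelog matches what was changed. The trailer of the cover letter has the same kind of slip: it ends with "unblock lxc/1:3.1.0+really3.0.3-4", which is the version already in testing rather than the -6 being requested.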
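Review bot: the debian/contrib/default.conf hunk restores the indexed key (lxc.net.type → lxc.net.0.type) that LXC 3 expects, which is the right fix for #923395, but nothing in the debdiff exercises the shipped default.conf, so the same regression can come back silently; a build-time or autopkgtest check that creates a container from the shipped file would have caught -4 before it reached testing.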
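Review bot: "lxc_rexec@Base 1:3.0.3" in liblxc1.symbols turns what was a static helper into public ABI of liblxc1, while rexec.h stays under noinst_HEADERS in the same debdiff, so no downstream can obtain a declaration for it; once listed here it has to be maintained across uploads. Since the Makefile.am hunk also compiles rexec.c directly into lxc-attach, the tool carries its own copy of lxc_rexec and does not need the library export at all, so consider keeping the symbol hidden (or at least marking it internal in the symbols file) rather than promising it as ABI.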
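Review bot: the debian/NEWS hunk will be shown to every admin via apt-listchanges, so the spelling should be fixed before upload: "priviledged" → "privileged", "execpt" → "except", "forementionned" → "aforementioned" (and "update automatically your configuration files" → "automatically update your configuration files"). More importantly, this is the -6 entry, yet it says nothing about the CVE-2019-5736 change that -6 actually ships: after patch 0005 only lxc-attach is re-executed from a memfd by default and every other liblxc caller has to opt in through the LXC_MEMFD_REXEC environment variable; that trade-off is exactly what an admin reading NEWS needs to know, and a fourth item stating it (with the variable name) would round the entry out.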
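Review bot: the only change to 0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch is a second copy of the MIME-Version/Content-Type/Content-Transfer-Encoding block in the patch description, and 0005 carries the same duplicated block; this is a gbp pq/quilt refresh artifact and harmless to dpkg-source, but drop the duplicate on the next refresh so the DEP-3 header stays clean.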
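Review bot: the two Makefile.am hunks are asymmetric: rexec.c is added to liblxc_la_SOURCES only inside "if ENFORCE_MEMFD_REXEC", but to lxc_attach_SOURCES unconditionally inside "if ENABLE_TOOLS". In a build where ENFORCE_MEMFD_REXEC is off, lxc-attach still compiles rexec.c and therefore its static liblxc_rexec constructor, so the tool picks up re-execution behaviour the library was configured not to have; move "rexec.c rexec.h" under the same conditional (or guard the whole of rexec.c) so the two agree.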
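Review bot: the loop guard is not visible in the rexec.c hunk. lxc_attach_rexec calls lxc_rexec("lxc-attach") whenever LXC_MEMFD_REXEC is unset, and nothing in the diff sets that variable in the envp handed to the re-executed image, so either lxc_rexec itself notices that /proc/self/exe is already the sealed memfd and returns 0, or the re-executed lxc-attach re-executes again; please confirm which and state it in the comment above lxc_attach_rexec. Note also what the upstream message concedes: with "getenv("LXC_MEMFD_REXEC") && lxc_rexec("liblxc")" the library default is now off, so in buster every tool linked against liblxc other than lxc-attach runs from its on-disk binary unless the admin exports LXC_MEMFD_REXEC; that is upstream's call, but it should be written down in README.Debian or NEWS rather than discoverable only from this patch.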
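Review bot: the lxc_attach.c hunk wraps the constructor in "#ifdef ENFORCE_MEMFD_REXEC", while Makefile.am only tests the automake conditional of that name; unless configure also AC_DEFINEs a preprocessor macro called ENFORCE_MEMFD_REXEC, the constructor compiles out silently and lxc-attach, the one tool this patch says must be protected, ships unprotected. Please verify on the built package rather than by reading the source, e.g. run lxc-attach into a container and check that readlink /proc/<pid>/exe for the running lxc-attach resolves to a "/memfd:lxc-attach (deleted)" entry and not to /usr/bin/lxc-attach. The comment block above the constructor would also benefit from naming the opt-out, since a user who exports LXC_MEMFD_REXEC=0 in the environment will, by the "!getenv(...)" test, disable re-execution of lxc-attach without realising it.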
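Review bot: the nl.po hunk is fine as a translation, but its msgid "Unpriviledged containers configurations will have to be updated manually..." carries the misspelling from debian/templates ("Unpriviledged" → "Unprivileged", "containers configurations" → "container configurations"); correcting the template would fuzzy every existing translation and needs a translation round, so it is not for this unblock, but it should be filed for after buster. The header's Project-Id-Version still reads 1:3.1.0+really3.0.3-2, which is harmless.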