Bug#928052: CVE-2019-11502 CVE-2019-11503

2019-06-10 Thread Kentaro Hayashi
Hi, 

Thank you for the feedback.

On Sun, 9 Jun 2019 19:03:19 +0200 Salvatore Bonaccorso  
wrote:
> Hi,
> 
snip
> This should not close the bug yet as it only addresses CVE-2019-11502.
> #928052 tracks both CVE-2019-11502 and CVE-2019-11503. So unless I miss
> something the changes to fix CVE-2019-11503 are still missing.

I've just dropped inappropriate Closes: and attached fixed debdiff again.

Regards,
diff -Nru snapd-2.37.4/debian/changelog snapd-2.37.4/debian/changelog
--- snapd-2.37.4/debian/changelog	2019-03-01 02:21:26.0 +0900
+++ snapd-2.37.4/debian/changelog	2019-06-09 13:49:16.0 +0900
@@ -1,3 +1,12 @@
+snapd (2.37.4-1.1) unstable; urgency=medium
+
+  [ Kentaro Hayashi ]
+  * Non-maintainer upload.
+  * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp
+directory.
+
+ -- Kentaro Hayashi   Sun, 09 Jun 2019 13:49:16 +0900
+
 snapd (2.37.4-1) unstable; urgency=medium
 
   * New upstream release
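Review bot: The continuation line `+directory.` is unindented as shown, while dpkg-parsechangelog expects every change line to be indented by at least two spaces; verify the indentation survived the paste. The entry now correctly carries no Closes: for #928052, since that bug also tracks CVE-2019-11503 which this upload does not fix; stating the CVE id explicitly on the changelog line, e.g. `fix unintended access to a private /tmp directory (CVE-2019-11502)`, keeps the security tracker's parsing unambiguous.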
diff -Nru snapd-2.37.4/debian/patches/CVE-2019-11502.patch snapd-2.37.4/debian/patches/CVE-2019-11502.patch
--- snapd-2.37.4/debian/patches/CVE-2019-11502.patch	1970-01-01 09:00:00.0 +0900
+++ snapd-2.37.4/debian/patches/CVE-2019-11502.patch	2019-06-09 13:49:16.0 +0900
@@ -0,0 +1,58 @@
+From bdbfeebef03245176ae0dc323392bb0522a339b1 Mon Sep 17 00:00:00 2001 
+From: Zygmunt Krynicki 
+Date: Mon, 4 Mar 2019 18:40:11 +0100
+Subject: [PATCH] cmd/snap-confine: chown private /tmp parent to root.root  
+Origin: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928052
+Forwarded: not-needed
+
+When snap-confine creates a private /tmp directory for a given snap it 
+first creates a temporary directory in /tmp/ named after the snap, along   
+with a random name. Inside that directory it creates a /tmp directory
+with permissions appropriate for a future /tmp, namely 1777.
+
+Up until recently the that directory was owned by the user who first
+invoked snap-confine. Since the directory is reused by all the users on
+the system this logic makes no sense.
+
+This patch changes the related logic so that the private /tmp directory
+is owned by root, just like the real one.
+
+Signed-off-by: Zygmunt Krynicki 
+
+Drop this patch when this package is upgraded to 2.38 or newer version.
+This patch includes two commit:
+
+* https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
+* https://github.com/snapcore/snapd/commit/1d7b5d8bea96139d3d9b301e6c06534d8fc95eff
+
+--- a/cmd/snap-confine/mount-support.c
 b/cmd/snap-confine/mount-support.c
+@@ -62,8 +62,6 @@
+ // TODO: fold this into bootstrap
+ static void setup_private_mount(const char *snap_name)
+ {
+-	uid_t uid = getuid();
+-	gid_t gid = getgid();
+ 	char tmpdir[MAX_BUF] = { 0 };
+ 
+ 	// Create a 0700 base directory, this is the base dir that is
+@@ -71,8 +69,7 @@
+ 	//
+ 	// Under that basedir, we put a 1777 /tmp dir that is then bind
+ 	// mounted for the applications to use
+-	sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%d_%s_XX", uid,
+-			 snap_name);
++	sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%s_XX", snap_name);
+ 	if (mkdtemp(tmpdir) == NULL) {
+ 		die("cannot create temporary directory essential for private /tmp");
+ 	}
+@@ -99,7 +96,7 @@
+ 	// MS_PRIVATE needs linux > 2.6.11
+ 	sc_do_mount("none", "/tmp", NULL, MS_PRIVATE, NULL);
+ 	// do the chown after the bind mount to avoid potential shenanigans
+-	if (chown("/tmp/", uid, gid) < 0) {
++	if (chown("/tmp/", 0, 0) < 0) {
+ 		die("cannot change ownership of /tmp");
+ 	}
+ 	// chdir to original directory
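Review bot: The embedded upstream diff is missing its `+++ b/cmd/snap-confine/mount-support.c` header: the line following `+--- a/cmd/snap-confine/mount-support.c` reads only ` b/cmd/snap-confine/mount-support.c` here, and without the `+++` marker quilt and dpkg-source cannot apply the patch, so check that the header survived the paste. The mkdtemp template in the added line `+	sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%s_XX", snap_name);` ends in only two X characters as shown; mkdtemp(3) requires the template to end in six and fails with EINVAL otherwise, so verify that `_XXXXXX` was not truncated (the removed line shows the same shortened form, which points to a copy artifact rather than the backport itself). The DEP-3 header lists only commit bdbfeebef03245176ae0dc323392bb0522a339b1 as Origin while the description says the patch also folds in 1d7b5d8bea96139d3d9b301e6c06534d8fc95eff; naming both in Origin (or using `Origin: backport, <url>`) makes it clear what can be dropped at 2.38.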
diff -Nru snapd-2.37.4/debian/patches/series snapd-2.37.4/debian/patches/series
--- snapd-2.37.4/debian/patches/series	2019-03-01 02:21:26.0 +0900
+++ snapd-2.37.4/debian/patches/series	2019-06-09 13:43:42.0 +0900
@@ -6,3 +6,4 @@
 0006-systemd-disable-snapfuse-system.patch
 0007-i18n-use-dummy-localizations-to-avoid-dependencies.patch
 0010-man-page-sections.patch
+CVE-2019-11502.patch
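Review bot: Only CVE-2019-11502.patch is added to series; since #928052 also tracks CVE-2019-11503, fixed upstream in commit 187893dee84e34ed40680217d2c3ce810985f97e according to Hideki Yamane's mail in this thread, a second patch for that issue still needs to be added here before the bug can be closed.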


Bug#928052: CVE-2019-11502 CVE-2019-11503

2019-06-09 Thread Salvatore Bonaccorso
Hi,

I have not reviewed the whole patch but the following appeared on my
radar while reviewing:

On Sun, Jun 09, 2019 at 05:09:15PM +0900, Kentaro Hayashi wrote:
> +  [ Kentaro Hayashi ]
> +  * Non-maintainer upload.
> +  * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp
> +directory. (Closes: #928052)

This should not close the bug yet as it only addresses CVE-2019-11502.
#928052 tracks both CVE-2019-11502 and CVE-2019-11503. So unless I miss
something the changes to fix CVE-2019-11503 are still missing.

Regards,
Salvatore



Bug#928052: CVE-2019-11502 CVE-2019-11503

2019-06-09 Thread Kentaro Hayashi
control: tags -1 +patch

I've tried to fix only CVE-2019-11502 as a challenge.
The debdiff patch is added.

I hope it will help to fix.




diff -Nru snapd-2.37.4/debian/changelog snapd-2.37.4/debian/changelog
--- snapd-2.37.4/debian/changelog	2019-03-01 02:21:26.0 +0900
+++ snapd-2.37.4/debian/changelog	2019-06-09 13:49:16.0 +0900
@@ -1,3 +1,12 @@
+snapd (2.37.4-1.1) unstable; urgency=medium
+
+  [ Kentaro Hayashi ]
+  * Non-maintainer upload.
+  * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp
+directory. (Closes: #928052)
+
+ -- Kentaro Hayashi   Sun, 09 Jun 2019 13:49:16 +0900
+
 snapd (2.37.4-1) unstable; urgency=medium
 
   * New upstream release
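Review bot: `(Closes: #928052)` on the `d/patches/CVE-2019-11502.patch` line would close a bug that also tracks CVE-2019-11503, which this upload does not touch; drop the Closes: (or reference only the CVE id) until both issues are fixed. The continuation line `+directory. (Closes: #928052)` also appears unindented here, whereas dpkg-parsechangelog expects change lines indented by at least two spaces, so check that the indentation survived the paste.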
diff -Nru snapd-2.37.4/debian/patches/CVE-2019-11502.patch snapd-2.37.4/debian/patches/CVE-2019-11502.patch
--- snapd-2.37.4/debian/patches/CVE-2019-11502.patch	1970-01-01 09:00:00.0 +0900
+++ snapd-2.37.4/debian/patches/CVE-2019-11502.patch	2019-06-09 13:49:16.0 +0900
@@ -0,0 +1,58 @@
+From bdbfeebef03245176ae0dc323392bb0522a339b1 Mon Sep 17 00:00:00 2001 
+From: Zygmunt Krynicki 
+Date: Mon, 4 Mar 2019 18:40:11 +0100
+Subject: [PATCH] cmd/snap-confine: chown private /tmp parent to root.root  
+Origin: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928052
+Forwarded: not-needed
+
+When snap-confine creates a private /tmp directory for a given snap it 
+first creates a temporary directory in /tmp/ named after the snap, along   
+with a random name. Inside that directory it creates a /tmp directory
+with permissions appropriate for a future /tmp, namely 1777.
+
+Up until recently the that directory was owned by the user who first
+invoked snap-confine. Since the directory is reused by all the users on
+the system this logic makes no sense.
+
+This patch changes the related logic so that the private /tmp directory
+is owned by root, just like the real one.
+
+Signed-off-by: Zygmunt Krynicki 
+
+Drop this patch when this package is upgraded to 2.38 or newer version.
+This patch includes two commit:
+
+* https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
+* https://github.com/snapcore/snapd/commit/1d7b5d8bea96139d3d9b301e6c06534d8fc95eff
+
+--- a/cmd/snap-confine/mount-support.c
 b/cmd/snap-confine/mount-support.c
+@@ -62,8 +62,6 @@
+ // TODO: fold this into bootstrap
+ static void setup_private_mount(const char *snap_name)
+ {
+-	uid_t uid = getuid();
+-	gid_t gid = getgid();
+ 	char tmpdir[MAX_BUF] = { 0 };
+ 
+ 	// Create a 0700 base directory, this is the base dir that is
+@@ -71,8 +69,7 @@
+ 	//
+ 	// Under that basedir, we put a 1777 /tmp dir that is then bind
+ 	// mounted for the applications to use
+-	sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%d_%s_XX", uid,
+-			 snap_name);
++	sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%s_XX", snap_name);
+ 	if (mkdtemp(tmpdir) == NULL) {
+ 		die("cannot create temporary directory essential for private /tmp");
+ 	}
+@@ -99,7 +96,7 @@
+ 	// MS_PRIVATE needs linux > 2.6.11
+ 	sc_do_mount("none", "/tmp", NULL, MS_PRIVATE, NULL);
+ 	// do the chown after the bind mount to avoid potential shenanigans
+-	if (chown("/tmp/", uid, gid) < 0) {
++	if (chown("/tmp/", 0, 0) < 0) {
+ 		die("cannot change ownership of /tmp");
+ 	}
+ 	// chdir to original directory
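Review bot: Two lines of the embedded upstream diff look damaged as pasted: the `+++ b/cmd/snap-confine/mount-support.c` header is reduced to ` b/cmd/snap-confine/mount-support.c`, which would keep quilt from applying the patch, and the mkdtemp template `"/tmp/snap.%s_XX"` carries only two trailing X characters where mkdtemp(3) needs six. Verify both against the upstream commit bdbfeebef03245176ae0dc323392bb0522a339b1 before uploading.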
diff -Nru snapd-2.37.4/debian/patches/series snapd-2.37.4/debian/patches/series
--- snapd-2.37.4/debian/patches/series	2019-03-01 02:21:26.0 +0900
+++ snapd-2.37.4/debian/patches/series	2019-06-09 13:43:42.0 +0900
@@ -6,3 +6,4 @@
 0006-systemd-disable-snapfuse-system.patch
 0007-i18n-use-dummy-localizations-to-avoid-dependencies.patch
 0010-man-page-sections.patch
+CVE-2019-11502.patch


Bug#928052: CVE-2019-11502 CVE-2019-11503

2019-05-29 Thread Hideki Yamane
control: tags -1 +fixed-upstream

On Fri, 26 Apr 2019 23:04:05 +0200 Moritz Muehlenhoff  wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11502

It was fixed in upstream 2.38

https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11503

It was fixed in upstream 2.39

https://github.com/snapcore/snapd/commit/187893dee84e34ed40680217d2c3ce810985f97e

-- 
Hideki Yamane 



Bug#928052: CVE-2019-11502 CVE-2019-11503

2019-04-26 Thread Moritz Muehlenhoff
Source: snapd
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11503

Cheers,
Moritz