aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Geerinckx-Rice <me@tobias.gr>2018-08-17 05:16:23 +0200
committerTobias Geerinckx-Rice <me@tobias.gr>2018-08-17 05:19:05 +0200
commitc4f8953a12b8831bcbbea6a217190ac8ca70ae73 (patch)
treea39edd8d0ee519d0dcf23b77de5d78be821af2b0
parent3ef4b301284d3b7039483a249dcb477abcf3dcdc (diff)
downloadguix-c4f8953a12b8831bcbbea6a217190ac8ca70ae73.tar
guix-c4f8953a12b8831bcbbea6a217190ac8ca70ae73.tar.gz
gnu: lxc: Update to 3.0.2.
* gnu/packages/virtualization.scm (lxc): Update to 3.0.2. [source]: Remove patch. * gnu/packages/patches/lxc-CVE-2018-6556.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/lxc-CVE-2018-6556.patch116
-rw-r--r--gnu/packages/virtualization.scm5
3 files changed, 2 insertions, 120 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 1e64015faa..fc674ffff7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -929,7 +929,6 @@ dist_patch_DATA = \
%D%/packages/patches/luit-posix.patch \
%D%/packages/patches/luminance-hdr-qt-printer.patch \
%D%/packages/patches/lvm2-static-link.patch \
- %D%/packages/patches/lxc-CVE-2018-6556.patch \
%D%/packages/patches/lxsession-use-gapplication.patch \
%D%/packages/patches/lyx-2.2.3-fix-test.patch \
%D%/packages/patches/mailutils-uninitialized-memory.patch \
diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch
deleted file mode 100644
index 7eab7101f1..0000000000
--- a/gnu/packages/patches/lxc-CVE-2018-6556.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Fix CVE-2018-6556:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
-https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
-
-Patch copied from upstream source repository:
-
-https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
-
-From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
-index ec9cd97e0..c5beb6c8d 100644
---- a/src/lxc/cmd/lxc_user_nic.c
-+++ b/src/lxc/cmd/lxc_user_nic.c
-@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
- exit(EXIT_FAILURE);
- }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index 530b1f81a..3b854e35b 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index 6a0bebded..0805f5d0d 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -95,6 +95,10 @@
- #define CGROUP2_SUPER_MAGIC 0x63677270
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
-@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);
- extern int lxc_make_tmpfile(char *template, bool rm);
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index a39f2fa58f..7427465f57 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -340,16 +340,15 @@ all common programming languages. Vala bindings are also provided.")
(define-public lxc
(package
(name "lxc")
- (version "3.0.1")
+ (version "3.0.2")
(source (origin
(method url-fetch)
(uri (string-append
"https://linuxcontainers.org/downloads/lxc/lxc-"
version ".tar.gz"))
- (patches (search-patches "lxc-CVE-2018-6556.patch"))
(sha256
(base32
- "1nyml98k28sc5sda0260cmby4irkpnhpwgmx4yhqy10wpr4nr625"))))
+ "0p1gy553cm4mhwxi85fl6qiwz61rjmvysm8c8pd20qh62xxi3dva"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))