aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/lxc-CVE-2018-6556.patch116
-rw-r--r--gnu/packages/virtualization.scm1
3 files changed, 118 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index ef28cf032c..c54a297209 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -924,6 +924,7 @@ dist_patch_DATA = \
%D%/packages/patches/luit-posix.patch \
%D%/packages/patches/luminance-hdr-qt-printer.patch \
%D%/packages/patches/lvm2-static-link.patch \
+ %D%/packages/patches/lxc-CVE-2018-6556.patch \
%D%/packages/patches/lxsession-use-gapplication.patch \
%D%/packages/patches/lyx-2.2.3-fix-test.patch \
%D%/packages/patches/mailutils-uninitialized-memory.patch \
diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch
new file mode 100644
index 0000000000..7eab7101f1
--- /dev/null
+++ b/gnu/packages/patches/lxc-CVE-2018-6556.patch
@@ -0,0 +1,116 @@
+Fix CVE-2018-6556:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
+https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
+
+Patch copied from upstream source repository:
+
+https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
+
+From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c | 12 ++++++++++++
+ src/lxc/utils.h | 5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index ec9cd97e0..c5beb6c8d 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
+ exit(EXIT_FAILURE);
+ }
+ } else if (request == LXC_USERNIC_DELETE) {
+- netns_fd = open(args.pid, O_RDONLY);
++ char opath[LXC_PROC_PID_FD_LEN];
++
++ /* Open the path with O_PATH which will not trigger an actual
++ * open(). Don't report an errno to the caller to not leak
++ * information whether the path exists or not.
++ * When stracing setuid is stripped so this is not a concern
++ * either.
++ */
++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ if (netns_fd < 0) {
+- usernic_error("Could not open \"%s\": %s\n", args.pid,
+- strerror(errno));
++ usernic_error("Failed to open \"%s\"\n", args.pid);
++ exit(EXIT_FAILURE);
++ }
++
++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ /* Now get an fd that we can use in setns() calls. */
++ ret = open(opath, O_RDONLY | O_CLOEXEC);
++ if (ret < 0) {
++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++ close(netns_fd);
+ exit(EXIT_FAILURE);
+ }
++ close(netns_fd);
++ netns_fd = ret;
+ }
+
+ if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 530b1f81a..3b854e35b 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+ return has_type;
+ }
+
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++ int ret;
++ struct statfs sb;
++
++ ret = fstatfs(fd, &sb);
++ if (ret < 0)
++ return false;
++
++ return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 6a0bebded..0805f5d0d 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -95,6 +95,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index e4120de38f..192d599a3d 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -347,6 +347,7 @@ all common programming languages. Vala bindings are also provided.")
(uri (string-append
"https://linuxcontainers.org/downloads/lxc/lxc-"
version ".tar.gz"))
+ (patches (search-patches "lxc-CVE-2018-6556.patch"))
(sha256
(base32
"1nyml98k28sc5sda0260cmby4irkpnhpwgmx4yhqy10wpr4nr625"))))