diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/lxc-CVE-2018-6556.patch | 116 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 1 |
3 files changed, 118 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index ef28cf032c..c54a297209 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -924,6 +924,7 @@ dist_patch_DATA = \ %D%/packages/patches/luit-posix.patch \ %D%/packages/patches/luminance-hdr-qt-printer.patch \ %D%/packages/patches/lvm2-static-link.patch \ + %D%/packages/patches/lxc-CVE-2018-6556.patch \ %D%/packages/patches/lxsession-use-gapplication.patch \ %D%/packages/patches/lyx-2.2.3-fix-test.patch \ %D%/packages/patches/mailutils-uninitialized-memory.patch \ diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch new file mode 100644 index 0000000000..7eab7101f1 --- /dev/null +++ b/gnu/packages/patches/lxc-CVE-2018-6556.patch @@ -0,0 +1,116 @@ +Fix CVE-2018-6556: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556 +https://bugzilla.suse.com/show_bug.cgi?id=988348#c8 + +Patch copied from upstream source repository: + +https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032 + +From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001 +From: Christian Brauner <christian.brauner@ubuntu.com> +Date: Wed, 25 Jul 2018 19:56:54 +0200 +Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic + +Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> +--- + src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- + src/lxc/utils.c | 12 ++++++++++++ + src/lxc/utils.h | 5 +++++ + 3 files changed, 49 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c +index ec9cd97e0..c5beb6c8d 100644 +--- a/src/lxc/cmd/lxc_user_nic.c ++++ b/src/lxc/cmd/lxc_user_nic.c +@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[]) + exit(EXIT_FAILURE); + } + } else if (request == LXC_USERNIC_DELETE) { +- netns_fd = open(args.pid, O_RDONLY); ++ char opath[LXC_PROC_PID_FD_LEN]; ++ ++ /* Open the path with O_PATH which will not trigger an actual ++ * open(). Don't report an errno to the caller to not leak ++ * information whether the path exists or not. ++ * When stracing setuid is stripped so this is not a concern ++ * either. ++ */ ++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); + if (netns_fd < 0) { +- usernic_error("Could not open \"%s\": %s\n", args.pid, +- strerror(errno)); ++ usernic_error("Failed to open \"%s\"\n", args.pid); ++ exit(EXIT_FAILURE); ++ } ++ ++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { ++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); ++ if (ret < 0 || (size_t)ret >= sizeof(opath)) { ++ close(netns_fd); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* Now get an fd that we can use in setns() calls. */ ++ ret = open(opath, O_RDONLY | O_CLOEXEC); ++ if (ret < 0) { ++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); ++ close(netns_fd); + exit(EXIT_FAILURE); + } ++ close(netns_fd); ++ netns_fd = ret; + } + + if (!create_db_dir(LXC_USERNIC_DB)) { +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 530b1f81a..3b854e35b 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) + return has_type; + } + ++bool fhas_fs_type(int fd, fs_type_magic magic_val) ++{ ++ int ret; ++ struct statfs sb; ++ ++ ret = fstatfs(fd, &sb); ++ if (ret < 0) ++ return false; ++ ++ return is_fs_type(&sb, magic_val); ++} ++ + bool lxc_nic_exists(char *nic) + { + #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 6a0bebded..0805f5d0d 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -95,6 +95,10 @@ + #define CGROUP2_SUPER_MAGIC 0x63677270 + #endif + ++#ifndef NSFS_MAGIC ++#define NSFS_MAGIC 0x6e736673 ++#endif ++ + /* Useful macros */ + /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ + #define LXC_NUMSTRLEN64 21 +@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz); + /* __typeof__ should be safe to use with all compilers. */ + typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; + extern bool has_fs_type(const char *path, fs_type_magic magic_val); ++extern bool fhas_fs_type(int fd, fs_type_magic magic_val); + extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); + extern bool lxc_nic_exists(char *nic); + extern int lxc_make_tmpfile(char *template, bool rm); diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index e4120de38f..192d599a3d 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -347,6 +347,7 @@ all common programming languages. Vala bindings are also provided.") (uri (string-append "https://linuxcontainers.org/downloads/lxc/lxc-" version ".tar.gz")) + (patches (search-patches "lxc-CVE-2018-6556.patch")) (sha256 (base32 "1nyml98k28sc5sda0260cmby4irkpnhpwgmx4yhqy10wpr4nr625")))) |