author | Jakub Jirutka <jakub@jirutka.cz> | 2018-08-06 18:19:20 +0000 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-08-06 20:19:52 +0200 |
commit | 3b59bf1ceb65a93255af5cf0093680e635415adc (patch) | |
tree | 602430d7d1c8cec1e1a7c25e942a30f9ae926243 | |
parent | 7b1f6c1d9f25e866cfd69aa58105fc54a38fe332 (diff) | |
main/lxc: fix CVE-2018-6556
-rw-r--r-- | main/lxc/APKBUILD | 10 | ||||
-rw-r--r-- | main/lxc/CVE-2018-6556.patch | 132 |
2 files changed, 140 insertions, 2 deletions
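--- a/main/lxc/APKBUILD
+++ b/main/lxc/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=lxc
 pkgver=2.0.9
 _pkgver=${pkgver/_rc/.rc}
-pkgrel=0
+pkgrel=1
 pkgdesc="Userspace interface for the Linux kernel containment features"
 url="https://linuxcontainers.org/lxc/"
 arch="all"
@@ -24,9 +24,14 @@ source="https://github.com/lxc/lxc/archive/lxc-$_pkgver.tar.gz
 lxc.conf
 
 download-template-tmpfs.patch
+CVE-2018-6556.patch
 "
 builddir="$srcdir/lxc-lxc-$_pkgver"
 
+# secfixes:
+# 2.0.9-r1:
+# - CVE-2018-6556
+
 _tmpldir="usr/share/lxc/templates"
 
 prepare() {
@@ -149,4 +154,5 @@ sha512sums="c2eb65565efb54e31ba2de61e6768a03142d940bcfda3a85c7fd7cd51bfed206aa4e
 e2ffcbf55447291a8434a4f37255c3a6a119bc4116c75d205006aa2b070bf6be28535cf6107bead14bbf64bf9fa415346ab544bd1c15e1add7d1c6380e6b2def version.patch
 1037e0b773553aa04b619cec7cfc8fa504af830e58c8211eda367da7e36aeb88f45fca1f955a08fc4fa3f9da660017d5fe7145a326a2064cf15e24d1772d9e27 lxc.initd
 5b83b0323e58bf00bd1e124c265729499cee97559b6fe18482962e3bed50d121b4c7a09f25cbce7b1e18d4234627bc4b4581ba2060e33cd022f105b4429cef01 lxc.conf
-d055df5f7cc1001829f6eaef4c31c50088eeb7965d57b756e17b05dddeb86cf5648470c6711471fd0092418b95214ad5dc15c33d8db284f242773dd432ea51e0 download-template-tmpfs.patch"
+d055df5f7cc1001829f6eaef4c31c50088eeb7965d57b756e17b05dddeb86cf5648470c6711471fd0092418b95214ad5dc15c33d8db284f242773dd432ea51e0 download-template-tmpfs.patch
+3409711430072a3d4b8e7496aac8f655fe75d5b2b299bb0def17d119361611f2659a746a3f9c6aff539a13c3fbd8486dcaaff23a27a2b9d533673da524f4f095 CVE-2018-6556.patch"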
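--- /dev/null
+++ b/main/lxc/CVE-2018-6556.patch
@@ -0,0 +1,132 @@
+From 5eb45428b312e978fb9e294dde16efb14dd9fa4d Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+
+Patch-Source: https://github.com/lxc/lxc/commit/5eb45428b312e978fb9e294dde16efb14dd9fa4d
+https://github.com/lxc/lxc/commit/f96f5f3c1341e73ee51c8b49bef4ba571c562d8c
+---
+src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+src/lxc/utils.c | 12 ++++++++++++
+src/lxc/utils.h | 5 +++++
+3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
+index 2a5c3a43a..b7c72abd7 100644
+--- a/src/lxc/lxc_user_nic.c
++++ b/src/lxc/lxc_user_nic.c
+@@ -1129,12 +1129,41 @@ int main(int argc, char *argv[])
+exit(EXIT_FAILURE);
+}
+} else if (request == LXC_USERNIC_DELETE) {
+- netns_fd = open(args.pid, O_RDONLY);
++ char opath[LXC_PROC_PID_FD_LEN];
++
++ /* Open the path with O_PATH which will not trigger an actual
++ * open(). Don't report an errno to the caller to not leak
++ * information whether the path exists or not.
++ * When stracing setuid is stripped so this is not a concern
++ * either.
++ */
++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+if (netns_fd < 0) {
+- usernic_error("Could not open \"%s\": %s\n", args.pid,
+- strerror(errno));
++ usernic_error("Failed to open \"%s\"\n", args.pid);
+exit(EXIT_FAILURE);
+}
++
++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ /* Now get an fd that we can use in setns() calls. */
++ ret = open(opath, O_RDONLY | O_CLOEXEC);
++ if (ret < 0) {
++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++ close(netns_fd);
++ netns_fd = ret;
+}
+
+if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 10e14b7f3..eb0af8222 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2319,6 +2319,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+return has_type;
+}
+
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++ int ret;
++ struct statfs sb;
++
++ ret = fstatfs(fd, &sb);
++ if (ret < 0)
++ return false;
++
++ return is_fs_type(&sb, magic_val);
++}
++
+bool lxc_nic_exists(char *nic)
+{
+#define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index a2bad89db..e4d8519db 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -99,6 +99,17 @@
+#define LXC_NUMSTRLEN64 21
+#define LXC_LINELEN 4096
+#define LXC_IDMAPLEN 4096
++/* /proc/ = 6
++ * +
++ * <pid-as-str> = LXC_NUMSTRLEN64
++ * +
++ * /fd/ = 4
++ * +
++ * <fd-as-str> = LXC_NUMSTRLEN64
++ * +
++ * \0 = 1
++ */
++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
+
+/* returns 1 on success, 0 if there were any failures */
+extern int lxc_rmdir_onedev(char *path, const char *exclude);
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index e4d8519db..56fed0a42 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -94,6 +94,10 @@
+#define CGROUP2_SUPER_MAGIC 0x63677270
+#endif
+
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+/* Useful macros */
+/* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+#define LXC_NUMSTRLEN64 21
+@@ -555,6 +559,7 @@ extern void *must_realloc(void *orig, size_t sz);
+/* __typeof__ should be safe to use with all compilers. */
+typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+extern bool lxc_nic_exists(char *nic);
+extern int lxc_make_tmpfile(char *template, bool rm);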
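Review bot: In the lxc_user_nic.c hunk, `if (!fhas_fs_type(netns_fd, NSFS_MAGIC))` establishes only that args.pid resolves to an nsfs inode, so a user, pid or mount namespace file passes the check as well, and the message `Path \"%s\" does not refer to a network namespace path` claims more than was verified. Rejecting a namespace of the wrong type therefore depends on the later setns() being invoked with CLONE_NEWNET, which lies outside this hunk and is worth confirming; a comment on the check such as `/* NSFS_MAGIC proves a namespace file, not a network namespace; setns(fd, CLONE_NEWNET) must reject the rest */` would record that dependency. Separately, fstatfs() on an O_PATH descriptor is only supported on newer kernels (Linux 3.12 and later, as far as I recall), so on older kernels fhas_fs_type() in the utils.c hunk returns false and the delete request fails closed, which is the safe direction but could be stated in its header comment. main() in lxc_user_nic.c begins and ends outside the hunk.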