Bug#777649: cgmanager security update for jessie
Quoting Niels Thykier (niels@thykier.net):
> Control: tags -1 moreinfo
>
> On 2015-02-11 05:36, Serge Hallyn wrote:
> > Package: release.debian.org
> > Usertags: jessie-pu
> >
> > A security issue was found in cgmanager, allowing root-owned privileged
> > containers to fully administer cgroups on the host. Two other issues
> > were found which allow cgmanager to be crashed by unprivileged users.
> > These have all been fixed in sid. The debdiff below, against the current
> > jessie package, fixes them for jessie.
> >
> > debdiff:
> >
> > [...]
> > +
> > ++ // Make sure target cgroup is under proxy's
> > ++ int plen = strlen(pcgpath);
> > ++ if (strncmp(pcgpath, path, plen) != 0) {
> > ++ nih_error("%s: target cgroup is not below r (%d)'s", __func__,
> > ++ r.pid);
> > ++ return -1;
> > ++ }
> > ++
> > [...]
>
> Hi,
>
> Is this truly a sufficient test? The above only tests that pcgpath is a
> prefix of path. I do not know exactly what these paths are, so I have
> to ask.
>
> Consider:
>
> pcgpath = "root"
> pcpgpath = "root-acually-not-really"
> plen = strlen(pcgpath) (= 4)
>
> So if only the first plen characters match, they will be considered
> equal. If you know, cases like this cannot happen, then it is fine. I
> just wanted to double check.
Thanks, I appreciate the extra set of eyes.
The situation is that the task making the request (or proxying the request)
is supposed to be locked under its current cgroup, say /a/b/c. It's making
a request pertaining to some cgroup X. We want to make sure that X is
under /a/b/c. Hence the path prefix test.
thanks,
-serge
Reply to: