[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#857468: marked as done (jessie-pu: package lxc/1:1.0.6-6+deb8u6)

Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #857468,
regarding jessie-pu: package lxc/1:1.0.6-6+deb8u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
857468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857468
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Ohai,

I would like to upload lxc/1:1.0.6-6+deb8u6 for Jessie and seek your (pre-)approval.

The reason for the upload is to fix #857295 aka
 CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership
The patch for that is straight from upstream's stable-1.0 branch.

The same fix went in towards Stretch in #857442.

Thanks
Evgeni

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 65b7aad..9867357 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lxc (1:1.0.6-6+deb8u6) jessie; urgency=medium
+
+  * CVE-2017-5985: Ensure target netns is caller-owned (Closes: #857295)
+
+ -- Evgeni Golov <evgeni@debian.org>  Sat, 11 Mar 2017 10:42:30 +0100
+
 lxc (1:1.0.6-6+deb8u5) jessie; urgency=medium
 
   * attach: do not send procfd to attached process
diff --git a/debian/patches/0027-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch b/debian/patches/0027-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch
new file mode 100644
index 0000000..206ee15
--- /dev/null
+++ b/debian/patches/0027-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch
@@ -0,0 +1,205 @@
+From c905f00ad78b78a5e9c0d67504b86e00dfe085ec Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Sat, 11 Feb 2017 13:27:06 +0100
+Subject: [PATCH] CVE-2017-5985: Ensure target netns is caller-owned
+
+Before this commit, lxc-user-nic could potentially have been tricked into
+operating on a network namespace over which the caller did not hold privilege.
+
+This commit ensures that the caller is privileged over the network namespace by
+temporarily dropping privilege.
+
+Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/lxc_user_nic.c | 130 ++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 96 insertions(+), 34 deletions(-)
+
+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
+index 8981e11a..08123860 100644
+--- a/src/lxc/lxc_user_nic.c
++++ b/src/lxc/lxc_user_nic.c
+@@ -49,6 +49,14 @@
+ #include "utils.h"
+ #include "network.h"
+ 
++#define usernic_debug_stream(stream, format, ...)                              \
++	do {                                                                   \
++		fprintf(stream, "%s: %d: %s: " format, __FILE__, __LINE__,     \
++			__func__, __VA_ARGS__);                                \
++	} while (false)
++
++#define usernic_error(format, ...) usernic_debug_stream(stderr, format, __VA_ARGS__)
++
+ static void usage(char *me, bool fail)
+ {
+ 	fprintf(stderr, "Usage: %s pid type bridge nicname\n", me);
+@@ -153,7 +161,7 @@ static char *get_eow(char *s, char *e)
+ static char *find_line(char *p, char *e, char *u, char *t, char *l)
+ {
+ 	char *p1, *p2, *ret;
+-	
++
+ 	while (p<e  && (p1 = get_eol(p, e)) < e) {
+ 		ret = p;
+ 		if (*p == '#')
+@@ -473,68 +481,122 @@ again:
+ static int rename_in_ns(int pid, char *oldname, char **newnamep)
+ {
+ 	char nspath[MAXPATHLEN];
++	uid_t ruid, suid, euid;
++	int fret = -1;
+ 	int fd = -1, ofd = -1, ret, ifindex = -1;
+ 	bool grab_newname = false;
+ 
+ 	ret = snprintf(nspath, MAXPATHLEN, "/proc/%d/ns/net", getpid());
+ 	if (ret < 0 || ret >= MAXPATHLEN)
+-		return -1;
++		goto do_partial_cleanup;
++
+ 	if ((ofd = open(nspath, O_RDONLY)) < 0) {
+-		fprintf(stderr, "Opening %s\n", nspath);
+-		return -1;
++		usernic_error("Failed opening network namespace path for '%d'.", getpid());
++		goto do_partial_cleanup;
+ 	}
++
+ 	ret = snprintf(nspath, MAXPATHLEN, "/proc/%d/ns/net", pid);
+ 	if (ret < 0 || ret >= MAXPATHLEN)
+-		goto out_err;
++		goto do_partial_cleanup;
+ 
+ 	if ((fd = open(nspath, O_RDONLY)) < 0) {
+-		fprintf(stderr, "Opening %s\n", nspath);
+-		goto out_err;
++		usernic_error("Failed opening network namespace path for '%d'.", pid);
++		goto do_partial_cleanup;
+ 	}
+-	if (setns(fd, 0) < 0) {
+-		fprintf(stderr, "setns to container network namespace\n");
+-		goto out_err;
++
++	ret = getresuid(&ruid, &euid, &suid);
++	if (ret < 0) {
++		usernic_error("Failed to retrieve real, effective, and saved "
++			      "user IDs: %s\n",
++			      strerror(errno));
++		goto do_partial_cleanup;
++	}
++
++	ret = setns(fd, CLONE_NEWNET);
++	close(fd);
++	fd = -1;
++	if (ret < 0) {
++		usernic_error("Failed to setns() to the network namespace of "
++			      "the container with PID %d: %s.\n",
++			      pid, strerror(errno));
++		goto do_partial_cleanup;
++	}
++
++	ret = setresuid(ruid, ruid, 0);
++	if (ret < 0) {
++		usernic_error("Failed to drop privilege by setting effective "
++			      "user id and real user id to %d, and saved user "
++			      "ID to 0: %s.\n",
++			      ruid, strerror(errno));
++		// COMMENT(brauner): It's ok to jump to do_full_cleanup here
++		// since setresuid() will succeed when trying to set real,
++		// effective, and saved to values they currently have.
++		goto do_full_cleanup;
+ 	}
+-	close(fd); fd = -1;
++
+ 	if (!*newnamep) {
+ 		grab_newname = true;
+ 		*newnamep = VETH_DEF_NAME;
+-		if (!(ifindex = if_nametoindex(oldname))) {
+-			fprintf(stderr, "failed to get netdev index\n");
+-			goto out_err;
++
++		ifindex = if_nametoindex(oldname);
++		if (!ifindex) {
++			usernic_error("Failed to get netdev index: %s.\n",
++				      strerror(errno));
++			goto do_full_cleanup;
+ 		}
+ 	}
+-	if ((ret = lxc_netdev_rename_by_name(oldname, *newnamep)) < 0) {
+-		fprintf(stderr, "Error %d renaming netdev %s to %s in container\n", ret, oldname, *newnamep);
+-		goto out_err;
++
++	ret = lxc_netdev_rename_by_name(oldname, *newnamep);
++	if (ret < 0) {
++		usernic_error(
++		    "Error %d renaming netdev %s to %s in container.\n", ret,
++		    oldname, *newnamep);
++		goto do_full_cleanup;
+ 	}
++
+ 	if (grab_newname) {
+-		char ifname[IFNAMSIZ], *namep = ifname;
++		char ifname[IFNAMSIZ];
++		char *namep = ifname;
+ 		if (!if_indextoname(ifindex, namep)) {
+-			fprintf(stderr, "Failed to get new netdev name\n");
+-			goto out_err;
++			usernic_error("Failed to get new netdev name: %s.\n",
++				      strerror(errno));
++			goto do_full_cleanup;
+ 		}
+ 		*newnamep = strdup(namep);
+ 		if (!*newnamep)
+-			goto out_err;
+-	}
+-	if (setns(ofd, 0) < 0) {
+-		fprintf(stderr, "Error returning to original netns\n");
+-		close(ofd);
+-		return -1;
++			goto do_full_cleanup;
+ 	}
+-	close(ofd);
+ 
+-	return 0;
++	fret = 0;
+ 
+-out_err:
+-	if (ofd >= 0)
+-		close(ofd);
+-	if (setns(ofd, 0) < 0)
+-		fprintf(stderr, "Error returning to original network namespace\n");
++do_full_cleanup:
++	ret = setresuid(ruid, euid, suid);
++	if (ret < 0) {
++		usernic_error(
++		    "Failed to restore privilege by setting effective "
++		    "user id to %d, real user id to %d, and saved user "
++		    "ID to %d: %s.\n",
++		    ruid, euid, suid, strerror(errno));
++		fret = -1;
++		// COMMENT(brauner): setns() should fail if setresuid() doesn't
++		// succeed but there's no harm in falling through; keeps the
++		// code cleaner.
++	}
++
++	ret = setns(ofd, CLONE_NEWNET);
++	if (ret < 0) {
++		usernic_error("Failed to setns() to original network namespace "
++			      "of PID %d: %s.\n",
++			      ofd, strerror(errno));
++		fret = -1;
++	}
++
++do_partial_cleanup:
+ 	if (fd >= 0)
+ 		close(fd);
+-	return -1;
++	close(ofd);
++
++	return fret;
+ }
+ 
+ /*
+-- 
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index c97b6c5..4c1313c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@
 0024-lxc-alpine-fix-verification-of-apk.static-binary.patch
 0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch
 0026-CVE-2016-8649_do-not-send-procfd-to-attached-process.patch
+0027-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch

--- End Message ---
--- Begin Message --- 
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: