Bug#924427: marked as done (unblock: lxc/1:3.1.0+really3.0.3-4)



Your message dated Wed, 13 Mar 2019 20:52:45 +0000
with message-id <E1h4Arl-0003dh-Os@respighi.debian.org>
and subject line unblock lxc
has caused the Debian Bug report #924427,
regarding unblock: lxc/1:3.1.0+really3.0.3-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924427
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Managers,

I'd like to ask you to please unblock package lxc version
1:3.1.0+really3.0.3-6 currently lying in unstable, so it replaces lxc
version 1:3.1.0+really3.0.3-4 currently in testing.

Indeed, Antonio Terceiro did an upload for 1:3.1.0+really3.0.3-5 in
unstable on March the 2nd, with changes regarding Debconf translation in
Dutch (see bug #923328 [0]) and another change to fix an issue I
introduced in the provided `/etc/lxc/default.conf` file, which made it
not usable without a fix by the end user. (see bug #923395 [1])

Although these changes should have reached testing before the freeze, I
realized that changes I've made for 1:3.1.0+really3.0.3-4 to fix a CVE
introduced some anomalies due to upstream patch not being enough (see
bug #923932 [2]), and that I forgot to update debian/NEWS with proper
instructions regarding the breaking changes from LXC2 to 3. (explain the
reason for the unblock here)

Hence I did a 1:3.1.0+really3.0.3-6 upload in unstable to include these
changes, and it reset the counter for -5.

Attached is a debdiff between testing and unstable.

Thanks a lot for considering such an unblock.

With best regards,

unblock lxc/1:3.1.0+really3.0.3-4

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru lxc-3.1.0+really3.0.3/debian/changelog lxc-3.1.0+really3.0.3/debian/changelog
--- lxc-3.1.0+really3.0.3/debian/changelog	2019-02-16 16:21:41.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/changelog	2019-03-09 15:49:21.000000000 +0100
@@ -1,3 +1,22 @@
+lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium
+
+  * d/patches/0005: Tweaks the 0004 patch for CVE-2019-5736 (Closes: #923932)
+  * d/NEWS: summary of the important changes since LXC2.
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Sat, 09 Mar 2019 15:49:21 +0100
+
+lxc (1:3.1.0+really3.0.3-5) unstable; urgency=medium
+
+  [ Christian Kastner ]
+  * /etc/default/lxc.conf Change back to lxc.net.0.type
+    (Closes: #923395)
+
+  [ Frans Spiesschaert ]
+  * debian/po/nl.po: Add Dutch translation of debconf messages
+    (Closes: #923328)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sat, 02 Mar 2019 12:33:08 -0300
+
 lxc (1:3.1.0+really3.0.3-4) unstable; urgency=medium
 
   [ Lev Lamberov ]
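Review bot: the -5 entry names the corrected file as /etc/default/lxc.conf, but the file changed in this debdiff is debian/contrib/default.conf, which both the NEWS entry and the unblock request call /etc/lxc/default.conf; fix the path so the changelog points readers at the right file. The -6 entry's "Tweaks the 0004 patch" would also be more useful if it stated the behaviour change (memfd re-execution made opt-in via LXC_MEMFD_REXEC for library callers and unconditional for lxc-attach, per the 0005 subject), since that is what users of the LXC bindings and LXD will notice.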
diff -Nru lxc-3.1.0+really3.0.3/debian/contrib/default.conf lxc-3.1.0+really3.0.3/debian/contrib/default.conf
--- lxc-3.1.0+really3.0.3/debian/contrib/default.conf	2019-02-11 22:59:58.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/contrib/default.conf	2019-03-09 12:54:41.000000000 +0100
@@ -1,3 +1,3 @@
-lxc.net.type = empty
+lxc.net.0.type = empty
 lxc.apparmor.profile = generated
 lxc.apparmor.allow_nesting = 1
diff -Nru lxc-3.1.0+really3.0.3/debian/liblxc1.symbols lxc-3.1.0+really3.0.3/debian/liblxc1.symbols
--- lxc-3.1.0+really3.0.3/debian/liblxc1.symbols	2019-02-16 16:21:29.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/liblxc1.symbols	2019-03-09 12:54:41.000000000 +0100
@@ -381,6 +381,7 @@
  lxc_remove_nic_by_idx@Base 1:3.0.2
  lxc_requests_empty_network@Base 1:3.0.2
  lxc_restore_phys_nics_to_netns@Base 1:3.0.2
+ lxc_rexec@Base 1:3.0.3
  lxc_ringbuf_create@Base 1:3.0.2
  lxc_ringbuf_move_read_addr@Base 1:3.0.2
  lxc_ringbuf_read@Base 1:3.0.2
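Review bot: the minimal version 1:3.0.3 on the new lxc_rexec@Base line is too low: 1:3.1.0+really3.0.3-4 (testing) and -5 both satisfy a generated dependency liblxc1 (>= 1:3.0.3) yet do not export the symbol, because patch 0004 as shipped in -4 declared it "static int lxc_rexec" (see the 0005 diff below, which removes the static). Use the version at which the symbol first becomes public, i.e. this upload (conventionally written with a trailing "~", e.g. 1:3.1.0+really3.0.3-6~), so that dpkg-shlibdeps produces a dependency testing's -4 cannot satisfy.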
diff -Nru lxc-3.1.0+really3.0.3/debian/NEWS lxc-3.1.0+really3.0.3/debian/NEWS
--- lxc-3.1.0+really3.0.3/debian/NEWS	2018-12-22 22:49:44.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/NEWS	2019-03-09 15:49:19.000000000 +0100
@@ -1,3 +1,35 @@
+lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium
+
+  LXC 3 got some significant changes from LXC 2.
+
+   1. The configuration files use different variables. A userland script
+      lxc-update-config is available to update automatically your
+      configuration files. An automatic update is possible and offered by
+      debconf during the upgrade of lxc version < 3.0.2 to lxc version >=
+      3.0.2. Mind that this update will only work for priviledged containers
+      with configurations present in /var/lib/lxc/*/config and any other
+      container will not be updated.
+   2. AppArmor support in Debian has increased, thus preventing some systemd
+      isolation features to work in LXC 3.0.X. Debian has backported some
+      patches from LXC 3.1 that, along with some configurations in a
+      container, will allow systemd isolation features to work.
+
+      The required configuration parameters are the ones which follow:
+        lxc.apparmor.profile = generated
+        lxc.apparmor.allow_nesting = 1
+
+      These parameters are provided in the `/etc/lxc/default.conf` file
+      shipped with LXC 3. Hence, any newly created container will have these
+      parameters set properly, execpt if you alter the forementionned file.
+   3. lxc-templates is deprecated by upstream. The new way of building
+      containers is via their distrobuilder software. This software isn't in
+      Debian Buster, and thus, we still provide lxc-templates. If you relied
+      on it (eg, with lxc.include parameter in some configuration file), you
+      should install lxc-templates in case it doesn't come by itself (via
+      recommends). Otherwise you may experience issues after the upgrade.
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Sat, 09 Mar 2019 13:09:05 +0100
+
 lxc (1:1.1.5-1) unstable; urgency=medium
 
   LXC before 1.1 did silently ignore lxc.aa_profile if the kernel did
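Review bot: the new NEWS text is shown to every upgrading administrator by apt-listchanges, so its spelling errors deserve a fix before the unblock: "priviledged" (item 1), "preventing some systemd isolation features to work" (should be "from working"), "execpt", "forementionned" and "recommends" in items 2 and 3 ("except", "aforementioned", "Recommends"). Item 1 could also say outright that unprivileged containers' configurations are not touched by the debconf-driven update and must be converted by running lxc-update-config by hand, which is what the debconf template (see the nl.po hunk) already tells the user.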
diff -Nru lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
--- lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch	2019-02-16 16:11:58.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch	2019-03-09 12:54:41.000000000 +0100
@@ -5,6 +5,10 @@
 Content-Type: text/plain; charset="utf-8"
 Content-Transfer-Encoding: 8bit
 
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
 Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the
 runC host binary from inside a privileged runC container. As a result, this
 could be exploited to gain root access on the host. runC is used as the default
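Review bot: the four added lines duplicate the MIME-Version, Content-Type and Content-Transfer-Encoding headers that already appear immediately above in the patch header; this looks like a gbp-pq / dpkg-source round-trip artifact rather than an intended change, and the same duplication shows up in the new 0005 patch. Drop the repeated block so the patch header stays a single set of headers.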
diff -Nru lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch
--- lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch	1970-01-01 01:00:00.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch	2019-03-09 12:54:41.000000000 +0100
@@ -0,0 +1,151 @@
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Tue, 12 Feb 2019 17:31:14 +0100
+Subject: rexec: make rexecution opt-in for library callers
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+We cannot rexecute the liblxc shared library unconditionally as this would
+break most of our downstreams. Here are some scenarios:
+- anyone performing a dlopen() on the shared library (e.g. users of the LXC
+  Python bindings)
+- LXD as it needs to know the absolute path to its own executable based on
+  /proc/self/exe etc.
+
+This commit makes the rexecution of liblxc conditional on whether the
+LXC_MEMFD_REXEC environment variable is set or not. If it is then liblxc is
+unconditionally rexecuted.
+
+The only relevant attack vector exists for lxc-attach which we simply reexecute
+unconditionally.
+
+Reported-by: Stéphane Graber <stgraber@ubuntu.com>
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/Makefile.am        |  4 +++-
+ src/lxc/rexec.c            |  4 ++--
+ src/lxc/rexec.h            | 26 ++++++++++++++++++++++++++
+ src/lxc/tools/lxc_attach.c | 18 ++++++++++++++++++
+ 4 files changed, 49 insertions(+), 3 deletions(-)
+ create mode 100644 src/lxc/rexec.h
+
+diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
+index 92779e0..5bfad9c 100644
+--- a/src/lxc/Makefile.am
++++ b/src/lxc/Makefile.am
+@@ -23,6 +23,7 @@ noinst_HEADERS = attach.h \
+ 		 monitor.h \
+ 		 namespace.h \
+ 		 raw_syscalls.h \
++		 rexec.h \
+ 		 start.h \
+ 		 state.h \
+ 		 storage/btrfs.h \
+@@ -174,7 +175,7 @@ liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h
+ endif
+ 
+ if ENFORCE_MEMFD_REXEC
+-liblxc_la_SOURCES += rexec.c
++liblxc_la_SOURCES += rexec.c rexec.h
+ endif
+ 
+ AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
+@@ -294,6 +295,7 @@ LDADD = liblxc.la \
+ 
+ if ENABLE_TOOLS
+ lxc_attach_SOURCES = tools/lxc_attach.c \
++		     rexec.c rexec.h \
+ 		     tools/arguments.c tools/arguments.h
+ lxc_autostart_SOURCES = tools/lxc_autostart.c \
+ 			tools/arguments.c tools/arguments.h
+diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
+index 396bd61..d944c8f 100644
+--- a/src/lxc/rexec.c
++++ b/src/lxc/rexec.c
+@@ -137,7 +137,7 @@ on_error:
+ 	errno = saved_errno;
+ }
+ 
+-static int lxc_rexec(const char *memfd_name)
++int lxc_rexec(const char *memfd_name)
+ {
+ 	int ret;
+ 	char **argv = NULL, **envp = NULL;
+@@ -174,7 +174,7 @@ static int lxc_rexec(const char *memfd_name)
+  */
+ __attribute__((constructor)) static void liblxc_rexec(void)
+ {
+-	if (lxc_rexec("liblxc")) {
++	if (getenv("LXC_MEMFD_REXEC") && lxc_rexec("liblxc")) {
+ 		fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n");
+ 		_exit(EXIT_FAILURE);
+ 	}
+diff --git a/src/lxc/rexec.h b/src/lxc/rexec.h
+new file mode 100644
+index 0000000..088ded9
+--- /dev/null
++++ b/src/lxc/rexec.h
+@@ -0,0 +1,26 @@
++/* liblxcapi
++ *
++ * Copyright © 2019 Christian Brauner <christian.brauner@ubuntu.com>.
++ * Copyright © 2019 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this library; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
++ */
++
++#ifndef __LXC_REXEC_H
++#define __LXC_REXEC_H
++
++extern int lxc_rexec(const char *memfd_name);
++
++#endif /* __LXC_REXEC_H */
+diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
+index 8c8e7d3..80b3693 100644
+--- a/src/lxc/tools/lxc_attach.c
++++ b/src/lxc/tools/lxc_attach.c
+@@ -44,10 +44,28 @@
+ #include "config.h"
+ #include "confile.h"
+ #include "log.h"
++#include "rexec.h"
+ #include "utils.h"
+ 
+ lxc_log_define(lxc_attach, lxc);
+ 
++/**
++ * This function will copy any binary that calls liblxc into a memory file and
++ * will use the memfd to rexecute the binary. This is done to prevent attacks
++ * through the /proc/self/exe symlink to corrupt the host binary when host and
++ * container are in the same user namespace or have set up an identity id
++ * mapping: CVE-2019-5736.
++ */
++#ifdef ENFORCE_MEMFD_REXEC
++__attribute__((constructor)) static void lxc_attach_rexec(void)
++{
++	if (!getenv("LXC_MEMFD_REXEC") && lxc_rexec("lxc-attach")) {
++		fprintf(stderr, "Failed to re-execute lxc-attach via memory file descriptor\n");
++		_exit(EXIT_FAILURE);
++	}
++}
++#endif
++
+ static int my_parser(struct lxc_arguments *args, int c, char *arg);
+ static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
+ static bool stdfd_is_pty(void);
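Review bot: the two constructors gate on opposite values of LXC_MEMFD_REXEC (liblxc_rexec in rexec.c runs only when it is set, lxc_attach_rexec in lxc_attach.c only when it is not), so lxc-attach is re-executed from a memfd exactly once in either case, while other library callers such as LXD or the Python bindings are protected only if they opt in by setting the variable; a one-line comment in lxc_attach.c saying that the library constructor already handles the "set" case would stop the next reader from taking the inverted condition for a bug, and the opt-in default for library callers is worth spelling out in the changelog or NEWS. Two smaller points: rexec.c is now compiled into lxc-attach (Makefile.am, lxc_attach_SOURCES) as well as into liblxc, so the binary carries its own copy of lxc_rexec that interposes over the exported one; since rexec.h and the liblxc1.symbols entry make the symbol public, lxc-attach could link against the library's copy instead, provided ENFORCE_MEMFD_REXEC is always on for the Debian build. And the patch header repeats the MIME headers, as in 0004.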
diff -Nru lxc-3.1.0+really3.0.3/debian/patches/series lxc-3.1.0+really3.0.3/debian/patches/series
--- lxc-3.1.0+really3.0.3/debian/patches/series	2019-02-16 16:09:40.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/patches/series	2019-03-09 12:54:41.000000000 +0100
@@ -2,3 +2,4 @@
 0002-tests-add-test-for-generated-apparmor-profiles.patch
 0003-apparmor-allow-various-remount-bind-options.patch
 0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
+0005-rexec-make-rexecution-opt-in-for-library-callers.patch
diff -Nru lxc-3.1.0+really3.0.3/debian/po/nl.po lxc-3.1.0+really3.0.3/debian/po/nl.po
--- lxc-3.1.0+really3.0.3/debian/po/nl.po	1970-01-01 01:00:00.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/po/nl.po	2019-03-09 12:54:41.000000000 +0100
@@ -0,0 +1,58 @@
+# Dutch translation of lxc debconf templates.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the lxc package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2019.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: lxc_1_3.1.0+really3.0.3-2\n"
+"Report-Msgid-Bugs-To: lxc@packages.debian.org\n"
+"POT-Creation-Date: 2018-11-29 22:19+0100\n"
+"PO-Revision-Date: 2019-02-12 16:38+0100\n"
+"Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
+"Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
+"Language: nl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Gtranslator 2.91.7\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "Auto update lxc2 configuration format to lxc3?"
+msgstr "De lxc2-configuratie-indeling automatisch updaten naar lxc3?"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid ""
+"LXC 3 comes with many changes for containers' configuration files. It also "
+"comes with a binary `/usr/bin/lxc-update-config` that allows one to update "
+"his configuration."
+msgstr ""
+"Met ingang van LXC 3 werden verschillende wijzigingen aangebracht aan de "
+"configuratiebestanden van containers. LXC 3 bevat ook een uitvoerbaar "
+"bestand `/usr/bin/lxc-update-config` waarmee men zijn configuratie kan "
+"updaten."
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "This job can be done either automatically now or manually later."
+msgstr ""
+"Deze taak kan ofwel nu automatisch uitgevoerd worden of later handmatig "
+"gebeuren."
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid ""
+"Unpriviledged containers configurations will have to be updated manually "
+"either way via the `/usr/bin/lxc-update-config` command."
+msgstr ""
+"De configuraties van niet-geprivilegieerde containers zullen hoe dan ook "
+"manueel bijgewerkt moeten worden via het commando `/usr/bin/lxc-update-"
+"config`."
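Review bot: the header still carries the unfilled template lines "Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER" and "FIRST AUTHOR <EMAIL@ADDRESS>, YEAR" next to the real translator credit; fill them in or drop them. The msgid "Unpriviledged containers configurations will have to be updated manually ..." has a spelling error ("Unprivileged containers' configurations") inherited from debian/templates; correcting it there would fuzzy this and every other translation, so it is reasonable to defer until after the freeze, but file a bug or changelog note so it is not lost.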

--- End Message ---
--- Begin Message ---
Unblocked lxc.

--- End Message ---
