Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-lxc-devel@lists.alioth.debian.org, gibmat@debian.org
Control: affects -1 + src:lxc

[ Reason ]
The version of lxc in bullseye is affected by the low-severity CVE-2022-47952, which was fixed in the recent release of lxc 5.0.2 (uploaded to unstable yesterday). As the fix was trivial to apply to the version of lxc in bullseye, I think it would be beneficial to include it in the next point release.

[ Impact ]
Affected versions of lxc suffer a minor information leak which allows a local user to infer whether any file exists, even within a protected directory tree.

[ Tests ]
A manual proof-of-concept test is provided in the upstream commit fixing this issue.

[ Risks ]
There are no changes to any of the logic of lxc; the error messages which are returned are modified to be identical in every error case, preventing the information leak.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport upstream commit 1b0469530d7a38b8f8990e114b52530d1bf7f3b8, which fixes CVE-2022-47952. (The line numbers in the diff shifted slightly, otherwise no changes to the patch.)

[ Other info ]
The source debdiff is attached.
diff -Nru lxc-4.0.6/debian/changelog lxc-4.0.6/debian/changelog --- lxc-4.0.6/debian/changelog 2022-01-13 19:57:39.000000000 +0000 +++ lxc-4.0.6/debian/changelog 2023-01-18 02:53:46.000000000 +0000 @@ -1,3 +1,9 @@ +lxc (1:4.0.6-2+deb11u2) bullseye; urgency=medium + + * Backport fix for CVE-2022-47952 + + -- Mathias Gibbens <gibmat@debian.org> Wed, 18 Jan 2023 02:53:46 +0000 + lxc (1:4.0.6-2+deb11u1) bullseye; urgency=medium * lxc-download: Switch GPG server. diff -Nru lxc-4.0.6/debian/patches/fix-CVE-2022-47952.patch lxc-4.0.6/debian/patches/fix-CVE-2022-47952.patch --- lxc-4.0.6/debian/patches/fix-CVE-2022-47952.patch 1970-01-01 00:00:00.000000000 +0000 +++ lxc-4.0.6/debian/patches/fix-CVE-2022-47952.patch 2023-01-18 02:53:23.000000000 +0000 
@@ -0,0 +1,69 @@ +From 1b0469530d7a38b8f8990e114b52530d1bf7f3b8 Mon Sep 17 00:00:00 2001 +From: Maher Azzouzi <maherazz04@gmail.com> +Date: Sun, 25 Dec 2022 13:50:25 +0100 +Subject: [PATCH] Patching an incoming CVE (CVE-2022-47952) + +lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may +allow local users to infer whether any file exists, even within a +protected directory tree, because "Failed to open" often indicates +that a file does not exist, whereas "does not refer to a network +namespace path" often indicates that a file exists. NOTE: this is +different from CVE-2018-6556 because the CVE-2018-6556 fix design was +based on the premise that "we will report back to the user that the +open() failed but the user has no way of knowing why it failed"; +however, in many realistic cases, there are no plausible reasons for +failing except that the file does not exist. + +PoC: +> % ls /l +> ls: cannot open directory '/l': Permission denied +> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/tt h h +> cmd/lxc_user_nic.c: 1096: main: Failed to open "/l/h/tt" <----- file does not exist. +> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/t h h +> cmd/lxc_user_nic.c: 1101: main: Path "/l/h/t" does not refer to a network namespace path <---- file exist! + +Signed-off-by: MaherAzzouzi <maherazz04@gmail.com> +Acked-by: Serge Hallyn <serge@hallyn.com> +--- + src/lxc/cmd/lxc_user_nic.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c +index a91e2259d5..69bc6f17d1 100644 +--- a/src/lxc/cmd/lxc_user_nic.c ++++ b/src/lxc/cmd/lxc_user_nic.c +@@ -1088,20 +1088,17 @@ int main(int argc, char *argv[]) + } else if (request == LXC_USERNIC_DELETE) { + char opath[LXC_PROC_PID_FD_LEN]; + +- /* Open the path with O_PATH which will not trigger an actual +- * open(). 
Don't report an errno to the caller to not leak +- * information whether the path exists or not. +- * When stracing setuid is stripped so this is not a concern +- * either. +- */ ++ // Keep in mind CVE-2022-47952: It's crucial not to leak any ++ // information whether open() succeeded of failed. ++ + netns_fd = open(args.pid, O_PATH | O_CLOEXEC); + if (netns_fd < 0) { +- usernic_error("Failed to open \"%s\"\n", args.pid); ++ usernic_error("Failed while opening netns file for \"%s\"\n", args.pid); + _exit(EXIT_FAILURE); + } + + if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { +- usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); ++ usernic_error("Failed while opening netns file for \"%s\"\n", args.pid); + close(netns_fd); + _exit(EXIT_FAILURE); + } +@@ -1115,7 +1112,7 @@ int main(int argc, char *argv[]) + /* Now get an fd that we can use in setns() calls. */ + ret = open(opath, O_RDONLY | O_CLOEXEC); + if (ret < 0) { +- CMD_SYSERROR("Failed to open \"%s\"\n", args.pid); ++ CMD_SYSERROR("Failed while opening netns file for \"%s\"\n", args.pid); + close(netns_fd); + _exit(EXIT_FAILURE); + } diff -Nru lxc-4.0.6/debian/patches/series lxc-4.0.6/debian/patches/series --- lxc-4.0.6/debian/patches/series 2022-01-13 19:57:39.000000000 +0000 +++ lxc-4.0.6/debian/patches/series 2023-01-18 02:52:02.000000000 +0000 @@ -3,3 +3,4 @@ 0006-lxc.pc.in-removes-DLOG_LIBS-which-is-not-expanded-up.patch 0007-conf-fix-containers-retaining-CAP_NET_ADMIN.patch 0005-lxc-download-Switch-GPG-server.patch +fix-CVE-2022-47952.patch
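Review bot: the debian/changelog entry "Backport fix for CVE-2022-47952" does not say what the CVE is; Debian changelog entries for security fixes normally carry a one-line description so the entry is meaningful without looking the CVE up. Suggest "* Backport upstream fix for CVE-2022-47952: lxc-user-nic error messages allowed a local user to infer whether an arbitrary path exists", which also matches the [ Impact ] text of this request.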
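Review bot: in the @@ -1088,20 +1088,17 @@ hunk of src/lxc/cmd/lxc_user_nic.c the replacement comment reads "succeeded of failed"; it should read "succeeded or failed", and the two new `//` lines break with the `/* ... */` block-comment style used by the comment they replace and by the "Now get an fd" comment in the following hunk. Since the cover note says the upstream patch is applied unchanged apart from line offsets, this is an upstream wart rather than a backport error, but it is cheap to carry a corrected comment in the Debian patch or send the fix upstream. The substantive change in this hunk is sound: both the open() failure and the `fhas_fs_type(netns_fd, NSFS_MAGIC)` failure now emit the same `usernic_error` string, so the two cases described in the commit message are no longer distinguishable by message text.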
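Review bot: in the @@ -1115,7 +1112,7 @@ hunk the third site uses `CMD_SYSERROR` rather than `usernic_error`, so if that macro appends errno/strerror text the three messages are not literally "identical in every error case" as the [ Risks ] section states. This site is only reached after the O_PATH open and the NSFS_MAGIC check have both succeeded, so it cannot reveal whether the caller-supplied path exists, which is the property the CVE is about; the cover note should say that precisely (identical messages on the two existence-sensitive paths) rather than claiming all error messages are identical.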