[pkg-lxc-devel] Bug#924427: unblock: lxc/1:3.1.0+really3.0.3-4
Pierre-Elliott Bécue
peb at debian.org
Tue Mar 12 21:25:53 GMT 2019
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Dear Release Managers,
I'd like to ask you to please unblock package lxc version
1:3.1.0+really3.0.3-6 currently lying in unstable, so it replaces lxc
version 1:3.1.0+really3.0.3-4 currently in testing.
Indeed, Antonio Terceiro did an upload for 1:3.1.0+really3.0.3-5 in
unstable on March the 2nd, with changes regarding the Debconf translation in
Dutch (see bug #923328 [0]) and another change to fix an issue I
introduced in the provided `/etc/lxc/default.conf` file, which made it
not usable without a fix by the end user (see bug #923395 [1]).
Although these changes should have reached testing before the freeze, I
realized that the changes I've made for 1:3.1.0+really3.0.3-4 to fix a CVE
introduced some anomalies due to the upstream patch not being enough (see
bug #923932 [2]), and that I forgot to update debian/NEWS with proper
instructions regarding the breaking changes from LXC2 to 3. (explain the
reason for the unblock here)
Hence I did a 1:3.1.0+really3.0.3-6 upload in unstable to include these
changes, and it reset the counter for -5.
Attached is a debdiff between testing and unstable.
Thanks a lot for considering such an unblock.
With best regards,
unblock lxc/1:3.1.0+really3.0.3-4
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru lxc-3.1.0+really3.0.3/debian/changelog lxc-3.1.0+really3.0.3/debian/changelog
--- lxc-3.1.0+really3.0.3/debian/changelog 2019-02-16 16:21:41.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/changelog 2019-03-09 15:49:21.000000000 +0100
@@ -1,3 +1,22 @@
+lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium
+
+ * d/patches/0005: Tweaks the 0004 patch for CVE-2019-5736 (Closes: #923932)
+ * d/NEWS: summary of the important changes since LXC2.
+
+ -- Pierre-Elliott Bécue <peb at debian.org> Sat, 09 Mar 2019 15:49:21 +0100
+
+lxc (1:3.1.0+really3.0.3-5) unstable; urgency=medium
+
+ [ Christian Kastner ]
+ * /etc/default/lxc.conf Change back to lxc.net.0.type
+ (Closes: #923395)
+
+ [ Frans Spiesschaert ]
+ * debian/po/nl.po: Add Dutch translation of debconf messages
+ (Closes: #923328)
+
+ -- Antonio Terceiro <terceiro at debian.org> Sat, 02 Mar 2019 12:33:08 -0300
+
lxc (1:3.1.0+really3.0.3-4) unstable; urgency=medium
[ Lev Lamberov ]
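Review bot: the -5 entry "/etc/default/lxc.conf Change back to lxc.net.0.type" names the wrong file: the only config change in this debdiff is to debian/contrib/default.conf, which the cover mail and the NEWS entry both identify as the shipped `/etc/lxc/default.conf`, and nothing under /etc/default is touched. Since the changelog is being extended for -6 anyway, the path in the -5 entry could be corrected so that anyone chasing #923395 lands on the right file. In the -6 entry, "Tweaks the 0004 patch" would be more useful as a one-line statement of what changed (re-execution becomes opt-in for library callers, per the 0005 patch subject).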
diff -Nru lxc-3.1.0+really3.0.3/debian/contrib/default.conf lxc-3.1.0+really3.0.3/debian/contrib/default.conf
--- lxc-3.1.0+really3.0.3/debian/contrib/default.conf 2019-02-11 22:59:58.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/contrib/default.conf 2019-03-09 12:54:41.000000000 +0100
@@ -1,3 +1,3 @@
-lxc.net.type = empty
+lxc.net.0.type = empty
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
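Review bot: `lxc.net.type` without a network index is not a valid LXC 3 key, so every container created from the shipped default got a config that LXC rejected until the user edited it (that is #923395); `lxc.net.0.type = empty` is the indexed form LXC 3 expects. The unchanged context also shows that this file sets `lxc.apparmor.allow_nesting = 1` for every new container; the NEWS entry explains it as required for systemd's isolation features, and that one-line rationale belongs in this file as a comment too, since users who edit /etc/lxc/default.conf will not necessarily read NEWS before loosening or tightening it.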
diff -Nru lxc-3.1.0+really3.0.3/debian/liblxc1.symbols lxc-3.1.0+really3.0.3/debian/liblxc1.symbols
--- lxc-3.1.0+really3.0.3/debian/liblxc1.symbols 2019-02-16 16:21:29.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/liblxc1.symbols 2019-03-09 12:54:41.000000000 +0100
@@ -381,6 +381,7 @@
lxc_remove_nic_by_idx at Base 1:3.0.2
lxc_requests_empty_network at Base 1:3.0.2
lxc_restore_phys_nics_to_netns at Base 1:3.0.2
+ lxc_rexec at Base 1:3.0.3
lxc_ringbuf_create at Base 1:3.0.2
lxc_ringbuf_move_read_addr at Base 1:3.0.2
lxc_ringbuf_read at Base 1:3.0.2
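Review bot: `lxc_rexec at Base 1:3.0.3` exists in liblxc only when the library is built with ENFORCE_MEMFD_REXEC (patch 0005 adds rexec.c to liblxc_la_SOURCES inside that conditional), so a build without the option would fail dpkg-gensymbols on the missing symbol; if the option is always enabled in debian/rules, a comment saying so would help, otherwise the entry should be marked optional. The entry also promotes what used to be a `static` helper into liblxc's public ABI under a 1:3.0.3 version that comes from a Debian patch rather than an upstream release, which a future rebase onto upstream 3.1 (where the symbol may or may not be exported) will have to reconcile; a note in the changelog would make that visible.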
diff -Nru lxc-3.1.0+really3.0.3/debian/NEWS lxc-3.1.0+really3.0.3/debian/NEWS
--- lxc-3.1.0+really3.0.3/debian/NEWS 2018-12-22 22:49:44.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/NEWS 2019-03-09 15:49:19.000000000 +0100
@@ -1,3 +1,35 @@
+lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium
+
+ LXC 3 got some significant changes from LXC 2.
+
+ 1. The configuration files use different variables. A userland script
+ lxc-update-config is available to update automatically your
+ configuration files. An automatic update is possible and offered by
+ debconf during the upgrade of lxc version < 3.0.2 to lxc version >=
+ 3.0.2. Mind that this update will only work for priviledged containers
+ with configurations present in /var/lib/lxc/*/config and any other
+ container will not be updated.
+ 2. AppArmor support in Debian has increased, thus preventing some systemd
+ isolation features to work in LXC 3.0.X. Debian has backported some
+ patches from LXC 3.1 that, along with some configurations in a
+ container, will allow systemd isolation features to work.
+
+ The required configuration parameters are the ones which follow:
+ lxc.apparmor.profile = generated
+ lxc.apparmor.allow_nesting = 1
+
+ These parameters are provided in the `/etc/lxc/default.conf` file
+ shipped with LXC 3. Hence, any newly created container will have these
+ parameters set properly, execpt if you alter the forementionned file.
+ 3. lxc-templates is deprecated by upstream. The new way of building
+ containers is via their distrobuilder software. This software isn't in
+ Debian Buster, and thus, we still provide lxc-templates. If you relied
+ on it (eg, with lxc.include parameter in some configuration file), you
+ should install lxc-templates in case it doesn't come by itself (via
+ recommends). Otherwise you may experience issues after the upgrade.
+
+ -- Pierre-Elliott Bécue <peb at debian.org> Sat, 09 Mar 2019 13:09:05 +0100
+
lxc (1:1.1.5-1) unstable; urgency=medium
LXC before 1.1 did silently ignore lxc.aa_profile if the kernel did
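Review bot: spelling in the new entry: "priviledged" (item 1), "execpt" and "forementionned" (item 2) should read "privileged", "except" and "aforementioned", and "update automatically your configuration files" reads better as "automatically update your configuration files". In item 1 the limit "only work for privileged containers with configurations present in /var/lib/lxc/*/config" is the part an administrator must act on (every other container keeps its LXC 2 config and needs `lxc-update-config` run by hand), so it deserves its own sentence rather than a trailing "Mind that" clause. The two `lxc.apparmor.*` lines in item 2 would be clearer indented as a block below the sentence that introduces them, and the entry mixes "LXC2" and "LXC 2".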
diff -Nru lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
--- lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch 2019-02-16 16:11:58.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/patches/0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch 2019-03-09 12:54:41.000000000 +0100
@@ -5,6 +5,10 @@
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the
runC host binary from inside a privileged runC container. As a result, this
could be exploited to gain root access on the host. runC is used as the default
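Review bot: the four added lines repeat the MIME-Version / Content-Type / Content-Transfer-Encoding headers that the unchanged context already carries directly above, so the patch header now holds the block twice. This looks like an artifact of re-exporting the patch (gbp pq or quilt refresh) rather than an intended change, and the same doubled block appears in the header of the new 0005 patch, right after its Subject: line. It is harmless to quilt, but it is noise in a CVE patch and should be dropped before upload.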
diff -Nru lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch
--- lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch 1970-01-01 01:00:00.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/patches/0005-rexec-make-rexecution-opt-in-for-library-callers.patch 2019-03-09 12:54:41.000000000 +0100
@@ -0,0 +1,151 @@
+From: Christian Brauner <christian.brauner at ubuntu.com>
+Date: Tue, 12 Feb 2019 17:31:14 +0100
+Subject: rexec: make rexecution opt-in for library callers
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+We cannot rexecute the liblxc shared library unconditionally as this would
+break most of our downstreams. Here are some scenarios:
+- anyone performing a dlopen() on the shared library (e.g. users of the LXC
+ Python bindings)
+- LXD as it needs to know the absolute path to its own executable based on
+ /proc/self/exe etc.
+
+This commit makes the rexecution of liblxc conditional on whether the
+LXC_MEMFD_REXEC environment variable is set or not. If it is then liblxc is
+unconditionally rexecuted.
+
+The only relevant attack vector exists for lxc-attach which we simply reexecute
+unconditionally.
+
+Reported-by: Stéphane Graber <stgraber at ubuntu.com>
+Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
+---
+ src/lxc/Makefile.am | 4 +++-
+ src/lxc/rexec.c | 4 ++--
+ src/lxc/rexec.h | 26 ++++++++++++++++++++++++++
+ src/lxc/tools/lxc_attach.c | 18 ++++++++++++++++++
+ 4 files changed, 49 insertions(+), 3 deletions(-)
+ create mode 100644 src/lxc/rexec.h
+
+diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
+index 92779e0..5bfad9c 100644
+--- a/src/lxc/Makefile.am
++++ b/src/lxc/Makefile.am
+@@ -23,6 +23,7 @@ noinst_HEADERS = attach.h \
+ monitor.h \
+ namespace.h \
+ raw_syscalls.h \
++ rexec.h \
+ start.h \
+ state.h \
+ storage/btrfs.h \
+@@ -174,7 +175,7 @@ liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h
+ endif
+
+ if ENFORCE_MEMFD_REXEC
+-liblxc_la_SOURCES += rexec.c
++liblxc_la_SOURCES += rexec.c rexec.h
+ endif
+
+ AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
+@@ -294,6 +295,7 @@ LDADD = liblxc.la \
+
+ if ENABLE_TOOLS
+ lxc_attach_SOURCES = tools/lxc_attach.c \
++ rexec.c rexec.h \
+ tools/arguments.c tools/arguments.h
+ lxc_autostart_SOURCES = tools/lxc_autostart.c \
+ tools/arguments.c tools/arguments.h
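Review bot: `rexec.c rexec.h` is added to lxc_attach_SOURCES unconditionally, whereas the liblxc addition in the hunk above sits inside `if ENFORCE_MEMFD_REXEC` and the constructor added to tools/lxc_attach.c is under `#ifdef ENFORCE_MEMFD_REXEC`. With the option off, lxc-attach still compiles rexec.c, including its own `liblxc_rexec` constructor; with it on, `lxc_rexec` ends up defined in both liblxc and the executable. Either wrap this line in the same `if ENFORCE_MEMFD_REXEC` or drop it and call the symbol that liblxc now exports (the symbols file is being updated for exactly that).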
+diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
+index 396bd61..d944c8f 100644
+--- a/src/lxc/rexec.c
++++ b/src/lxc/rexec.c
+@@ -137,7 +137,7 @@ on_error:
+ errno = saved_errno;
+ }
+
+-static int lxc_rexec(const char *memfd_name)
++int lxc_rexec(const char *memfd_name)
+ {
+ int ret;
+ char **argv = NULL, **envp = NULL;
+@@ -174,7 +174,7 @@ static int lxc_rexec(const char *memfd_name)
+ */
+ __attribute__((constructor)) static void liblxc_rexec(void)
+ {
+- if (lxc_rexec("liblxc")) {
++ if (getenv("LXC_MEMFD_REXEC") && lxc_rexec("liblxc")) {
+ fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n");
+ _exit(EXIT_FAILURE);
+ }
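Review bot: this constructor now re-executes liblxc only when LXC_MEMFD_REXEC is set, while the lxc_attach.c hunk below re-executes only when it is not set, so one variable drives the two constructors in opposite directions; a comment here stating the convention (set: library callers opt in; unset: the tools protect themselves) would spare the next reader from having to read both files. The hunk also does not show what stops a process that already runs from the memfd from re-executing again while the variable stays in its environment; if `lxc_rexec` detects that case itself, say so in the comment, because both callers depend on it.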
+diff --git a/src/lxc/rexec.h b/src/lxc/rexec.h
+new file mode 100644
+index 0000000..088ded9
+--- /dev/null
++++ b/src/lxc/rexec.h
+@@ -0,0 +1,26 @@
++/* liblxcapi
++ *
++ * Copyright © 2019 Christian Brauner <christian.brauner at ubuntu.com>.
++ * Copyright © 2019 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this library; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ */
++
++#ifndef __LXC_REXEC_H
++#define __LXC_REXEC_H
++
++extern int lxc_rexec(const char *memfd_name);
++
++#endif /* __LXC_REXEC_H */
+diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
+index 8c8e7d3..80b3693 100644
+--- a/src/lxc/tools/lxc_attach.c
++++ b/src/lxc/tools/lxc_attach.c
+@@ -44,10 +44,28 @@
+ #include "config.h"
+ #include "confile.h"
+ #include "log.h"
++#include "rexec.h"
+ #include "utils.h"
+
+ lxc_log_define(lxc_attach, lxc);
+
++/**
++ * This function will copy any binary that calls liblxc into a memory file and
++ * will use the memfd to rexecute the binary. This is done to prevent attacks
++ * through the /proc/self/exe symlink to corrupt the host binary when host and
++ * container are in the same user namespace or have set up an identity id
++ * mapping: CVE-2019-5736.
++ */
++#ifdef ENFORCE_MEMFD_REXEC
++__attribute__((constructor)) static void lxc_attach_rexec(void)
++{
++ if (!getenv("LXC_MEMFD_REXEC") && lxc_rexec("lxc-attach")) {
++ fprintf(stderr, "Failed to re-execute lxc-attach via memory file descriptor\n");
++ _exit(EXIT_FAILURE);
++ }
++}
++#endif
++
+ static int my_parser(struct lxc_arguments *args, int c, char *arg);
+ static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
+ static bool stdfd_is_pty(void);
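Review bot: the commit message says lxc-attach is "simply reexecute[d] unconditionally", but this constructor skips the re-execution whenever LXC_MEMFD_REXEC is set and delegates to liblxc's constructor. That only holds when liblxc was itself built with ENFORCE_MEMFD_REXEC; an lxc-attach run with the variable set against a liblxc built without it gets no memfd protection at all, which is the opposite of what a user setting the variable expects. Dropping the `!getenv("LXC_MEMFD_REXEC")` test, provided `lxc_rexec` is a no-op once the process already runs from the memfd, would make the tool match the message and keep its protection independent of how the library was configured. The doc comment above the function still says it copies "any binary that calls liblxc"; here it only covers lxc-attach.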
diff -Nru lxc-3.1.0+really3.0.3/debian/patches/series lxc-3.1.0+really3.0.3/debian/patches/series
--- lxc-3.1.0+really3.0.3/debian/patches/series 2019-02-16 16:09:40.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/patches/series 2019-03-09 12:54:41.000000000 +0100
@@ -2,3 +2,4 @@
0002-tests-add-test-for-generated-apparmor-profiles.patch
0003-apparmor-allow-various-remount-bind-options.patch
0004-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
+0005-rexec-make-rexecution-opt-in-for-library-callers.patch
diff -Nru lxc-3.1.0+really3.0.3/debian/po/nl.po lxc-3.1.0+really3.0.3/debian/po/nl.po
--- lxc-3.1.0+really3.0.3/debian/po/nl.po 1970-01-01 01:00:00.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/po/nl.po 2019-03-09 12:54:41.000000000 +0100
@@ -0,0 +1,58 @@
+# Dutch translation of lxc debconf templates.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the lxc package.
+# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
+# Frans Spiesschaert <Frans.Spiesschaert at yucom.be>, 2019.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: lxc_1_3.1.0+really3.0.3-2\n"
+"Report-Msgid-Bugs-To: lxc at packages.debian.org\n"
+"POT-Creation-Date: 2018-11-29 22:19+0100\n"
+"PO-Revision-Date: 2019-02-12 16:38+0100\n"
+"Last-Translator: Frans Spiesschaert <Frans.Spiesschaert at yucom.be>\n"
+"Language-Team: Debian Dutch l10n Team <debian-l10n-dutch at lists.debian.org>\n"
+"Language: nl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Gtranslator 2.91.7\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "Auto update lxc2 configuration format to lxc3?"
+msgstr "De lxc2-configuratie-indeling automatisch updaten naar lxc3?"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid ""
+"LXC 3 comes with many changes for containers' configuration files. It also "
+"comes with a binary `/usr/bin/lxc-update-config` that allows one to update "
+"his configuration."
+msgstr ""
+"Met ingang van LXC 3 werden verschillende wijzigingen aangebracht aan de "
+"configuratiebestanden van containers. LXC 3 bevat ook een uitvoerbaar "
+"bestand `/usr/bin/lxc-update-config` waarmee men zijn configuratie kan "
+"updaten."
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "This job can be done either automatically now or manually later."
+msgstr ""
+"Deze taak kan ofwel nu automatisch uitgevoerd worden of later handmatig "
+"gebeuren."
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid ""
+"Unpriviledged containers configurations will have to be updated manually "
+"either way via the `/usr/bin/lxc-update-config` command."
+msgstr ""
+"De configuraties van niet-geprivilegieerde containers zullen hoe dan ook "
+"manueel bijgewerkt moeten worden via het commando `/usr/bin/lxc-update-"
+"config`."
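Review bot: the header keeps the pot template placeholders "Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER" and "FIRST AUTHOR <EMAIL at ADDRESS>, YEAR." above the real translator line; they should be filled in or removed. The English msgids also carry "Unpriviledged" and "allows one to update his configuration", which come from debian/templates rather than from the translator; fixing the template later will fuzzy every existing translation, so if a wording fix is planned it is cheapest before more languages land (the Dutch msgstr itself correctly reads "niet-geprivilegieerde").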