authorpsykose <alice@ayaya.dev>2023-01-15 13:00:40 +0000
committerpsykose <alice@ayaya.dev>2023-01-15 14:03:00 +0100
commit0908f75b50641197a35488bc761ed3abf7238a09 (patch)
treeeff96cef3e58d30278b0bad5f8bff9abcf859c4e
parent3af361de72f60c2a16d072d12c2411b572a1e789 (diff)
main/lxc: mitigate CVE-2022-47952
-rw-r--r--main/lxc/APKBUILD6
-rw-r--r--main/lxc/CVE-2022-47952.patch71
2 files changed, 76 insertions, 1 deletions
diff --git a/main/lxc/APKBUILD b/main/lxc/APKBUILD
index 7a7686974ba..e2be8269c38 100644
--- a/main/lxc/APKBUILD
+++ b/main/lxc/APKBUILD
@@ -4,7 +4,7 @@
pkgname=lxc
pkgver=4.0.12
_pkgver=${pkgver/_rc/.rc}
-pkgrel=1
+pkgrel=2
pkgdesc="Userspace interface for the Linux kernel containment features"
url="https://linuxcontainers.org/lxc/"
arch="all"
@@ -42,11 +42,14 @@ subpackages="
"
source="https://linuxcontainers.org/downloads/lxc/lxc-$_pkgver.tar.gz
+ CVE-2022-47952.patch
lxc.initd
lxc.confd
"
# secfixes:
+# 4.0.12-r2:
+# - CVE-2022-47952
# 3.1.0-r1:
# - CVE-2019-5736
# 2.1.1-r9:
@@ -169,6 +172,7 @@ bashcomp() {
sha512sums="
04437d9c891cd3a22f756c42f05e97398772587175d65aff9d394f0f3e810efc5c1fe7077c39573de3ec259e0605bc2a7ea51093613b2cef908372ae338df19d lxc-4.0.12.tar.gz
+d064ddfc234384d14bbf07ed7332d95622555e8bfb456ba4d2dfedc5c45c4860c928d67c4cc5597f8e6fb03eb5b0d7febc62c8291222f4b6644bf85c85085023 CVE-2022-47952.patch
db71783366277a68a5c8116604cf845da4780fe4aebdb5820ae2c4fe028cfe52a9c94246db362476f2f195be6a9c2b835edbe521423f116fc66eb50023d6daab lxc.initd
91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd
"
diff --git a/main/lxc/CVE-2022-47952.patch b/main/lxc/CVE-2022-47952.patch
new file mode 100644
index 00000000000..8ac5db881ab
--- /dev/null
+++ b/main/lxc/CVE-2022-47952.patch
@@ -0,0 +1,71 @@
+Patch-Source: https://github.com/lxc/lxc/commit/1b0469530d7a38b8f8990e114b52530d1bf7f3b8
+--
+From 1b0469530d7a38b8f8990e114b52530d1bf7f3b8 Mon Sep 17 00:00:00 2001
+From: Maher Azzouzi <maherazz04@gmail.com>
+Date: Sun, 25 Dec 2022 13:50:25 +0100
+Subject: [PATCH] Patching an incoming CVE (CVE-2022-47952)
+
+lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may
+allow local users to infer whether any file exists, even within a
+protected directory tree, because "Failed to open" often indicates
+that a file does not exist, whereas "does not refer to a network
+namespace path" often indicates that a file exists. NOTE: this is
+different from CVE-2018-6556 because the CVE-2018-6556 fix design was
+based on the premise that "we will report back to the user that the
+open() failed but the user has no way of knowing why it failed";
+however, in many realistic cases, there are no plausible reasons for
+failing except that the file does not exist.
+
+PoC:
+> % ls /l
+> ls: cannot open directory '/l': Permission denied
+> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/tt h h
+> cmd/lxc_user_nic.c: 1096: main: Failed to open "/l/h/tt" <----- file does not exist.
+> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/t h h
+> cmd/lxc_user_nic.c: 1101: main: Path "/l/h/t" does not refer to a network namespace path <---- file exist!
+
+Signed-off-by: MaherAzzouzi <maherazz04@gmail.com>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+---
+ src/lxc/cmd/lxc_user_nic.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index a91e2259d5..69bc6f17d1 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1085,20 +1085,17 @@ int main(int argc, char *argv[])
+ } else if (request == LXC_USERNIC_DELETE) {
+ char opath[LXC_PROC_PID_FD_LEN];
+
+- /* Open the path with O_PATH which will not trigger an actual
+- * open(). Don't report an errno to the caller to not leak
+- * information whether the path exists or not.
+- * When stracing setuid is stripped so this is not a concern
+- * either.
+- */
++ // Keep in mind CVE-2022-47952: It's crucial not to leak any
++ // information whether open() succeeded of failed.
++
+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ if (netns_fd < 0) {
+- usernic_error("Failed to open \"%s\"\n", args.pid);
++ usernic_error("Failed while opening netns file for \"%s\"\n", args.pid);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
+- usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++ usernic_error("Failed while opening netns file for \"%s\"\n", args.pid);
+ close(netns_fd);
+ _exit(EXIT_FAILURE);
+ }
+@@ -1112,7 +1109,7 @@ int main(int argc, char *argv[])
+ /* Now get an fd that we can use in setns() calls. */
+ ret = open(opath, O_RDONLY | O_CLOEXEC);
+ if (ret < 0) {
+- CMD_SYSERROR("Failed to open \"%s\"\n", args.pid);
++ CMD_SYSERROR("Failed while opening netns file for \"%s\"\n", args.pid);
+ close(netns_fd);
+ _exit(EXIT_FAILURE);
+ }
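Review bot: Making the two message texts identical does not fully close the existence oracle, because the prefix that usernic_error prints still embeds the emitting source line — the PoC output quoted above shows `cmd/lxc_user_nic.c: 1096: main:` versus `cmd/lxc_user_nic.c: 1101: main:` — so the open() failure and the fhas_fs_type() failure remain distinguishable by that number after this patch. The remaining difference can be removed by reporting both conditions from a single statement, as sketched below; the third site under CMD_SYSERROR is only reached after the nsfs check passed, though if that macro appends errno text as its name suggests it still discloses more than the other two. The added comment also has a typo, `succeeded of failed` → `succeeded or failed`. The enclosing `main` starts and ends outside the hunk, and this file is a vendored upstream patch, so such a change belongs upstream or in a follow-up patch rather than in an edit of this hunk.
```c
netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
if (netns_fd < 0 || !fhas_fs_type(netns_fd, NSFS_MAGIC)) {
	/* One exit for both conditions: same text from the same __LINE__,
	 * so the message prefix cannot tell "missing" from "not a netns". */
	usernic_error("Failed while opening netns file for \"%s\"\n", args.pid);
	if (netns_fd >= 0)
		close(netns_fd);
	_exit(EXIT_FAILURE);
}
// … unchanged: opath construction and the second open() …
```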