Docker has issued an advisory for runc and lxc:
https://www.openwall.com/lists/oss-security/2019/02/11/2

Patched package uploaded for Cauldron. It failed to build in Mageia 6, which makes no sense:
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190212002115.luigiwalser.duvel.6026/log/lxc-2.0.8-1.1.mga6/build.0.20190212002550.log

Advisory saved below.

Advisory:
========================

Updated lxc package fixes security vulnerability:

LXC allows attackers to overwrite the host LXC binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: a new container with an attacker-controlled image, or an existing container, to which the attacker previously had write access. This occurs because of file-descriptor mishandling, related to /proc/self/exe. This attack is only possible with privileged containers since it requires root privilege on the host to overwrite the binary.

References:
https://www.openwall.com/lists/oss-security/2019/02/11/2
(In reply to David Walser from comment #0)
> It failed to build in Mageia 6, which makes no sense:
> http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190212002115.luigiwalser.duvel.6026/log/lxc-2.0.8-1.1.mga6/build.0.20190212002550.log

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing tv, who submitted this package many times until 3 years ago.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, thierry.vignaud
Hi,

Patch 0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch says: "memfd_create() was added to the Linux kernel in the 3.17 release." but omits to say that "memfd_create()" is only supported by glibc since version 2.27.

I found in "src/lxc/conf.c" a definition of "memfd_create()" and in "src/lxc/cgroups/cgfsng.c" a definition of "must_realloc()". With my patch "lxc-2.0.8-mga-add-missing-functions.patch", "src/lxc/rexec.c" also includes those functions so lxc builds successfully.

I do not know if it is the good method so feel free to correct me if needed.

Best regards,

Nico.
CC: (none) => nicolas.salguero
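For readers hitting the same build problem, here is an added example (not code from this bug report, from LXC, or from the Mageia patch) of the two pieces the discussion above turns on: a compat shim that uses the glibc memfd_create() wrapper where glibc is 2.27 or newer and falls back to the raw syscall on older glibc such as Mageia 6's, and a sealed memfd round trip, which is the mechanism the upstream fix relies on so that a process's /proc/self/exe refers to an immutable in-memory copy rather than the writable host binary. It assumes Linux with a 3.17+ kernel; the names compat_memfd_create and sealed_memfd_roundtrip are hypothetical, and the sample input is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* MFD_* flags and the sealing fcntl commands are only declared by newer
   headers; the kernel ABI values are stable, so define them if missing. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001U
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif

/* Hypothetical compat shim (assumption: not LXC's own code).  glibc gained a
   memfd_create() wrapper in 2.27; before that the symbol is absent even
   though the kernel (>= 3.17) implements the syscall, so go through
   syscall(2) using __NR_memfd_create from the kernel headers. */
static int compat_memfd_create(const char *name, unsigned int flags)
{
#if defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 27))
    return memfd_create(name, flags);
#elif defined(__NR_memfd_create)
    return (int)syscall(__NR_memfd_create, name, flags);
#else
    (void)name; (void)flags;
    errno = ENOSYS;
    return -1;
#endif
}

/* Write the whole buffer, retrying on short writes and EINTR. */
static int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Copy `len` bytes of `data` into a fresh memfd, seal it, and verify that the
   kernel now refuses modification while the contents stay readable.
   Returns 0 on success or a negative step number for the first failed step. */
int sealed_memfd_roundtrip(const void *data, size_t len)
{
    int rc = -1, seals;
    unsigned char *back = NULL;
    int fd = compat_memfd_create("sealed-copy", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;

    if (write_all(fd, data, len) < 0) { rc = -2; goto out; }

    /* Freeze size and contents, then forbid changing the seal set itself. */
    if (fcntl(fd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        rc = -3; goto out;
    }
    seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || !(seals & F_SEAL_WRITE)) { rc = -4; goto out; }

    /* Any write or resize must now fail with EPERM. */
    if (pwrite(fd, "x", 1, 0) != -1 || errno != EPERM) { rc = -5; goto out; }
    if (ftruncate(fd, (off_t)len + 1) != -1 || errno != EPERM) { rc = -6; goto out; }

    /* The sealed copy is still readable and unchanged. */
    back = malloc(len ? len : 1);
    if (!back) { rc = -7; goto out; }
    if (pread(fd, back, len, 0) != (ssize_t)len || memcmp(back, data, len) != 0) {
        rc = -8; goto out;
    }
    rc = 0;
out:
    free(back);
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample payload. */
    static const char sample[] = "constructed binary contents";
    int rc = sealed_memfd_roundtrip(sample, sizeof sample - 1);
    printf("sealed memfd round trip: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

On a Mageia 6 class toolchain the shim compiles because __NR_memfd_create comes from the kernel UAPI headers rather than from glibc; a wrapper with the exact name memfd_create() would instead collide with the libc declaration once the build box moves to glibc 2.27, which is one reason to keep a distinct name for the fallback.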
Yeah I had seen the note about kernel 3.17 and knew that was new enough, so I was confused. I didn't know about the glibc problem. Some people complained on the oss-security list about the approach to fix it (memfd being part of that) and I think they've proposed a kernel-side fix as another possible mitigation.

Anyway, I don't know why it wasn't sufficient for rexec.c to use the definitions that were already in those other files when it links (since that's what it does in 2.0.9 in Cauldron). Fixing the linking is probably the correct approach, so maybe you can take a look at that. In the meantime, I'll let QA play with it, as it might be good enough as-is. Thanks!

Advisory in Comment 0.

lxc-2.0.8-1.1.mga6
liblxc1-2.0.8-1.1.mga6
python3-lxc-2.0.8-1.1.mga6
lua-lxc-2.0.8-1.1.mga6
liblxc-devel-2.0.8-1.1.mga6
lxc-doc-2.0.8-1.1.mga6

from lxc-2.0.8-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
(In reply to David Walser from comment #3)
> Anyway, I don't know why it wasn't sufficient for rexec.c to use the
> definitions that were already in those other files when it links (since
> that's what it does in 2.0.9 in Cauldron). Fixing the linking is probably
> the correct approach, so maybe you can take a look at that.

When I try to build version 2.0.9 (from Cauldron) under mga6, it does not complain anymore about function "must_realloc()" but complains about function "memfd_create()". So I can say version 2.0.9 corrected the visibility of function "must_realloc()" but assumes glibc contains "memfd_create()".

When I tried to correct the problem with linking, I only got other errors saying that "function ... was already defined ..." and the build failed too.
(In reply to Nicolas Salguero from comment #4)
> When I try to build version 2.0.9 (from Cauldron) under mga6, it does not
> complain anymore about function "must_realloc()" but complains about
> function "memfd_create()". So I can say version 2.0.9 corrected the
> visibility of function "must_realloc()" but assumes glibc contains
> "memfd_create()".

Interesting.

> When I tried to correct the problem with linking, I only got other errors
> saying that "function ... was already defined ..." and the build failed too.

Even if you don't duplicate with your patch the function it complains about being already defined?
(In reply to David Walser from comment #5)
> Even if you don't duplicate with your patch the function it complains about
> being already defined?

Yes, not the functions must_realloc() and memfd_create() but other functions that are defined into src/lxc/conf.c and src/lxc/cgroups/cgfsng.c.
Tested lxc-2.0.8-1.1.mga6 following https://linuxcontainers.org/lxc/getting-started/

# lxc-create -t download -n my-container
Distribution: fedora
Release: 26
Architecture: amd64
Downloading the image index
Downloading the rootfs
<snip>

# du -s /var/cache/lxc/download/fedora/26/amd64/default/
52M     /var/cache/lxc/download/fedora/26/amd64/default/
# du -s /var/lib/lxc/my-container/
254M    /var/lib/lxc/my-container/

# lxc-info -n my-container
Name:           my-container
State:          RUNNING
PID:            7856
CPU use:        0.24 seconds
BlkIO use:      4.85 MiB
Memory use:     13.96 MiB
KMem use:       5.01 MiB

# lxc-attach -n my-container
# cat /etc/system-release
Fedora release 26 (Twenty Six)
# exit

# lxc-stop -n my-container
# lxc-destroy -n my-container
Destroyed container my-container

Adding ok for Mageia 6 x86_64

Advisory committed to svn.

Validating the update.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0087.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED