git.ipfire.org Git - thirdparty/lxc.git/commit

author	Maher Azzouzi <maherazz04@gmail.com>
	Sun, 25 Dec 2022 12:50:25 +0000 (13:50 +0100)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Fri, 6 Jan 2023 22:15:32 +0000 (17:15 -0500)
commit	80553b5b412365f429aff93cff178e3e952ee6bd
tree	b752adfe91a59244dd6a86bbeace2f6200221a06	tree \| snapshot
parent	1089f49c58c1f78938fd973c115a6af92e80aea2	commit \| diff

Patching an incoming CVE (CVE-2022-47952)

lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may
allow local users to infer whether any file exists, even within a
protected directory tree, because "Failed to open" often indicates
that a file does not exist, whereas "does not refer to a network
namespace path" often indicates that a file exists. NOTE: this is
different from CVE-2018-6556 because the CVE-2018-6556 fix design was
based on the premise that "we will report back to the user that the
open() failed but the user has no way of knowing why it failed";
however, in many realistic cases, there are no plausible reasons for
failing except that the file does not exist.

PoC:
> % ls /l
> ls: cannot open directory '/l': Permission denied
> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/tt h h
> cmd/lxc_user_nic.c: 1096: main: Failed to open "/l/h/tt" <----- file does not exist.
> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/t h h
> cmd/lxc_user_nic.c: 1101: main: Path "/l/h/t" does not refer to a network namespace path <---- file exist!

Signed-off-by: MaherAzzouzi <maherazz04@gmail.com>
Acked-by: Serge Hallyn <serge@hallyn.com>