File CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch of Package lxc.openSUSE_Leap_42.2_Update
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Fri, 3 Jul 2015 09:26:17 -0500
Subject: CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch-mainline: yes
Git-commit: 72cf81f6a3404e35028567db2c99a90406e9c6e6
References: bnc#938522

This prevents an unprivileged user to use LXC to create arbitrary file on the filesystem.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Jiri Slaby <jslaby@suse.com>
---
 src/lxc/lxclock.c | 47 ++++++++++-------------------------------------
 src/tests/locktests.c | 2 +-
 2 files changed, 11 insertions(+), 38 deletions(-)

diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index fe13898df98f..e9e95f7a01d9 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
 char *rundir;
 /* lockfile will be:
- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
+ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
 * or
- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
+ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
 */
- /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
+ /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
+ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
 rundir = get_rundir();
 if (!rundir)
 return NULL;
@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n)
 return NULL;
 }
- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
+ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
 if (ret < 0 || ret >= len) {
 free(dest);
 free(rundir);
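Review bot: The two rewritten comment lines in this hunk keep an unbalanced double quote: `"/lxc/lock/$lxcpath/$lxcname + '\0'` opens a quoted path that is never closed, so the pseudo-expression does not read the way the `+ '\0'` suffix suggests. Since the commit rewrites these lines anyway, close the quote: `* "/run" + "/lxc/lock/$lxcpath/$lxcname" + '\0' if root` and `* $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname" + '\0' if non-root`. It would also help a future maintainer if this comment recorded why the path moved out of /run/lock, e.g. `/* Not /run/lock/lxc: /run/lock is typically world-writable (mode 1777), so an unprivileged user could pre-create lxc/ there and redirect root's lock files (CVE-2015-1331). */`. Note that `len` here does not include strlen(rundir); the allocation of dest lies between this hunk and the next and is not visible, so I assume it is accounted for there. lxclock_name begins before this hunk and continues past it.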
@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n)
 }
 ret = mkdir_p(dest, 0755);
 if (ret < 0) {
- /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
- * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
- * * lxcpath always starts with '/'
- */
- int l2 = 22 + strlen(n) + strlen(p);
- if (l2 > len) {
- char *d;
- d = realloc(dest, l2);
- if (!d) {
- free(dest);
- free(rundir);
- return NULL;
- }
- len = l2;
- dest = d;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
- if (ret < 0 || ret >= len) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = mkdir_p(dest, 0755);
- if (ret < 0) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
- } else
- ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
+ free(dest);
+ free(rundir);
+ return NULL;
+ }
+ ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
 free(rundir);
-
 if (ret < 0 || ret >= len) {
 free(dest);
 return NULL;
diff --git a/src/tests/locktests.c b/src/tests/locktests.c
index dd3393a89334..233ca127c6de 100644
--- a/src/tests/locktests.c
+++ b/src/tests/locktests.c
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
 exit(1);
 }
 struct stat sb;
- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
+ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
 ret = stat(pathname, &sb);
 if (ret != 0) {
 fprintf(stderr, "%d: filename %s not created\n", __LINE__,
-- 
2.4.5
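Review bot: The new failure branch after `mkdir_p(dest, 0755)` returns NULL without saying why, and nothing in the code records that the removed /tmp fallback was dropped on purpose, so a later contributor could reintroduce it. Add a comment above the branch, e.g. `/* No fallback to a shared location such as /tmp: a predictable path that an unprivileged user can pre-create lets them redirect the lock file (CVE-2015-1331); fail instead. */`. If the file's logging macros are available at this point, a `SYSERROR("Failed to create lock directory %s", dest);` before the frees would make the failure visible instead of surfacing only as a bare NULL to the caller. The hardening relies on get_rundir() returning a directory that other users cannot write to (/run for root, $XDG_RUNTIME_DIR otherwise, per the comment in the first hunk); that function is not part of this patch, so its behaviour when XDG_RUNTIME_DIR is unset should be confirmed. lxclock_name begins before this hunk and its final return lies past the last context line.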