buffer overflows possible in liblxc

Bug #988918 reported by Serge Hallyn
Affects                  Status         Importance   Assigned to     Milestone
lxc (Ubuntu)             Fix Released   High         Serge Hallyn
lxc (Ubuntu Precise)     Fix Released   High         Unassigned

Bug Description

==============================
SRU Justification:
Impact: callers of liblxc (like lxc-ip) can easily get buffer overruns
Stable fix: will be same as development fix
Development fix: Change all sprintf calls to snprintf, and check all snprintf return values which can possibly overrun
Test case: call lxc-info with a 300 character container name?
Regression potential: If this code is not converted correctly, regular container usage can be broken. The lxc testsuite was run to make sure there are no regressions with regular container creation and startup. (see lp:~serge-hallyn/+junk/lxc-test)
==============================
Some code in liblxc calls sprintf, or doesn't check return values of snprintf. Find and fix those.

Changed in lxc (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
importance: Undecided → High
status: New → In Progress
description: updated
Changed in lxc (Ubuntu Precise):
importance: Undecided → High
description: updated
Martin Pitt (pitti) wrote : Please test proposed package

Hello Serge, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Serge Hallyn (serge-hallyn) wrote :

Verified.

I tested it with:

bzr branch lp:/~frankban/lpsetup/lp-lxc-ip/
cd lp-lxc-ip/lp-lxc-ip
sed -i 's/\[:85\]//' lxcip.py
sudo ./lxcip.py -n ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp

With prior package, I got

*** buffer overflow detected ***: python terminated

With new package, lxc caught the 'name too long' and returned an error (which lxc.py hid).

I also ran the lxc testsuite (lp:~serge-hallyn/+junk/lxc-test) and found no regressions there.
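The pattern the SRU description and the verification above are about (an unchecked sprintf into a fixed-size buffer, replaced by snprintf with its return value checked) as an added example; this is not lxc's own code. The helper name lxc_config_path, the LXCPATH default and the buffer size are assumptions for the illustration, and the 300-character name mirrors the test case in the bug.

```c
#include <stdio.h>
#include <string.h>

#define LXCPATH "/var/lib/lxc"   /* assumed default, not taken from lxc's build config */
#define MAXPATHLEN 256           /* constructed fixed buffer size for this example */

/* Hardened helper (hypothetical): writes "<LXCPATH>/<name>/config" into buf
 * and returns 0, or -1 when the result would not fit.
 * The pre-fix pattern was sprintf(buf, "%s/%s/config", LXCPATH, name), which
 * silently writes past the end of buf for a long container name; glibc's
 * FORTIFY check is what printed "*** buffer overflow detected ***" above. */
int lxc_config_path(char *buf, size_t buflen, const char *name)
{
    int rc;

    if (!buf || !name || buflen == 0)
        return -1;

    rc = snprintf(buf, buflen, "%s/%s/config", LXCPATH, name);
    /* snprintf returns the length the full string would have needed:
     * rc >= buflen means the output was truncated, rc < 0 is an error.
     * Either way the caller must treat the buffer as unusable. */
    if (rc < 0 || (size_t)rc >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[MAXPATHLEN];
    char longname[300 + 1];

    /* constructed input: a 300-character container name, as in the bug's test case */
    memset(longname, 'p', 300);
    longname[300] = '\0';

    if (lxc_config_path(path, sizeof(path), "myct") == 0)
        printf("ok: %s\n", path);

    if (lxc_config_path(path, sizeof(path), longname) != 0)
        printf("error: container name too long\n");

    return 0;
}
```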

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu1

---------------
lxc (0.8.0~rc1-4ubuntu1) quantal; urgency=low

  * Merge from unstable. Remaining changes:
    - control:
      - update maintainer
      - Build-Depends: add dh-apparmor and libapparmor-dev
      - lxc Depends: add bridge-utils, dnsmasq-base, iptables, rsync
      - lxc Recommends: add cgroup-lite | cgroup-bin, openssl
      - lxc Suggests: add btrfs-tools, lvm2, qemu-user-static
      - lxc Conflicts: remove (cgroup-bin)
    - Add lxc-start-ephemeral and lxc-wait to debian/local
    - apparmor:
      - add lxc.apparmor, lxc-containers.apparmor,
        lxc-default.apparmor, and new lxc.apparmor.in
    - add debian/lxc.conf (default container creation config file)
    - debian/lxc.install.in:
      * add lxc-start-ephemeral
      * add debian/lxc.conf
      * skip lxc-debconf*
      * skip lxc-ls (Use upstream's)
    - debian/lxc*.install.in: use '*', not @DEB_HOST_MULTIARCH@
    - Use our own completely different lxc.postinst and lxc.postrm
    - remove lxc.templates
    - debian/rules:
      * add DEB_DH_INSTALLINIT_ARGS = --upstart-only
      * don't do debconf stuff
      * add debian/*.apparmor.in to files processed under
        override_dh_auto_clean
      * don't comment out ubuntu or busybox templates
      * do apparmor stuff and install our own lxc-wait under override_dh_install
      * install our upstart scripts in override_dh_installinit
    - add lxc.default, lxc.lxc-net.upstart, lxc.upstart under
      debian/

  * patches kept:
    - 0013-lxc-create-use-default-config.patch (needed manual rebase)
    - 0030-ubuntu-template-fail.patch
    - 0031-ubuntu-template-resolvconf.patch
    - 0044-lxc-destroy-rm-autos
    - debian/patches/0045-fix-other-templates
    - debian/patches/0046-lxc-clone-change-hwaddr
    - debian/patches/0047-bindhome-check-shell
    - debian/patches/0049-ubuntu-template-sudo-and-cleanup
    - debian/patches/0050-clone-lvm-sizes
    - debian/patches/0052-ubuntu-bind-user-conflict
    - debian/patches/0053-lxc-start-pin-rootfs
    - debian/patches/0054-ubuntu-debug
    - debian/patches/0055-ubuntu-handle-badgrp
    - debian/patches/0056-dont-watch-utmp
    - debian/patches/0057-update-manpages
    - debian/patches/0058-fixup-ubuntu-cloud
    - debian/patches/0059-reenable-daily-cloudimg
    - debian/patches/0060-lxc-shutdown
    - debian/patches/0061-lxc-start-apparmor
    - debian/patches/0062-templates-relative-paths
    - debian/patches/0063-check-apparmor-enabled
    - debian/patches/0064-apparmor-mount-proc
    - debian/patches/0065-fix-bindhome-relpath
    - debian/patches/0066-confile-typo
    - debian/patches/0067-templates-lxc-profile
    - debian/patches/0068-fix-lxc-config-layout
    - debian/patches/0069-ubuntu-cloud-fix
    - debian/patches/0070-templates-rmdir-dev-shm
    - debian/patches/0071-ubuntu-cloud-fix-image-extraction
    - debian/patches/0072-lxc-shutdown-help
    - debian/patches/0073-lxc-destroy-waits-before-destroy
    - mark all patches which have been forwarded as such, refresh all
  * 0074-lxc-execute-find-init: lxc-init had moved. Introduce a function in
    lxc-execute to go find it. Otherwise lxc-...


Changed in lxc (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu53

---------------
lxc (0.7.5-3ubuntu53) precise-proposed; urgency=low

  * 0074-fix-sprintfs - check return values for all sprintfs and snprintfs
    which could overflow (LP: #988918)
  * 0075-execute-without-rootfs: let lxc-execute succeed with no rootfs
    (LP: #981955)
 -- Serge Hallyn <email address hidden> Thu, 26 Apr 2012 10:52:47 -0500

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released