[PATCH/next,1/1] package/lxc: security bump to version 3.2.1
diff mbox series

Message ID 20190816170315.8763-1-fontaine.fabrice@gmail.com
State New
Headers show
Series
  • [PATCH/next,1/1] package/lxc: security bump to version 3.2.1
Related show

Commit Message

Fabrice Fontaine Aug. 16, 2019, 5:03 p.m. UTC
- lxc switched from gnutls to openssl since version 3.2.0 and
  https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
- lxc needs a glibc or musl toolchain since version 3.2.0 and
  https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
- This version includes a security fix (named CVE-2019-5736 on runC):
  https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/lxc/Config.in |  5 +++--
 package/lxc/lxc.hash  |  2 +-
 package/lxc/lxc.mk    | 16 ++++++++--------
 3 files changed, 12 insertions(+), 11 deletions(-)

Comments

Thomas Petazzoni Aug. 17, 2019, 1:41 p.m. UTC | #1
On Fri, 16 Aug 2019 19:03:15 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> - lxc switched from gnutls to openssl since version 3.2.0 and
>   https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
> - lxc needs a glibc or musl toolchain since version 3.2.0 and
>   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> - This version includes a security fix (named CVE-2019-5736 on runC):
>   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

We normally apply security bumps to master. But this one seems like a
quite major bump, and it also disables the package for uClibc.

Does it make sense to backport just the security fix in master ?

Thomas
Fabrice Fontaine Aug. 17, 2019, 7:36 p.m. UTC | #2
Hello Thomas,

Le sam. 17 août 2019 à 15:41, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> a écrit :
>
> On Fri, 16 Aug 2019 19:03:15 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > - lxc switched from gnutls to openssl since version 3.2.0 and
> >   https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
> > - lxc needs a glibc or musl toolchain since version 3.2.0 and
> >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> > - This version includes a security fix (named CVE-2019-5736 on runC):
> >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> We normally apply security bumps to master. But this one seems like a
> quite major bump, and it also disables the package for uClibc.
Yes I know that's why I marked it for next.
>
> Does it make sense to backport just the security fix in master ?
I could but this fix will add the glibc or musl toolchain dependency.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice
Thomas Petazzoni Aug. 17, 2019, 7:59 p.m. UTC | #3
Hello,

+Peter in Cc.

On Sat, 17 Aug 2019 21:36:27 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Hello Thomas,
> 
> Le sam. 17 août 2019 à 15:41, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> a écrit :
> >
> > On Fri, 16 Aug 2019 19:03:15 +0200
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> >  
> > > - lxc switched from gnutls to openssl since version 3.2.0 and
> > >   https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
> > > - lxc needs a glibc or musl toolchain since version 3.2.0 and
> > >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> > > - This version includes a security fix (named CVE-2019-5736 on runC):
> > >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> > >
> > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>  
> >
> > We normally apply security bumps to master. But this one seems like a
> > quite major bump, and it also disables the package for uClibc.  
> Yes I know that's why I marked it for next.
> >
> > Does it make sense to backport just the security fix in master ?  
> I could but this fix will add the glibc or musl toolchain dependency.

OK, so let's bring Peter Korsgaard in Cc. Since he maintains the
stable/LTS branches, it is important to get his call on this issue.

Thanks,

Thomas
Peter Korsgaard Aug. 27, 2019, 8:39 p.m. UTC | #4
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

 >> > Does it make sense to backport just the security fix in master ?  
 >> I could but this fix will add the glibc or musl toolchain dependency.

 > OK, so let's bring Peter Korsgaard in Cc. Since he maintains the
 > stable/LTS branches, it is important to get his call on this issue.

Well, is is "complicated" ;) CVE-2019-5736 is the same issue we fixed
for runc back in February (where the fix had some fallout).

But do notice:

- Issue only applies to privileged containers, which is explicitly
  marked as unsafe by upstream - E.G. on their website:

  They're not safe at all and should only be used in environments where
  unprivileged containers aren't available and where you would trust
  your container's user with root access to the host.

  https://linuxcontainers.org/lxc/security/#LXC

- The current lxc version in 2019.02.x / 2019.05.x / 2019.08 is 3.1.0,
  which is a development version of late 2018.

- A fix is available for the current LTS version (3.0.x, supported until
  2023) and current development version (3.2.1)


So our options are basically:

- Apply the patch to master and 2019.02.x / 2019.05.x

- Revert master/2019.05.x/2019.02.x to the LTS series, 3.0.4

- Cherry pick the fix to 3.1.0 for master/2019.05.x/2019.02.x

- Ignore the issue and only apply the patch to next


I would say option 4 (ignore) or 2 (revert) sounds like the most
sensible options to me.

What do others think?

Patch
diff mbox series

diff --git a/package/lxc/Config.in b/package/lxc/Config.in
index d8d8f50c8e..0b3c1b923e 100644
--- a/package/lxc/Config.in
+++ b/package/lxc/Config.in
@@ -6,6 +6,7 @@  config BR2_PACKAGE_LXC
 	depends on !BR2_STATIC_LIBS
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 # C++11
 	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0 # setns() system call
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # no fexecve
 	help
 	  Linux Containers (LXC), provides the ability to group and
 	  isolate of a set of processes in a jail by virtualizing and
@@ -14,9 +15,9 @@  config BR2_PACKAGE_LXC
 
 	  https://linuxcontainers.org/
 
-comment "lxc needs a toolchain w/ threads, headers >= 3.0, dynamic library, gcc >= 4.7"
+comment "lxc needs a glibc or musl toolchain w/ threads, headers >= 3.0, dynamic library, gcc >= 4.7"
 	depends on BR2_USE_MMU
 	depends on !BR2_TOOLCHAIN_HAS_THREADS \
 		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 \
 		|| !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0 \
-		|| BR2_STATIC_LIBS
+		|| BR2_STATIC_LIBS || BR2_TOOLCHAIN_USES_UCLIBC
diff --git a/package/lxc/lxc.hash b/package/lxc/lxc.hash
index aad38ca57a..d5ea799776 100644
--- a/package/lxc/lxc.hash
+++ b/package/lxc/lxc.hash
@@ -1,3 +1,3 @@ 
 # Locally calculated
-sha256	4d8772c25baeaea2c37a954902b88c05d1454c91c887cb6a0997258cfac3fdc5	lxc-3.1.0.tar.gz
+sha256	5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4	lxc-3.2.1.tar.gz
 sha256	dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551	COPYING
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index a059fd578e..81adeef5ee 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LXC_VERSION = 3.1.0
+LXC_VERSION = 3.2.1
 LXC_SITE = https://linuxcontainers.org/downloads/lxc
 LXC_LICENSE = LGPL-2.1+
 LXC_LICENSE_FILES = COPYING
@@ -19,13 +19,6 @@  ifeq ($(BR2_PACKAGE_BASH_COMPLETION),y)
 LXC_DEPENDENCIES += bash-completion
 endif
 
-ifeq ($(BR2_PACKAGE_GNUTLS),y)
-LXC_CONF_OPTS += --enable-gnutls
-LXC_DEPENDENCIES += gnutls
-else
-LXC_CONF_OPTS += --disable-gnutls
-endif
-
 ifeq ($(BR2_PACKAGE_LIBCAP),y)
 LXC_CONF_OPTS += --enable-capabilities
 LXC_DEPENDENCIES += libcap
@@ -47,4 +40,11 @@  else
 LXC_CONF_OPTS += --disable-selinux
 endif
 
+ifeq ($(BR2_PACKAGE_OPENSSL),y)
+LXC_CONF_OPTS += --enable-openssl
+LXC_DEPENDENCIES += openssl
+else
+LXC_CONF_OPTS += --disable-openssl
+endif
+
 $(eval $(autotools-package))