* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
@ 2019-08-16 17:03 Fabrice Fontaine
  2019-08-17 13:41 ` Thomas Petazzoni
  2019-10-04 19:47 ` Bernd Kuhls
From: Fabrice Fontaine @ 2019-08-16 17:03 UTC
  To: buildroot

- lxc switched from gnutls to openssl since version 3.2.0 and
  https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
- lxc needs a glibc or musl toolchain since version 3.2.0 and
  https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
- This version includes a security fix (named CVE-2019-5736 on runC):
  https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/lxc/Config.in |  5 +++--
 package/lxc/lxc.hash  |  2 +-
 package/lxc/lxc.mk    | 16 ++++++++--------
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/package/lxc/Config.in b/package/lxc/Config.in
index d8d8f50c8e..0b3c1b923e 100644
--- a/package/lxc/Config.in
+++ b/package/lxc/Config.in
@@ -6,6 +6,7 @@ config BR2_PACKAGE_LXC
 	depends on !BR2_STATIC_LIBS
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 # C++11
 	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0 # setns() system call
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # no fexecve
 	help
 	  Linux Containers (LXC), provides the ability to group and
 	  isolate of a set of processes in a jail by virtualizing and
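Review bot: the new `depends on !BR2_TOOLCHAIN_USES_UCLIBC # no fexecve` deserves a sentence in the commit message rather than a two-word comment, because the message cites the same upstream commit (6400238d) both for the glibc/musl requirement and for the CVE-2019-5736 fix: if fexecve is what the fix itself relies on, the uClibc exclusion is part of the security fix and cannot be avoided by backporting only the fix, which is exactly the question a reviewer of a security bump will ask. Adjacent and unchanged, but worth fixing if this block is touched again: the help text "isolate of a set of processes" should read "isolate a set of processes".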
@@ -14,9 +15,9 @@ config BR2_PACKAGE_LXC
 
 	  https://linuxcontainers.org/
 
-comment "lxc needs a toolchain w/ threads, headers >= 3.0, dynamic library, gcc >= 4.7"
+comment "lxc needs a glibc or musl toolchain w/ threads, headers >= 3.0, dynamic library, gcc >= 4.7"
 	depends on BR2_USE_MMU
 	depends on !BR2_TOOLCHAIN_HAS_THREADS \
 		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 \
 		|| !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0 \
-		|| BR2_STATIC_LIBS
+		|| BR2_STATIC_LIBS || BR2_TOOLCHAIN_USES_UCLIBC
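Review bot: `|| BR2_STATIC_LIBS || BR2_TOOLCHAIN_USES_UCLIBC` folds two conditions onto one line while the three conditions above it get one line each; keep the existing one-per-line layout (`|| BR2_STATIC_LIBS \` followed by `|| BR2_TOOLCHAIN_USES_UCLIBC`) so the comment's condition list stays readable and the next addition diffs as a single inserted line. The new wording "glibc or musl toolchain" does match the `depends on` added to the config entry above.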
diff --git a/package/lxc/lxc.hash b/package/lxc/lxc.hash
index aad38ca57a..d5ea799776 100644
--- a/package/lxc/lxc.hash
+++ b/package/lxc/lxc.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256	4d8772c25baeaea2c37a954902b88c05d1454c91c887cb6a0997258cfac3fdc5	lxc-3.1.0.tar.gz
+sha256	5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4	lxc-3.2.1.tar.gz
 sha256	dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551	COPYING
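Review bot: the hash line is still marked "# Locally calculated", so nothing in this hunk ties the new sha256 to anything upstream published; for a security bump the hash is the only thing standing between the build and a substituted tarball, so verify lxc-3.2.1.tar.gz against the detached GPG signature linuxcontainers.org publishes next to its tarballs and record that in the comment the way other Buildroot hash files do ("# Locally calculated after checking pgp signature").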
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index a059fd578e..81adeef5ee 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LXC_VERSION = 3.1.0
+LXC_VERSION = 3.2.1
 LXC_SITE = https://linuxcontainers.org/downloads/lxc
 LXC_LICENSE = LGPL-2.1+
 LXC_LICENSE_FILES = COPYING
@@ -19,13 +19,6 @@ ifeq ($(BR2_PACKAGE_BASH_COMPLETION),y)
 LXC_DEPENDENCIES += bash-completion
 endif
 
-ifeq ($(BR2_PACKAGE_GNUTLS),y)
-LXC_CONF_OPTS += --enable-gnutls
-LXC_DEPENDENCIES += gnutls
-else
-LXC_CONF_OPTS += --disable-gnutls
-endif
-
 ifeq ($(BR2_PACKAGE_LIBCAP),y)
 LXC_CONF_OPTS += --enable-capabilities
 LXC_DEPENDENCIES += libcap
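Review bot: removing the gnutls block leaves nothing in its place and nothing in Config.in selects openssl, so a defconfig that had BR2_PACKAGE_GNUTLS=y for lxc's benefit now silently builds lxc with whatever `--disable-openssl` drops unless BR2_PACKAGE_OPENSSL=y is also set; a sentence in the commit message telling users to switch that option would save them a surprise. Dropping the `--enable-gnutls`/`--disable-gnutls` flags outright rather than leaving a no-op is right if 3.2.x's configure no longer accepts them, which the cited switch-to-openssl commit implies.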
@@ -47,4 +40,11 @@ else
 LXC_CONF_OPTS += --disable-selinux
 endif
 
+ifeq ($(BR2_PACKAGE_OPENSSL),y)
+LXC_CONF_OPTS += --enable-openssl
+LXC_DEPENDENCIES += openssl
+else
+LXC_CONF_OPTS += --disable-openssl
+endif
+
 $(eval $(autotools-package))
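Review bot: the openssl block is appended after the selinux block, while the gnutls block it replaces sat between bash-completion and libcap; the surrounding optional-dependency blocks are kept in alphabetical order (bash-completion, libcap, ..., selinux), so the new block belongs before selinux rather than at the end of the list. Since the feature is silently degraded when openssl is off, the Config.in help text could also say what the openssl build adds, which it currently does not.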
-- 
2.20.1

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
  2019-08-16 17:03 [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1 Fabrice Fontaine
@ 2019-08-17 13:41 ` Thomas Petazzoni
  2019-08-17 19:36   ` Fabrice Fontaine
  2019-10-04 19:47 ` Bernd Kuhls
From: Thomas Petazzoni @ 2019-08-17 13:41 UTC
  To: buildroot

On Fri, 16 Aug 2019 19:03:15 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> - lxc switched from gnutls to openssl since version 3.2.0 and
>   https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
> - lxc needs a glibc or musl toolchain since version 3.2.0 and
>   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> - This version includes a security fix (named CVE-2019-5736 on runC):
>   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

We normally apply security bumps to master. But this one seems like a
quite major bump, and it also disables the package for uClibc.

Does it make sense to backport just the security fix in master ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
  2019-08-17 13:41 ` Thomas Petazzoni
@ 2019-08-17 19:36   ` Fabrice Fontaine
  2019-08-17 19:59     ` Thomas Petazzoni
From: Fabrice Fontaine @ 2019-08-17 19:36 UTC
  To: buildroot

Hello Thomas,

On Sat, 17 Aug 2019 at 15:41, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Fri, 16 Aug 2019 19:03:15 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > - lxc switched from gnutls to openssl since version 3.2.0 and
> >   https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
> > - lxc needs a glibc or musl toolchain since version 3.2.0 and
> >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> > - This version includes a security fix (named CVE-2019-5736 on runC):
> >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> We normally apply security bumps to master. But this one seems like a
> quite major bump, and it also disables the package for uClibc.
Yes, I know, that's why I marked it for next.
>
> Does it make sense to backport just the security fix in master ?
I could, but this fix will add the glibc or musl toolchain dependency.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice


* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
  2019-08-17 19:36   ` Fabrice Fontaine
@ 2019-08-17 19:59     ` Thomas Petazzoni
  2019-08-27 20:39       ` Peter Korsgaard
From: Thomas Petazzoni @ 2019-08-17 19:59 UTC
  To: buildroot

Hello,

+Peter in Cc.

On Sat, 17 Aug 2019 21:36:27 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Hello Thomas,
> 
> On Sat, 17 Aug 2019 at 15:41, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > On Fri, 16 Aug 2019 19:03:15 +0200
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> >  
> > > - lxc switched from gnutls to openssl since version 3.2.0 and
> > >   https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
> > > - lxc needs a glibc or musl toolchain since version 3.2.0 and
> > >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> > > - This version includes a security fix (named CVE-2019-5736 on runC):
> > >   https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
> > >
> > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>  
> >
> > We normally apply security bumps to master. But this one seems like a
> > quite major bump, and it also disables the package for uClibc.  
> Yes, I know, that's why I marked it for next.
> >
> > Does it make sense to backport just the security fix in master ?  
> I could, but this fix will add the glibc or musl toolchain dependency.

OK, so let's bring Peter Korsgaard in Cc. Since he maintains the
stable/LTS branches, it is important to get his call on this issue.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
  2019-08-17 19:59     ` Thomas Petazzoni
@ 2019-08-27 20:39       ` Peter Korsgaard
  2019-10-05 13:37         ` Arnout Vandecappelle
From: Peter Korsgaard @ 2019-08-27 20:39 UTC
  To: buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

 >> > Does it make sense to backport just the security fix in master ?  
 >> I could but this fix will add the glibc or musl toolchain dependency.

 > OK, so let's bring Peter Korsgaard in Cc. Since he maintains the
 > stable/LTS branches, it is important to get his call on this issue.

Well, it is "complicated" ;) CVE-2019-5736 is the same issue we fixed
for runc back in February (where the fix had some fallout).

But do notice:

- Issue only applies to privileged containers, which is explicitly
  marked as unsafe by upstream - E.G. on their website:

  They're not safe at all and should only be used in environments where
  unprivileged containers aren't available and where you would trust
  your container's user with root access to the host.

  https://linuxcontainers.org/lxc/security/#LXC

- The current lxc version in 2019.02.x / 2019.05.x / 2019.08 is 3.1.0,
  which is a development version of late 2018.

- A fix is available for the current LTS version (3.0.x, supported until
  2023) and current development version (3.2.1)


So our options are basically:

- Apply the patch to master and 2019.02.x / 2019.05.x

- Revert master/2019.05.x/2019.02.x to the LTS series, 3.0.4

- Cherry pick the fix to 3.1.0 for master/2019.05.x/2019.02.x

- Ignore the issue and only apply the patch to next


I would say option 4 (ignore) or 2 (revert) sounds like the most
sensible options to me.

What do others think?

-- 
Bye, Peter Korsgaard

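
As an added illustration, not code from lxc, runc or this patch: the CVE-2019-5736 bug class Peter refers to is that root inside a privileged container can reach the host binary behind the runtime's /proc/self/exe while the runtime is entering the container, and the upstream lxc fix cited in the commit message closes it by re-executing from an in-memory copy instead of the on-disk file, which is what needs fexecve() and why the Config.in hunk drops uClibc with "# no fexecve". The C program below does the same for its own binary: copy /proc/self/exe into a memfd, seal it, and fexecve() it, so the image that keeps running is no longer backed by any host path. The function names, the "rexec-demo" memfd name, the REXEC_DEMO_DONE environment variable and the fallback constants are this example's own; it assumes Linux 3.17 or newer (memfd_create and file seals) and a libc that provides fexecve().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/sendfile.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fallbacks if fcntl.h was seen without _GNU_SOURCE; values are Linux UAPI. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#define ALL_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)

extern char **environ;

/* Copy /proc/self/exe into an anonymous memfd and seal it: from then on the bytes
 * we execute from cannot be altered through the on-disk binary. -1 on error. */
int self_to_sealed_memfd(void)
{
    struct stat st;
    int mfd = -1;
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0 || fstat(src, &st) < 0) goto fail;
    /* raw syscall, so this builds whether or not libc exports memfd_create() */
    mfd = (int)syscall(SYS_memfd_create, "rexec-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) goto fail;
    for (off_t done = 0; done < st.st_size;) {
        ssize_t n = sendfile(mfd, src, NULL, (size_t)(st.st_size - done));
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            goto fail;
        done += n;
    }
    if (fcntl(mfd, F_ADD_SEALS, ALL_SEALS) < 0) goto fail;
    close(src);
    return mfd;
fail:
    if (src >= 0) close(src);
    if (mfd >= 0) close(mfd);
    return -1;
}

/* 1 if the kernel refuses to patch the sealed copy: the write must fail with EPERM. */
int memfd_write_refused(int fd)
{
    char nop = (char)0x90;
    return pwrite(fd, &nop, 1, 0) < 0 && errno == EPERM;
}

/* Build a sealed copy of ourselves and check it: 1 only if every seal is set, the
 * copy rejects writes, and it is exactly as large as the binary it came from. */
int verify_sealed_copy(void)
{
    struct stat copy, self;
    int fd = self_to_sealed_memfd();
    if (fd < 0)
        return 0;
    int seals = fcntl(fd, F_GET_SEALS);
    int ok = seals >= 0 && (seals & ALL_SEALS) == ALL_SEALS && memfd_write_refused(fd) &&
             fstat(fd, &copy) == 0 && stat("/proc/self/exe", &self) == 0 &&
             copy.st_size > 0 && copy.st_size == self.st_size;
    close(fd);
    return ok;
}

/* Replace the process image with the sealed copy. Never returns on success; the
 * new image's /proc/self/exe reads "/memfd:rexec-demo (deleted)", not a host path. */
int rexec_from_memfd(int mfd, char *const argv[])
{
    fexecve(mfd, argv, environ);
    return -1; /* only reached on failure, errno set */
}

int main(int argc, char **argv)
{
    (void)argc;
    if (getenv("REXEC_DEMO_DONE")) { /* second pass: now running from the memfd */
        char exe[256] = "?";
        ssize_t n = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
        if (n > 0) exe[n] = '\0';
        printf("now running from %s\n", exe);
        return 0;
    }
    int mfd = self_to_sealed_memfd();
    if (mfd < 0 || setenv("REXEC_DEMO_DONE", "1", 1) < 0 || rexec_from_memfd(mfd, argv) < 0)
        perror("rexec");
    return 1;
}
```

Build and run it once: the first pass builds the sealed copy and re-executes, the second pass prints "now running from /memfd:rexec-demo (deleted)". verify_sealed_copy() exists so the sealing can be checked in-process without re-executing; the EPERM it expects from pwrite() is what an attacker who opens this process's /proc/[pid]/exe for writing now gets, instead of a writable handle on the host binary. On a uClibc toolchain with no fexecve() the program does not link, which is the restriction the Config.in hunk encodes.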

* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
  2019-08-16 17:03 [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1 Fabrice Fontaine
  2019-08-17 13:41 ` Thomas Petazzoni
@ 2019-10-04 19:47 ` Bernd Kuhls
From: Bernd Kuhls @ 2019-10-04 19:47 UTC
  To: buildroot

On Fri, 16 Aug 2019 19:03:15 +0200, Fabrice Fontaine wrote:

> Signed-off-by: Fabrice Fontaine
> <fontaine.fabrice@gmail.com>

Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[build-tested using this defconfig:
BR2_x86_64=y
BR2_x86_atom=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-x86-64-musl-2019.05.1.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_7=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_5_1=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM_MUSL=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_PACKAGE_OPENSSL=y
BR2_PACKAGE_LIBCAP=y
BR2_PACKAGE_LIBSECCOMP=y
BR2_PACKAGE_LXC=y]


* [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1
  2019-08-27 20:39       ` Peter Korsgaard
@ 2019-10-05 13:37         ` Arnout Vandecappelle
From: Arnout Vandecappelle @ 2019-10-05 13:37 UTC
  To: buildroot



On 27/08/2019 22:39, Peter Korsgaard wrote:
>>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
> 
> Hi,
> 
>  >> > Does it make sense to backport just the security fix in master ?  
>  >> I could but this fix will add the glibc or musl toolchain dependency.
> 
>  > OK, so let's bring Peter Korsgaard in Cc. Since he maintains the
>  > stable/LTS branches, it is important to get his call on this issue.
> 
> Well, it is "complicated" ;) CVE-2019-5736 is the same issue we fixed
> for runc back in February (where the fix had some fallout).
> 
> But do notice:
> 
> - Issue only applies to privileged containers, which is explicitly
>   marked as unsafe by upstream - E.G. on their website:
> 
>   They're not safe at all and should only be used in environments where
>   unprivileged containers aren't available and where you would trust
>   your container's user with root access to the host.
> 
>   https://linuxcontainers.org/lxc/security/#LXC
> 
> - The current lxc version in 2019.02.x / 2019.05.x / 2019.08 is 3.1.0,
>   which is a development version of late 2018.
> 
> - A fix is available for the current LTS version (3.0.x, supported until
>   2023) and current development version (3.2.1)
> 
> 
> So our options are basically:
> 
> - Apply the patch to master and 2019.02.x / 2019.05.x
> 
> - Revert master/2019.05.x/2019.02.x to the LTS series, 3.0.4
> 
> - Cherry pick the fix to 3.1.0 for master/2019.05.x/2019.02.x
> 
> - Ignore the issue and only apply the patch to next
> 
> 
> I would say option 4 (ignore) or 2 (revert) sounds like the most
> sensible options to me.
> 
> What do others think?

 I tend to lean towards option 2, but option 4 is fine as well of course.

 Note that I scheduled a discussion about this type of problem (our LTS branch
ends up with a non-LTS version) for the developer meeting.


 Regards,
 Arnout


Thread overview: 7+ messages
2019-08-16 17:03 [Buildroot] [PATCH/next 1/1] package/lxc: security bump to version 3.2.1 Fabrice Fontaine
2019-08-17 13:41 ` Thomas Petazzoni
2019-08-17 19:36   ` Fabrice Fontaine
2019-08-17 19:59     ` Thomas Petazzoni
2019-08-27 20:39       ` Peter Korsgaard
2019-10-05 13:37         ` Arnout Vandecappelle
2019-10-04 19:47 ` Bernd Kuhls
