
[18.03] Security backport for fuse (CVE-2018-10906) #48757

Merged
merged 6 commits into from Oct 25, 2018

Conversation

@primeos (Member) commented Oct 20, 2018

Motivation for this change

Delayed security backport for CVE-2018-10906. SSHFS works, I'm currently testing some rebuilds.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@primeos primeos added the 8.has: port to stable A PR already has a backport to the stable release. label Oct 20, 2018
@primeos primeos self-assigned this Oct 20, 2018
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: fuse, fuse3

Partial log (click to expand)


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: fuse, fuse3

Partial log (click to expand)

shrinking /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/lib/libulockmgr.so.1.0.1
shrinking /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/lib/libfuse.so.2.9.8
gzipping man pages under /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/share/man/
strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/lib  /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/bin  /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/sbin
patching script interpreter paths in /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8
checking for references to /build in /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8...
moving /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/sbin/* to /nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8/bin
/nix/store/n8ksqw61pzl0y75bcri44x7sill7z64w-fuse-2.9.8
/nix/store/p5ggf8i7hs21b4sigl44cf2xjlzrizfj-fuse-3.2.5

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: fuse, fuse3

Partial log (click to expand)

shrinking /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/lib/libulockmgr.so.1.0.1
shrinking /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/lib/libfuse.so.2.9.8
shrinking /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/sbin/mount.fuse
gzipping man pages under /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/share/man/
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/lib  /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/bin  /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/sbin
patching script interpreter paths in /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8
checking for references to /build in /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8...
/nix/store/zl3kz9jccf7jdh1hhphnf9xarsaqc5ck-fuse-3.2.5
moving /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/sbin/* to /nix/store/xyn0c3zbnx1f2qiv0sakq6pxkw5x68fl-fuse-2.9.8/bin

@primeos (Member, Author) commented Oct 21, 2018

Hm, unfortunately this seems to break xen:

  CC    i386-dm/pci-hotplug.o
  CC    i386-dm/piix4acpi.o
  CC    i386-dm/xenstore.o
  CC    i386-dm/xen_platform.o
  CC    i386-dm/xen_machine_fv.o
  CC    i386-dm/xen_machine_pv.o
  CC    i386-dm/xen_backend.o
  CC    i386-dm/xenfb.o
  CC    i386-dm/xen_console.o
  CC    i386-dm/xen_disk.o
  CC    i386-dm/exec-dm.o
  CC    i386-dm/pci_emulation.o
  CC    i386-dm/helper2.o
  CC    i386-dm/battery_mgmt.o
  CC    i386-dm/tpm_tis.o
  CC    i386-dm/pass-through.o
  CC    i386-dm/pt-msi.o
  CC    i386-dm/pt-graphics.o
  CC    i386-dm/kqemu.o
  CC    i386-dm/i386-dis.o
  AR    i386-dm/libqemu.a
  LINK  i386-dm/qemu-dm
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:740: qemu-dm] Error 1
make[4]: Leaving directory '/build/xen-4.8.2/tools/qemu-xen-traditional-dir/i386-dm'
make[3]: *** [Makefile:42: subdir-i386-dm] Error 2
make[3]: Leaving directory '/build/xen-4.8.2/tools/qemu-xen-traditional-dir'
make[2]: *** [Makefile:199: subdir-all-qemu-xen-traditional-dir] Error 2
make[2]: Leaving directory '/build/xen-4.8.2/tools'
make[1]: *** [/build/xen-4.8.2/tools/../tools/Rules.mk:212: subdirs-install] Error 2
make[1]: Leaving directory '/build/xen-4.8.2/tools'
make: *** [Makefile:101: install-tools] Error 2
builder for '/nix/store/dknj9bhk9cl53wwaxqhxnlrng0vqz1fk-xen-4.8.2.drv' failed with exit code 2
note: build failure may have been caused by lack of free disk space
error: build of '/nix/store/dknj9bhk9cl53wwaxqhxnlrng0vqz1fk-xen-4.8.2.drv' failed

@primeos primeos removed their assignment Oct 21, 2018
@c0bw3b (Contributor) commented Oct 25, 2018

We could settle for setting:

meta.knownVulnerabilities = [ "CVE-2018-10906: vulnerable to a restriction bypass when SELinux is active." ];

@primeos (Member, Author) commented Oct 25, 2018

Hey @c0bw3b, thanks for the suggestion, I wasn't aware of this attribute. However, according to the nixpkgs manual Nix would refuse to install fuse:

Nix comes with certain defaults about what packages can and cannot be installed, based on a package's metadata. By default, Nix will prevent installation if any of the following criteria are true:

  • [...]
  • The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered into the package's meta.knownVulnerabilities.

That would be problematic because fuse will be installed by default on NixOS (IIRC).

Unfortunately I don't have much time for this ATM (didn't think it would break Xen), but I'll try something else and if that doesn't work I'll test if GrahamcOfBorg can build it (just to be sure).

But luckily it's only a local exploit and SELinux needs to be active so the impact should be limited (but of course that doesn't mean we should completely ignore it).

primeos and others added 6 commits October 25, 2018 21:19
Stop using bin/mount.fuse from fuse3 for fuse2 (mount.fuse from fuse3
isn't guaranteed to remain backwards compatible).

(cherry picked from commit c00b5bf)
(cherry picked from commit d3e3e13)
(cherry picked from commit fa6941f)
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible
  for unprivileged users to specify the allow_other option even when
  this was forbidden in /etc/fuse.conf. The vulnerability is present
  only on systems where SELinux is active (including in permissive
  mode).
- The fusermount binary has been hardened in several ways to reduce
  potential attack surface. Most importantly, mountpoints and mount
  options must now match a hard-coded whitelist. It is expected that
  this whitelist covers all regular use-cases.
- Added a test of seekdir to test_syscalls.
- Fixed readdir bug when non-zero offsets are given to filler and the
  filesystem client, after reading a whole directory, re-reads it from a
  non-zero offset e. g. by calling seekdir followed by readdir.

(cherry picked from commit 46cd782)
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible
  for unprivileged users to specify the allow_other option even when
  this was forbidden in /etc/fuse.conf. The vulnerability is present
  only on systems where SELinux is active (including in permissive
  mode).
- libfuse no longer segfaults when fuse_interrupted() is called outside
  the event loop.
- The fusermount binary has been hardened in several ways to reduce
  potential attack surface. Most importantly, mountpoints and mount
  options must now match a hard-coded whitelist. It is expected that
  this whitelist covers all regular use-cases.
- Fixed rename deadlock on FreeBSD.

(cherry picked from commit ec1082c)
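The condition the upstream changelog describes (an unprivileged user getting allow_other past /etc/fuse.conf, only while SELinux is enforcing or permissive) turned into a host posture check, as an added example that is not code from this PR or from libfuse. It assumes the versions built here (fuse 2.9.8, fuse3 3.2.5) are the first fixed releases, takes SELinux state as a getenforce-style string, and recognises the real `user_allow_other` directive of /etc/fuse.conf; all sample inputs are constructed.

```python
import re

# Assumption: the versions built in this PR are the first fixed releases.
FIXED_AT = {2: (2, 9, 8), 3: (3, 2, 5)}


def parse_version(text):
    """Pull x.y.z out of 'fuse-2.9.7' or 'fusermount version: 2.9.7'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def fuse_conf_allows_other(conf_text):
    """True if /etc/fuse.conf opts in with an uncommented user_allow_other."""
    for line in conf_text.splitlines():
        if line.split("#", 1)[0].strip() == "user_allow_other":
            return True
    return False


def assess(version, selinux_state, conf_text):
    """Rank one host: 'fixed', 'unknown', 'exposed' or 'not-exposed'."""
    v = parse_version(version)
    fixed_at = FIXED_AT.get(v[0])
    if fixed_at is None:
        return "unknown"  # a major version this check knows nothing about
    if v >= fixed_at:
        return "fixed"
    # When the admin already grants allow_other to users, bypassing the
    # /etc/fuse.conf check gains nothing, so this bug adds no exposure.
    if fuse_conf_allows_other(conf_text):
        return "not-exposed"
    # Changelog: the bypass exists only while SELinux is active, and
    # "active" explicitly includes permissive mode.
    if selinux_state.strip().lower() in ("enforcing", "permissive"):
        return "exposed"
    return "not-exposed"


if __name__ == "__main__":
    # Constructed sample inputs: getenforce-style state and fuse.conf text.
    sample_conf = "# mount_max = 1000\n#user_allow_other\n"
    for ver, sel in (("fuse-2.9.7", "Permissive"), ("fuse-2.9.7", "Disabled"),
                     ("fuse-2.9.8", "Enforcing"), ("fuse-3.2.4", "Enforcing")):
        print(ver, sel, "->", assess(ver, sel, sample_conf))
```

On a real host the inputs would come from `fusermount -V`, `getenforce` and the contents of /etc/fuse.conf; the rule itself is what the changelog states, nothing more.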
@primeos primeos force-pushed the security-backports-for-18.03 branch from 3c5ebd7 to 228acdc Compare October 25, 2018 19:51
@primeos (Member, Author) commented Oct 25, 2018

I've found the issue, it should work now.

@primeos (Member, Author) commented Oct 25, 2018

@GrahamcOfBorg build xen

@primeos primeos self-assigned this Oct 25, 2018
@GrahamcOfBorg

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: xen

Partial log (click to expand)


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: xen

Partial log (click to expand)


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: fuse, fuse3

Partial log (click to expand)


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: fuse, fuse3

Partial log (click to expand)

shrinking /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/lib/libulockmgr.so.1.0.1
shrinking /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/lib/libfuse.so.2.9.8
gzipping man pages under /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/share/man/
strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/lib  /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/bin  /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/sbin
patching script interpreter paths in /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8
checking for references to /build in /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8...
moving /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/sbin/* to /nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8/bin
/nix/store/gplmjp4drkz6yh28gfhln1g7fa1k0shg-fuse-2.9.8
/nix/store/2r9nr1w7hzfsg4gqn6qnq2q6zqpwbcy9-fuse-3.2.5

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: fuse, fuse3

Partial log (click to expand)

shrinking /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/lib/libfuse.so.2.9.8
shrinking /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/sbin/mount.fuse
gzipping man pages under /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/share/man/
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/lib  /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/bin  /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/sbin
patching script interpreter paths in /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8
checking for references to /build in /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8...
moving /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/sbin/* to /nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8/bin
/nix/store/prjyf5v37qyvb6zqa7vdlbbx8dxl5ddk-fuse-2.9.8
/nix/store/3nb7pr950xhiqdp8qqyncll5dc44fymp-fuse-3.2.5

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: xen

Partial log (click to expand)

cannot find section .dynamic
cannot find section .dynamic
cannot find section .dynamic
cannot find section .dynamic
cannot find section .dynamic
cannot find section .dynamic
cannot find section .dynamic
cannot find section .dynamic
moving /nix/store/xyfd2zj21byc3xcxdxv2hw5b7wvhaz2n-xen-4.8.2/sbin/* to /nix/store/xyfd2zj21byc3xcxdxv2hw5b7wvhaz2n-xen-4.8.2/bin
/nix/store/xyfd2zj21byc3xcxdxv2hw5b7wvhaz2n-xen-4.8.2

@primeos (Member, Author) commented Oct 25, 2018

SSHFS still works and the other rebuilds I've checked were all successful.

@primeos primeos merged commit ede8a2f into NixOS:release-18.03 Oct 25, 2018