Merge ~paelzer/ubuntu/+source/strongswan:lp-1786250-self-fd-reads-cosmic into ubuntu/+source/strongswan:ubuntu/cosmic-devel

Proposed by Christian Ehrhardt 
Status: Rejected
Rejected by: Andreas Hasenack
Proposed branch: ~paelzer/ubuntu/+source/strongswan:lp-1786250-self-fd-reads-cosmic
Merge into: ubuntu/+source/strongswan:ubuntu/cosmic-devel
Diff against target: 30 lines (+11/-0)
2 files modified
debian/changelog (+7/-0)
debian/usr.lib.ipsec.charon (+4/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Needs Fixing
fermulator (community) code inspection Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+355589@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

FYI - taken over https://code.launchpad.net/~fermulator/ubuntu/+source/strongswan/+git/strongswan/+merge/353423
which needed some cleanup but being a low hanging fruit should be fixed before Cosmic is released IMHO.

Christian Ehrhardt  (paelzer) wrote :

Test PPA [1] available.
I ran the basic regression [2] on it and all seems fine as expected.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3437
[2]: https://code.launchpad.net/~paelzer/+git/strongswan-test-wrapper

Christian Ehrhardt  (paelzer) wrote :

Tests and MP look ok now IMHO, but since I rewrote so much I'm opening this up for review by another team member.

fermulator (fermulator) wrote :

(Hopefully) my review is sufficient. Christian took over because I went MIA, but the code in `debian/usr.lib.ipsec.charon` is the same as what I tested, and the changelog was properly updated.

review: Approve (code inspection)
Christian Ehrhardt  (paelzer) wrote :

Thanks Robie for the check, uploaded the tag.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/strongswan
 * [new tag] upload/5.6.3-1ubuntu2 -> upload/5.6.3-1ubuntu2

Christian Ehrhardt  (paelzer) wrote :

Uploaded to Cosmic.

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.6.3-1ubuntu2.dsc: done.
  Uploading strongswan_5.6.3-1ubuntu2.debian.tar.xz: done.
  Uploading strongswan_5.6.3-1ubuntu2_source.buildinfo: done.
  Uploading strongswan_5.6.3-1ubuntu2_source.changes: done.
Successfully uploaded packages.

Due to the Beta ISO freeze it is in unapproved [1] for now.

[1]: https://launchpad.net/ubuntu/cosmic/+queue?queue_state=1

Andreas Hasenack (ahasenack) wrote :

This was superseded by security updates:
strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium

  * SECURITY UPDATE: Insufficient input validation in gmp plugin
    - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
      buffer overflow with very small RSA keys in
      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
    - CVE-2018-17540

 -- Marc Deslauriers <email address hidden> Mon, 01 Oct 2018 13:23:59 -0400

strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium

  * SECURITY UPDATE: Insufficient input validation in gmp plugin
    - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
      parse PKCS1 v1.5 RSA signatures to verify them in
      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
      src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
    - CVE-2018-16151
    - CVE-2018-16152

 -- Marc Deslauriers <email address hidden> Tue, 25 Sep 2018 10:16:15 -0400

strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
...

review: Needs Fixing
Andreas Hasenack (ahasenack) wrote :

I'll take over this and resubmit

Unmerged commits

0ad07e7... by Christian Ehrhardt 

changelog: fix apparmor denies reading the own FDs (LP: #1786250)

Signed-off-by: Christian Ehrhardt <email address hidden>

d74a857... by Christian Ehrhardt 

fix apparmor denies reading the own FDs (LP: #1786250)

As per LP #1786250, user noted audit failures in system log
against charon trying to read its own list of file descriptors
in /proc/<pid>/fd/.

We are uncertain when/why this started, however it is not
unreasonable for a process to attempt to read its own fd's,
so allow by extending the apparmor profile for charon.

References:
http://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor.d.5.html
https://linux.die.net/man/5/proc
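
An added example (not part of the commit or of the Launchpad page): a Python check over AppArmor audit records that separates the case the commit message describes, charon listing its own /proc/<pid>/fd/ directory, from a denial where the target PID differs from the caller's. The log lines are constructed, and the profile name /usr/lib/ipsec/charon, the field layout and the meaning of the pid= field (the calling process) are assumptions.

```python
import re

# Constructed sample records in the usual kernel audit layout for AppArmor
# (assumed format; these lines are not taken from LP #1786250).
SAMPLE_LOG = """\
audit: type=1400 audit(1537800000.101:201): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/2211/fd/" pid=2211 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1537800001.102:202): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/1/fd/" pid=2211 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1537800002.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/proc/900/fd/" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1537800003.104:204): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/shadow" pid=2211 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
FD_DIR = re.compile(r'^/proc/(\d+)/fd/$')          # the fd directory itself, not its entries


def parse_fields(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD.findall(line)}


def fd_dir_denials(log_text, profile="/usr/lib/ipsec/charon"):
    """Return (caller_pid, target_pid, is_self) for each denied read of /proc/<pid>/fd/."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_fields(line)
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        match = FD_DIR.match(rec.get("name", ""))
        if not match or "r" not in rec.get("denied_mask", ""):
            continue
        if not rec.get("pid", "").isdigit():
            continue  # malformed record, nothing to compare against
        caller, target = int(rec["pid"]), int(match.group(1))
        # is_self is True only when the process listed its own fd directory.
        hits.append((caller, target, caller == target))
    return hits


if __name__ == "__main__":
    for caller, target, is_self in fd_dir_denials(SAMPLE_LOG):
        kind = "own fd directory" if is_self else "fd directory of another process"
        print(f"pid {caller} denied listing /proc/{target}/fd/ ({kind})")
```

A record with is_self False is the one to look at before widening the profile, since it is not the self-read the commit message argues is reasonable.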

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 3be3a4a..285cd50 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
7+
8+ * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
9+ Thanks to Matt Callaghan.
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 24 Sep 2018 15:15:54 +0200
12+
13 strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
14
15 * Merge with Debian unstable. Remaining changes:
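Review bot: The version in the new entry, 5.6.3-1ubuntu2, is already used by the security upload quoted in the thread (CVE-2018-16151 and CVE-2018-16152, dated 25 Sep 2018), and 5.6.3-1ubuntu3 has followed it, so this entry collides with an existing changelog stanza and the hunk no longer applies on top of 5.6.3-1ubuntu1. Rebase onto the 5.6.3-1ubuntu3 changelog and move the "d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)" entry to the next free version.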
16diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
17index 14cfa6d..6fc50b1 100644
18--- a/debian/usr.lib.ipsec.charon
19+++ b/debian/usr.lib.ipsec.charon
20@@ -71,6 +71,10 @@
21
22 /var/lib/strongswan/* r,
23
24+ # allow self to read file descriptors (LP #1786250)
25+ # restrict to our own process-ID as per apparmor vars
26+ @{PROC}/@{pid}/fd/ r,
27+
28 # Site-specific additions and overrides. See local/README for details.
29 #include <local/usr.lib.ipsec.charon>
30 }
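Review bot: The added comment "restrict to our own process-ID as per apparmor vars" overstates what the rule `@{PROC}/@{pid}/fd/ r,` does. In the stock AppArmor tunables @{pid} is a pattern that matches any numeric PID, so the rule permits listing the fd directory of every process, not only charon's own. Reword the comment to say that, or state why the broader match is acceptable for charon. The trailing slash does keep the grant to the directory listing itself rather than the entries under it, which matches the denial described in the commit message.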
