Created attachment 379568 [details, diff] patch that fixes the problem /usr/bin/jail does not check return value of setuid() and setgid(). If the user has RLIMIT_NPROC limit overflow, setuid() does not change process UID and returns EAGAIN. jail utility then passes control to user shell still in superuser mode. It is hard to reproduce, because limit overflow must happer after jail was started but before it calls setuid(). But we actually saw this happen. Suggested patch is attached, you cal also see it here: https://gist.github.com/spiculator/281c923919de42530b93
Thanks for the report. Has this issue been raised upstream, if so can you please point to a bug report? The patch looks good to me, but given that this package is not currently maintained that might make it easier to process as a version bump.
I don't think any upstream still exists for this package. The last version was released in 2001, I did not find any working issue tracker, and the mail list is empty for many months. We use gentoo, that's why I sent this bug to gentoo. We will be happy to fix it in upstream if you know any alive upstream for this package.
Wouldn't be better to try to use some alternative package then? For now you found this security issue... but it could contain many more that are for now hidden because the package has no upstream for ages and probably not much people still care :/
We do not have any problem right now, we fixed our problem already, I just tried to find some place where I could share the solution. Gentoo have this package in portage, we use Gentoo, so it seemed natural to help Gentoo become a little better. :)
(In reply to Sergey Redin from comment #4) > We do not have any problem right now, we fixed our problem already, I just > tried to find some place where I could share the solution. Gentoo have this > package in portage, we use Gentoo, so it seemed natural to help Gentoo > become a little better. :) Don't misunderstand, that is certainly appreciated :) We're just trying to figure out the correct course of action regarding this package. E.g. would you be interested in sending an email to the oss-sec mailing list[0] for a CVE assignment and maybe feedback on the patch? References: [0] http://seclists.org/oss-sec/
In fact, I could clone this package to github and become upstream for it, if Gentoo is OK with that and will accept my fork as upstream. We will definitely continue using jail, and we have a few other (less important) patches we use already. I just would not like to start some negotiations with some one about it, but I could support it without a problem, we use it anyway.
(In reply to Sergey Redin from comment #6) > In fact, I could clone this package to github and become upstream for it, if > Gentoo is OK with that and will accept my fork as upstream. We will > definitely continue using jail, and we have a few other (less important) > patches we use already. I just would not like to start some negotiations > with some one about it, but I could support it without a problem, we use it > anyway. That sounds good to me, as an extension of that, would you also be willing to proxy-maintain the package in Gentoo? You can find some information about that on [0] and additional questions can be asked in e.g #gentoo-dev-help on IRC (Freenode) References: [0] http://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
OK, here is my forked upstream: https://github.com/spiculator/jail A aggree to be the proxy maintaner for this package.
Created attachment 380460 [details] new app-misc/jail
(In reply to Kristian Fiskerstrand from comment #7) > That sounds good to me, as an extension of that, would you also be willing > to proxy-maintain the package in Gentoo? You can find some information about > that on [0] and additional questions can be asked in e.g #gentoo-dev-help on > IRC (Freenode) New app-misc/jail is attached, please check.
(In reply to Sergey Redin from comment #10) > (In reply to Kristian Fiskerstrand from comment #7) > > That sounds good to me, as an extension of that, would you also be willing > > to proxy-maintain the package in Gentoo? You can find some information about > > that on [0] and additional questions can be asked in e.g #gentoo-dev-help on > > IRC (Freenode) > > New app-misc/jail is attached, please check. Hi. Thanks for uploading the ebuild et al. Just did a quick review, and a few things I noticed: (i) if possible, please use latest EAPI (latest is 5) (ii) KEYWORDS should all be set to ~arch instead of stable for a new ebuild (for arches where it has been slightly tested). (iii) Following (i), emake, einstall,dodoc etc won't need ||die, as this is implied in newer EAPIs (>=4).
Created attachment 380532 [details] try 2
(In reply to Kristian Fiskerstrand from comment #11) > Hi. Thanks for uploading the ebuild et al. Just did a quick review, and a > few things I noticed: > (i) if possible, please use latest EAPI (latest is 5) > (ii) KEYWORDS should all be set to ~arch instead of stable for a new ebuild > (for arches where it has been slightly tested). > (iii) Following (i), emake, einstall,dodoc etc won't need ||die, as this is > implied in newer EAPIs (>=4). Hi, please check again.
Created attachment 380546 [details, diff] patch against jail-2.0.ebuild (In reply to Sergey Redin from comment #13) > Hi, please check again. HI Sergey, the ebuild itself sounds good to me, the attached patch is a slightly modification (not a strong request, but more than a personal taste), combine "cd && blah" into one line.. "einstall -C src" doesn't works, so convert into "emake -C src install". remove the dosed comment, it deprecated. on the other way, if you take over the maintenance, would you consider merge these patches, sed hackings into the source code? instead of let them floating inside ${FILESDIR} or in the ebuild file, which could make the ebuild much more neat and clean. HI Kristian Fiskerstrand, I couldn't find you listed as a Gentoo dev, so likely you can't commit this into portage tree. so if you guys need help, just let me know.. (act as @proxy-maint team). thanks you all
(In reply to Yixun Lan from comment #14) Hi Yixun. > HI Sergey, the ebuild itself sounds good to me, the attached patch is a > slightly modification (not a strong request, but more than a personal > taste), combine "cd && blah" into one line.. "einstall -C src" doesn't > works, so convert into "emake -C src install". remove the dosed comment, it > deprecated. I cannot see how this patch changes anything in the way this ebuild works. This simply changes the coding style. I am OK with these changes, but please note that this bug is about security issue, and I would like to have this security issue fixed first. This bug is open for more than two weeks already, I think it needs to be fixed before merging patches or fixing style. > on the other way, if you take over the maintenance, would you consider merge > these patches, sed hackings into the source code? instead of let them > floating inside ${FILESDIR} or in the ebuild file, which could make the > ebuild much more neat and clean. Yes, I definitely plan to do that in the next release, with some other patches that we already use for jail. > HI Kristian Fiskerstrand, I couldn't find you listed as a Gentoo dev, so > likely you can't commit this into portage tree. so if you guys need help, > just let me know.. (act as @proxy-maint team). Yes, please commit this ebuild. Thank you.
+*jail-2.0 (10 Jul 2014) + + 10 Jul 2014; Yixun Lan <dlan@gentoo.org> +jail-2.0.ebuild, metadata.xml: + bug 514892, version bump, switch to new upstream, fix security issue, thanks + Sergey Redin 1) improve the ebuild/package in the next release definitely ok with me, actually that was exactly I suggested. 2) as this is security bump, you can file stablereq immediately by re-using this bug. Changing keywords to STABLEREQ, and CC arch teams. Notice the ebuild is rather minor changes, so instead of dropping other two keywords (ppc, x86), I re-added them back. please using following format to file stablereq. Arches, please test and mark stable: =app-misc/jail-2.0 Target keywords Both : "amd64 ppc x86" 3) for the live version ebuild, I'd rather leave it out. and keep it in your own overlay is just fine. thanks for contributing..
(In reply to Yixun Lan from comment #16) Thank you! At last it is fixed. I believe jail-1.9-r3.ebuild must be removed. It has unfixed security issue, and it is the only difference with 2.0 in fact.
(In reply to Sergey Redin from comment #17) > (In reply to Yixun Lan from comment #16) > > Thank you! At last it is fixed. > > I believe jail-1.9-r3.ebuild must be removed. It has unfixed > security issue, and it is the only difference with 2.0 in fact. Since 1.9 is stabilized, this is done in the cleanup stage after stabilizing the new package. Arches, please test and mark stable =app-misc/jail-2.0 Target keywords: amd64 ppc x86
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: No
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version. GLSA Vote: No
Cleanup done 25 Aug 2014; Kristian Fiskerstrand <k_f@gentoo.org> -jail-1.9-r3.ebuild: + Cleanup for security bug #514892 as requested by proxy maintainer
