[Secure-testing-team] Bug#691376: schroot: session recovery mounts $device, not $mount-device, for LVM snapshots
Roger Leigh
rleigh at debian.org
Wed Oct 24 21:23:27 UTC 2012
Package: schroot
Version: 1.6.3-1
Severity: serious
Tags: security
Justification: Security violation and potential for dataloss
Originally reported here:
https://bugs.launchpad.net/ubuntu/+source/schroot/+bug/1070008
When --recover-session is called on a session using an LVM snapshot, it
remounts using the original LV rather than the snapshot LV.
This is due to this check failing:
sbuild::chroot_block_device_base::set_device():

    /// @todo: This may not be appropriate for derived classes such as
    /// lvm_snapshot, since re-setting the device could overwrite the
    /// mount device.
    chroot_facet_mountable::ptr pmnt
      (get_facet<chroot_facet_mountable>());
#ifdef SBUILD_FEATURE_LVMSNAP
    if (!dynamic_cast<chroot_lvm_snapshot *>(this))
#endif
      pmnt->set_mount_device(this->device);
This is due to the use of dynamic_cast<> in this method. This is
not in itself wrong, but because this method is called from the
constructor, the dynamic_cast<> returns null due to the vptr not
yet having any knowledge of the derived class--it will work fine
once the base class is constructed.
This was already commented in several places to refactor to clean
this up, but the presence of this issue will require this to be
done immediately.
I've tagged this security due to the potential for a user to access
the original source chroot. However, the scope is relatively
limited since the filesystem permissions will prevent them from
doing anything they should not (unless you granted them root
access, in which case they already had the ability to do this).
Regards,
Roger
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32.33-kvm-i386-20111128-dirty (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages schroot depends on:
ii libboost-filesystem1.49.0 1.49.0-3.1
ii libboost-iostreams1.49.0 1.49.0-3.1
ii libboost-program-options1.49.0 1.49.0-3.1
ii libboost-regex1.49.0 1.49.0-3.1
ii libboost-system1.49.0 1.49.0-3.1
ii libc6 2.13-35
ii libgcc1 1:4.7.1-7
ii liblockdev1 1.0.3-1.5
ii libpam0g 1.1.3-7.1
ii libstdc++6 4.7.1-7
ii libuuid1 2.20.1-5.2
ii schroot-common 1.6.3-1
schroot recommends no packages.
Versions of packages schroot suggests:
pn aufs-modules | unionfs-modules <none>
pn btrfs-tools <none>
ii debootstrap 1.0.42
pn lvm2 <none>
pn qemu-user-static <none>
-- Configuration Files:
/etc/schroot/schroot.conf changed [not included]
-- no debconf information
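
The construction-time dynamic_cast<> behaviour described in the report, shown as an added example that is not part of the original message or of schroot's code. Session, BlockDevice, LvmSnapshot, the recover_* helpers and the device paths are a constructed simplification, not schroot's classes.

```cpp
#include <iostream>
#include <string>

// Constructed model of a saved session: origin LV plus the snapshot LV to mount.
struct Session { std::string device, mount_device; };

class BlockDevice {
public:
    // in_ctor=true mirrors the reported pattern: the setter runs during base construction.
    BlockDevice(const Session& s, bool in_ctor) : mount_device_(s.mount_device) {
        if (in_ctor) set_device(s.device);
    }
    virtual ~BlockDevice() = default;
    void set_device(const std::string& dev);
    const std::string& mount_device() const { return mount_device_; }
private:
    std::string device_, mount_device_;
};

class LvmSnapshot : public BlockDevice {
public:
    LvmSnapshot(const Session& s, bool in_ctor) : BlockDevice(s, in_ctor) {}
};

void BlockDevice::set_device(const std::string& dev) {
    device_ = dev;
    // While BlockDevice's constructor runs, the dynamic type of *this is
    // BlockDevice, so this cast yields nullptr even for an LvmSnapshot in progress.
    if (!dynamic_cast<LvmSnapshot*>(this))
        mount_device_ = dev;
}

// Reported pattern: the guard is evaluated during base construction.
std::string recover_in_ctor(const Session& s) {
    LvmSnapshot c(s, true);
    return c.mount_device();
}
// Alternative ordering: finish construction first, then apply the setting.
std::string recover_after_ctor(const Session& s) {
    LvmSnapshot c(s, false);
    c.set_device(s.device);
    return c.mount_device();
}

int main() {
    Session s{"/dev/vg/origin", "/dev/vg/snap"};  // constructed sample paths
    std::cout << recover_in_ctor(s) << "\n" << recover_after_ctor(s) << "\n";
}
```

The first helper returns the origin LV because the guard sees only the base type; the second keeps the snapshot LV because the cast succeeds on the fully constructed object.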