Fix security issue with lxc-user-nic and OpenVswitch networks #4678
Merged
Some variable names were a bit confusing in find_line and cull_entries. Rename and document, and fix the flows using these.

It's possible that a more maintainable approach, long term, would be to break these up differently: have one function create a neat in memory data structure representing the files, and have the paths currently using find_line and cull_entries peek into the data structures. But I think this is pretty clear.

This fixes CVE-2026-39402

Signed-off-by: Serge E. Hallyn <serge@hallyn.com>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Signed-off-by: Serge E. Hallyn <serge@hallyn.com>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
DreamConnected pushed a commit to DreamConnected/lxc that referenced this pull request on May 1, 2026
Fix security issue with lxc-user-nic and OpenVswitch networks
shr-project pushed a commit to shr-project/meta-virtualization that referenced this pull request on Jun 10, 2026
Apply the nearest upstream fix commit from stable-5.0 [1] for the lxc-user-nic OVS port deletion authorization bypass, aligned with the original fix in v7.0.0 [2] as referenced in PR [4].

Ubuntu specific test commit [3] from PR [4] is omitted because it is specific to a host environment. It assumes an Ubuntu host, installs openvswitch-switch with apt-get, creates local users, edits /etc/lxc/lxc-usernet and /run/lxc/nics, and manipulates OVS bridges. That is not suitable for inclusion as a Yocto runtime CVE patch without separate ptest adaptation.

[1] lxc/lxc@db25752
[2] lxc/lxc@7c43483
[3] lxc/lxc@14754e0
[4] lxc/lxc#4678

References:
https://security-tracker.debian.org/tracker/CVE-2026-39402
https://nvd.nist.gov/vuln/detail/CVE-2026-39402

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
No description provided.