From baef1ad739f09d31fed77679f93083abbe1a806c Mon Sep 17 00:00:00 2001
From: Gunesh Shanbhag <17478096+gshanbhag525@users.noreply.github.com>
Date: Thu, 30 Jan 2025 18:37:31 +0530
Subject: [PATCH] Improve GHSA-x9qq-236j-gj97

---
 .../GHSA-x9qq-236j-gj97.json                  | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/advisories/github-reviewed/2023/12/GHSA-x9qq-236j-gj97/GHSA-x9qq-236j-gj97.json b/advisories/github-reviewed/2023/12/GHSA-x9qq-236j-gj97/GHSA-x9qq-236j-gj97.json
index 9b4a4f1d07d50..95020e949a2ca 100644
--- a/advisories/github-reviewed/2023/12/GHSA-x9qq-236j-gj97/GHSA-x9qq-236j-gj97.json
+++ b/advisories/github-reviewed/2023/12/GHSA-x9qq-236j-gj97/GHSA-x9qq-236j-gj97.json
@@ -1,12 +1,16 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x9qq-236j-gj97",
-  "modified": "2024-03-05T15:26:23Z",
+  "modified": "2024-03-05T15:26:24Z",
   "published": "2023-12-05T23:32:58Z",
-  "aliases": [],
+  "aliases": [
+
+  ],
   "summary": "Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true",
   "details": "### Summary\n\nIf a user has restricted access to a project that is configured with `restricted=true`, they can gain root access on the system by creating a disk device with `shift=true` and creating a setuid root executable. This is possible because the `shift` property is not restricted unless `restricted.devices.disk.paths` is set.\n\n### Details\n\nThe following patch shows the offending code with a possible fix:\n```patch\n--- a/lxd/device/disk.go\n+++ b/lxd/device/disk.go\n@@ -429,17 +429,19 @@ func (d *disk) validateEnvironmentSourcePath() error {\n        if instProject.Name != api.ProjectDefaultName {\n                // If restricted disk paths are in force, then check the disk's source is allowed, and record the\n                // allowed parent path for later user during device start up sequence.\n-               if shared.IsTrue(instProject.Config[\"restricted\"]) && instProject.Config[\"restricted.devices.disk.paths\"] != \"\" {\n-                       allowed, restrictedParentSourcePath := project.CheckRestrictedDevicesDiskPaths(instProject.Config, d.config[\"source\"])\n-                       if !allowed {\n-                               return fmt.Errorf(\"Disk source path %q not allowed by project for disk %q\", d.config[\"source\"], d.name)\n+               if shared.IsTrue(instProject.Config[\"restricted\"]) {\n+                       if instProject.Config[\"restricted.devices.disk.paths\"] != \"\" {\n+                               allowed, restrictedParentSourcePath := project.CheckRestrictedDevicesDiskPaths(instProject.Config, d.config[\"source\"])\n+                               if !allowed {\n+                                       return fmt.Errorf(\"Disk source path %q not allowed by project for disk %q\", d.config[\"source\"], d.name)\n+                               }\n+\n+                               d.restrictedParentSourcePath = shared.HostPath(restrictedParentSourcePath)\n                        }\n\n                        if shared.IsTrue(d.config[\"shift\"]) {\n                                return fmt.Errorf(`The \"shift\" property cannot be used with a restricted source path`)\n                        }\n-\n-                       d.restrictedParentSourcePath = shared.HostPath(restrictedParentSourcePath)\n                }\n        }\n```\n\n### PoC\n\n```bash\n$ lxc project create restricted -c restricted=true -c restricted.devices.disk=allow\n$ lxc project switch restricted\n$ lxc profile device add default root disk path=/ pool=default\n$ lxc init ubuntu:22.04 c1\n$ lxc config device add c1 d1 disk source=/ path=/mnt shift=true\n$ lxc start c1  # no error\n\n$ lxc project set restricted restricted.devices.disk.paths=/  # explicitly allow mounting /\n$ lxc restart c1\nError: Failed to start device \"d1\": The \"shift\" property cannot be used with a restricted source path\n```\n\nCreated https://github.com/canonical/lxd/issues/12606 to improve the documentation as per https://github.com/canonical/lxd/security/advisories/GHSA-x9qq-236j-gj97#advisory-comment-91918",
-  "severity": [],
+  "severity": [
+
+  ],
   "affected": [
     {
       "package": {
@@ -18,16 +22,16 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "5.19"
+              "introduced": "0.0.0-20231019094722-ff5926c3b519"
             },
             {
-              "fixed": "5.20"
+              "fixed": "= 0.0.0-20231212113931-6b2c9592e968"
             }
           ]
         }
       ],
       "versions": [
-        "5.19"
+        "0.0.0-20231019094722-ff5926c3b519"
       ]
     }
   ],
@@ -50,7 +54,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+
+    ],
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2023-12-05T23:32:58Z",