This fixes three security issues related to file templates:
- The template target path could be made to be relative or gothrough
symlinks in a way that could lead to arbitrary write to the host
filesystem.
- The template directory could be relative, allowing for arbitrary read
from the host filesystem.
- The template file itself could be made relative, allowing for
arbitrary reads from the host filesystem.
In the case of the template target path, the new logic makes use of the
kernel's openat2 system call which brings a variety of flags that can be
used to restrict path resolution and detect potential issues.
For the template path itself, we now validate that it is a simple local
file and that the template directory isn't a symlink.
This fixes CVE-2026-23954
Reported-by: Rory McNamara <rory.mcnamara@snyk.io>
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
This commit fixes the fact that `LinkByName` reported a link not found
error when run on a veth pair whose other end is in a container.
Signed-off-by: Benjamin Somers <benjamin.somers@imt-atlantique.fr>
This fixes a bug where modifying an updatable configuration key (for
example, `limits.read`) while the device (for example a disk) is
detached could lead the update function to ask QEMU to perform
operations on a device it doesn't know.
Signed-off-by: Benjamin Somers <benjamin.somers@imt-atlantique.fr>
Up until now, the SOA format returned by the internal DNS server
used the zone's name for the primary dns server field, and either
the first dns.nameservers entry or hostmaster.{.zone} for the contact
address.
Instead, use the first entry in dns.nameservers for the master dns
server if set, and adjust the contact address accordingly.
Old SOA entry (no dns.nameserver set):
incus.example.com. 3600 IN SOA incus.example.com. hostmaster.incus.example.com. 1769025229 120 60 86400 30
Old SOA entry (with dns.nameserver set):
incus.example.com. 3600 IN SOA incus.example.com. ns1.example.com. 1769025229 120 60 86400 30
New SOA entry (no dns.nameserver set):
incus.example.com. 3600 IN SOA incus.example.com. hostmaster.incus.example.com. 1769025229 120 60 86400 30
New SOA entry (with dns.nameserver set):
incus.example.com. 3600 IN SOA ns1.example.com. hostmaster.ns1.example.com. 1769025229 120 60 86400 30
Signed-off-by: Dan McGregor <danmcgr@protonmail.com>
`source` is a shortcut for the `linstor.resource_group.name` option and is actively used in lxc/incus-deploy, but not
documented yet.
Signed-off-by: Tim Beermann <tibeer@berryit.de>
LXC doesn't currently have a syntax to hold a multi-line environment
variable in its configuration. The use of multi-line environment
variables leads to a corrupted configuration file and to a security
issue where additional lines may be added by an unprivileged user to
escalate their privileges.
This fixes CVE-2026-23953.
Reported-by: Rory McNamara <rory.mcnamara@snyk.io>
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
