Bug#988802: unblock: runc/1.0.0~rc93+ds1-4
On Thu, May 20, 2021 at 2:33 AM Shengjing Zhu <zhsj@debian.org> wrote:
>
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: zhsj@debian.org
>
> Please unblock package runc
>
> [ Reason ]
> Fix CVE-2021-30465
> https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
>
> [ Impact ]
> The package can migrate itself (it has an autopkgtest and is not a key package),
> but I'd like to reduce the age.
>
> [ Tests ]
> I have done some basic tests, but I'm not sure how to trigger the security
> issue, so I can't verify whether it's really fixed.
>
> [ Risks ]
> The patch provided by upstream can't be applied cleanly to the version we have
> in sid. So I looked at the changes and backported another two PRs, which makes the
> diff a bit large.
>
After I uploaded -4, I found that upstream has provided a patchset
for runc/1.0.0~rc93, but only on the oss-security list:
https://www.openwall.com/lists/oss-security/2021/05/19/2
So the patches I made in -4 are replaced by the upstream ones.
$ cat debian/patches/CVE-2021-30465/*|diffstat
 b/libcontainer/container_linux.go  |   7 +--
 b/libcontainer/init_linux.go       |   1
 b/libcontainer/rootfs_linux.go     |  42 +++++++++++-------
 b/libcontainer/specconv/example.go |  18 +++----
 b/libcontainer/utils/utils.go      |  54 +++++++++++++++++++++++
 b/libcontainer/utils/utils_test.go |  35 +++++++++++++++
 libcontainer/container_linux.go    |   4 +
 libcontainer/rootfs_linux.go       | 289 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------------
 8 files changed, 283 insertions(+), 167 deletions(-)
The changes are almost the same as in -4.
Please unblock runc/1.0.0~rc93+ds1-5