
Bug#991287: unblock: containerd/1.4.5~ds1-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package containerd

[ Reason ]
Backport patch for CVE-2021-32760:
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w

[ Impact ]
If it's blocked, the package in testing ships with a known security issue (CVE-2021-32760).

[ Tests ]
Upstream has added a regression test to the patch.

[ Risks ]
Only a one-line code change (in archive/tar_unix.go), plus a new regression test (in archive/tar_test.go).

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock containerd/1.4.5~ds1-2


diff -Nru containerd-1.4.5~ds1/debian/changelog containerd-1.4.5~ds1/debian/changelog
--- containerd-1.4.5~ds1/debian/changelog	2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/changelog	2021-07-20 02:36:10.000000000 +0800
@@ -1,3 +1,9 @@
+containerd (1.4.5~ds1-2) unstable; urgency=medium
+
+  * Backport patches for CVE-2021-32760
+
+ -- Shengjing Zhu <zhsj@debian.org>  Tue, 20 Jul 2021 02:36:10 +0800
+
 containerd (1.4.5~ds1-1) unstable; urgency=medium
 
   * New upstream patch version v1.4.5
diff -Nru containerd-1.4.5~ds1/debian/gbp.conf containerd-1.4.5~ds1/debian/gbp.conf
--- containerd-1.4.5~ds1/debian/gbp.conf	2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/gbp.conf	2021-07-20 02:36:10.000000000 +0800
@@ -1,4 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 debian-branch = debian/sid
+upstream-branch = upstream/sid
 dist = DEP14
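Review bot: The added `upstream-branch = upstream/sid` line is git-buildpackage workflow metadata unrelated to CVE-2021-32760, and the request's Risks section describes only the archive/ changes, so the debdiff scope is wider than stated. It does not affect the built binaries as far as I can tell from this hunk, but the unblock text should list it so the release team sees everything the debdiff touches.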
diff -Nru containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch
--- containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch	1970-01-01 08:00:00.000000000 +0800
+++ containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch	2021-07-20 02:36:10.000000000 +0800
@@ -0,0 +1,91 @@
+From 03aa748c11663e87a72fab92b7ab7c88c28bf13e Mon Sep 17 00:00:00 2001
+From: Derek McGowan <derek@mcg.dev>
+Date: Tue, 6 Jul 2021 12:37:54 -0700
+Subject: [PATCH 1/2] Use chmod path for checking symlink
+
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+(cherry picked from commit 27597ccfd30d8aa06b448062896bccfb33ad8f22)
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+---
+ archive/tar_unix.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tar_unix.go b/archive/tar_unix.go
+index 6e89d2fdbc9..c22e79bf2be 100644
+--- a/archive/tar_unix.go
++++ b/archive/tar_unix.go
+@@ -113,7 +113,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+ 
+ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+ 	if hdr.Typeflag == tar.TypeLink {
+-		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
++		if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+ 			if err := os.Chmod(path, hdrInfo.Mode()); err != nil && !os.IsNotExist(err) {
+ 				return err
+ 			}
+
+From 664f93ead6c613a9f0e9932dfa75c602dbe35f41 Mon Sep 17 00:00:00 2001
+From: Derek McGowan <derek@mcg.dev>
+Date: Tue, 6 Jul 2021 16:23:03 -0700
+Subject: [PATCH 2/2] Add test for archive breakout test for lchmod
+
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+(cherry picked from commit ad81d76219a75559cb9d74a214efe0d779d7cbef)
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+---
+ archive/tar_test.go | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/archive/tar_test.go b/archive/tar_test.go
+index 568f5a95f1c..8ffd3f221b8 100644
+--- a/archive/tar_test.go
++++ b/archive/tar_test.go
+@@ -243,6 +243,11 @@ func TestBreakouts(t *testing.T) {
+ 		return nil
+ 	}
+ 	errFileDiff := errors.New("files differ")
++	td, err := ioutil.TempDir("", "test-breakouts-")
++	if err != nil {
++		t.Fatal(err)
++	}
++	defer os.RemoveAll(td)
+ 
+ 	isSymlinkFile := func(f string) func(string) error {
+ 		return func(root string) error {
+@@ -744,6 +749,36 @@ func TestBreakouts(t *testing.T) {
+ 			// resolution ends up just removing etc
+ 			validator: fileNotExists("etc/passwd"),
+ 		},
++		{
++
++			name: "HardlinkSymlinkChmod",
++			w: func() tartest.WriterToTar {
++				p := filepath.Join(td, "perm400")
++				if err := ioutil.WriteFile(p, []byte("..."), 0400); err != nil {
++					t.Fatal(err)
++				}
++				ep := filepath.Join(td, "also-exists-outside-root")
++				if err := ioutil.WriteFile(ep, []byte("..."), 0640); err != nil {
++					t.Fatal(err)
++				}
++
++				return tartest.TarAll(
++					tc.Symlink(p, ep),
++					tc.Link(ep, "sketchylink"),
++				)
++			}(),
++			validator: func(string) error {
++				p := filepath.Join(td, "perm400")
++				fi, err := os.Lstat(p)
++				if err != nil {
++					return err
++				}
++				if perm := fi.Mode() & os.ModePerm; perm != 0400 {
++					return errors.Errorf("%s perm changed from 0400 to %04o", p, perm)
++				}
++				return nil
++			},
++		},
+ 	}
+ 
+ 	for _, bo := range breakouts {
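Review bot: The new `os.Lstat(path)` on the changed line in handleLChmod fixes the hard-link-to-symlink case (the old `os.Lstat(hdr.Linkname)` inspected the raw tar link name rather than the extracted entry, so a link entry that is itself a symlink was never noticed), but the check is still an Lstat on `path` followed by a symlink-following `os.Chmod(path, ...)`, which is not atomic. That window presumably only matters if something else can replace `path` between the two calls during extraction, which I assume is not reachable for a containerd-controlled extraction root; a comment stating that assumption would help the next reader. The reason for stat'ing `path` instead of `hdr.Linkname` is not obvious from a one-line change, so I would add above the Lstat: `// Lstat the extracted entry, not hdr.Linkname: a hard link to a symlink is itself a symlink, and os.Chmod would follow it outside the root (CVE-2021-32760).` handleLChmod's body continues past the end of the first embedded hunk.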
diff -Nru containerd-1.4.5~ds1/debian/patches/series containerd-1.4.5~ds1/debian/patches/series
--- containerd-1.4.5~ds1/debian/patches/series	2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/patches/series	2021-07-20 02:36:10.000000000 +0800
@@ -5,3 +5,4 @@
 0005-backport-github.com-containerd-containerd-remotes.patch
 0006-backport-apparmor-handle-signal-mediation.patch
 0007-backport-runtime-ignore-file-already-closed-error.patch
+0008-CVE-2021-32760.patch

