
Bug#991287: marked as done (unblock: containerd/1.4.5~ds1-2)



Your message dated Tue, 20 Jul 2021 07:42:36 +0000
with message-id <E1m5kOi-0001Ub-TE@respighi.debian.org>
and subject line unblock containerd
has caused the Debian Bug report #991287,
regarding unblock: containerd/1.4.5~ds1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991287
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package containerd

[ Reason ]
Backport patch for CVE-2021-32760:
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w

[ Impact ]
If it is blocked, testing keeps shipping a containerd affected by CVE-2021-32760: a crafted archive can use a hard link to a symlink to change the permissions of a file outside the extraction root.

[ Tests ]
Upstream has added a regression test to the patch.

[ Risks ]
Only a one-line change (in archive/tar_unix.go) and a new regression test (in archive/tar_test.go).

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock containerd/1.4.5~ds1-2


diff -Nru containerd-1.4.5~ds1/debian/changelog containerd-1.4.5~ds1/debian/changelog
--- containerd-1.4.5~ds1/debian/changelog	2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/changelog	2021-07-20 02:36:10.000000000 +0800
@@ -1,3 +1,9 @@
+containerd (1.4.5~ds1-2) unstable; urgency=medium
+
+  * Backport patches for CVE-2021-32760
+
+ -- Shengjing Zhu <zhsj@debian.org>  Tue, 20 Jul 2021 02:36:10 +0800
+
 containerd (1.4.5~ds1-1) unstable; urgency=medium
 
   * New upstream patch version v1.4.5
diff -Nru containerd-1.4.5~ds1/debian/gbp.conf containerd-1.4.5~ds1/debian/gbp.conf
--- containerd-1.4.5~ds1/debian/gbp.conf	2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/gbp.conf	2021-07-20 02:36:10.000000000 +0800
@@ -1,4 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 debian-branch = debian/sid
+upstream-branch = upstream/sid
 dist = DEP14
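Review bot: The added `upstream-branch = upstream/sid` line is unrelated to CVE-2021-32760 and is not mentioned in the 1.4.5~ds1-2 changelog entry, although the request's checklist states that all changes are documented there. It is a git-buildpackage setting with no effect on the built binaries, so it is harmless for the unblock, but a freeze upload is expected to carry only the targeted fix; either drop it from this upload or add a changelog line such as `* Set upstream-branch in gbp.conf`.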
diff -Nru containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch
--- containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch	1970-01-01 08:00:00.000000000 +0800
+++ containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch	2021-07-20 02:36:10.000000000 +0800
@@ -0,0 +1,91 @@
+From 03aa748c11663e87a72fab92b7ab7c88c28bf13e Mon Sep 17 00:00:00 2001
+From: Derek McGowan <derek@mcg.dev>
+Date: Tue, 6 Jul 2021 12:37:54 -0700
+Subject: [PATCH 1/2] Use chmod path for checking symlink
+
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+(cherry picked from commit 27597ccfd30d8aa06b448062896bccfb33ad8f22)
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+---
+ archive/tar_unix.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tar_unix.go b/archive/tar_unix.go
+index 6e89d2fdbc9..c22e79bf2be 100644
+--- a/archive/tar_unix.go
++++ b/archive/tar_unix.go
+@@ -113,7 +113,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+ 
+ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+ 	if hdr.Typeflag == tar.TypeLink {
+-		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
++		if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+ 			if err := os.Chmod(path, hdrInfo.Mode()); err != nil && !os.IsNotExist(err) {
+ 				return err
+ 			}
+
+From 664f93ead6c613a9f0e9932dfa75c602dbe35f41 Mon Sep 17 00:00:00 2001
+From: Derek McGowan <derek@mcg.dev>
+Date: Tue, 6 Jul 2021 16:23:03 -0700
+Subject: [PATCH 2/2] Add test for archive breakout test for lchmod
+
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+(cherry picked from commit ad81d76219a75559cb9d74a214efe0d779d7cbef)
+Signed-off-by: Derek McGowan <derek@mcg.dev>
+---
+ archive/tar_test.go | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/archive/tar_test.go b/archive/tar_test.go
+index 568f5a95f1c..8ffd3f221b8 100644
+--- a/archive/tar_test.go
++++ b/archive/tar_test.go
+@@ -243,6 +243,11 @@ func TestBreakouts(t *testing.T) {
+ 		return nil
+ 	}
+ 	errFileDiff := errors.New("files differ")
++	td, err := ioutil.TempDir("", "test-breakouts-")
++	if err != nil {
++		t.Fatal(err)
++	}
++	defer os.RemoveAll(td)
+ 
+ 	isSymlinkFile := func(f string) func(string) error {
+ 		return func(root string) error {
+@@ -744,6 +749,36 @@ func TestBreakouts(t *testing.T) {
+ 			// resolution ends up just removing etc
+ 			validator: fileNotExists("etc/passwd"),
+ 		},
++		{
++
++			name: "HardlinkSymlinkChmod",
++			w: func() tartest.WriterToTar {
++				p := filepath.Join(td, "perm400")
++				if err := ioutil.WriteFile(p, []byte("..."), 0400); err != nil {
++					t.Fatal(err)
++				}
++				ep := filepath.Join(td, "also-exists-outside-root")
++				if err := ioutil.WriteFile(ep, []byte("..."), 0640); err != nil {
++					t.Fatal(err)
++				}
++
++				return tartest.TarAll(
++					tc.Symlink(p, ep),
++					tc.Link(ep, "sketchylink"),
++				)
++			}(),
++			validator: func(string) error {
++				p := filepath.Join(td, "perm400")
++				fi, err := os.Lstat(p)
++				if err != nil {
++					return err
++				}
++				if perm := fi.Mode() & os.ModePerm; perm != 0400 {
++					return errors.Errorf("%s perm changed from 0400 to %04o", p, perm)
++				}
++				return nil
++			},
++		},
+ 	}
+ 
+ 	for _, bo := range breakouts {
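Review bot: The new `os.Lstat(path)` guard followed by `os.Chmod(path, hdrInfo.Mode())` is still a check-then-act pair, and `os.Chmod` follows symlinks, so a symlink placed at `path` between the two calls would again redirect the mode change outside the extraction root; Linux's fchmodat does not honour AT_SYMLINK_NOFOLLOW, so this is the practical form, but the accepted residual race deserves a comment such as `// Lstat the entry itself, not hdr.Linkname (taken from the archive, not anchored to the root): os.Chmod follows symlinks, see CVE-2021-32760.` above the Lstat line. The rest of handleLChmod, including the non-hardlink branch, lies outside this hunk, so whether it carries an equivalent symlink check cannot be confirmed here. The added test uses `errors.Errorf`, which exists in github.com/pkg/errors but not in the standard library `errors`, so the backport presumably only builds if the 1.4.5 tar_test.go already imports that package; running the test suite during the package build would settle that.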
diff -Nru containerd-1.4.5~ds1/debian/patches/series containerd-1.4.5~ds1/debian/patches/series
--- containerd-1.4.5~ds1/debian/patches/series	2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/patches/series	2021-07-20 02:36:10.000000000 +0800
@@ -5,3 +5,4 @@
 0005-backport-github.com-containerd-containerd-remotes.patch
 0006-backport-apparmor-handle-signal-mediation.patch
 0007-backport-runtime-ignore-file-already-closed-error.patch
+0008-CVE-2021-32760.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
