
Bug#1025754: bullseye-pu: package containerd/1.4.13~ds1-1~deb11u3



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: containerd@packages.debian.org, zhsj@debian.org
Control: affects -1 + src:containerd

[ Reason ]

Backport patch for CVE-2022-23471.

https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9

> A bug was found in containerd's CRI implementation where a user can exhaust
> memory on the host.

[ Impact ]


[ Tests ]

No new test is added, but the patch is simple and easy to review.
It is taken from the upstream 1.5 release branch without modification.

[ Risks ]

Code is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

See attachment

[ Other info ]

No
diff -Nru containerd-1.4.13~ds1/debian/changelog containerd-1.4.13~ds1/debian/changelog
--- containerd-1.4.13~ds1/debian/changelog	2022-06-07 03:07:20.000000000 +0800
+++ containerd-1.4.13~ds1/debian/changelog	2022-12-08 10:24:34.000000000 +0800
@@ -1,3 +1,9 @@
+containerd (1.4.13~ds1-1~deb11u3) bullseye; urgency=medium
+
+  * CVE-2022-23471: CRI plugin: Fix goroutine leak during Exec
+
+ -- Shengjing Zhu <zhsj@debian.org>  Thu, 08 Dec 2022 10:24:34 +0800
+
 containerd (1.4.13~ds1-1~deb11u2) bullseye-security; urgency=high
 
   * CVE-2022-31030: CRI plugin: Host memory exhaustion through ExecSync
diff -Nru containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch
--- containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch	1970-01-01 08:00:00.000000000 +0800
+++ containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch	2022-12-08 10:24:34.000000000 +0800
@@ -0,0 +1,56 @@
+From: Danny Canter <danny@dcantah.dev>
+Date: Mon, 28 Nov 2022 14:45:34 -0800
+Subject: CVE-2022-23471
+
+Origin: backport, https://github.com/containerd/containerd/commit/6cd11527
+---
+ .../cri/pkg/streaming/remotecommand/httpstream.go         | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go b/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
+index 0417a1a..9177fa7 100644
+--- a/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
++++ b/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
+@@ -33,6 +33,7 @@ limitations under the License.
+ package remotecommand
+ 
+ import (
++	gocontext "context"
+ 	"encoding/json"
+ 	"errors"
+ 	"fmt"
+@@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp
+ 
+ 	if ctx.resizeStream != nil {
+ 		ctx.resizeChan = make(chan remotecommand.TerminalSize)
+-		go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
++		go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
+ 	}
+ 
+ 	return ctx, true
+@@ -425,7 +426,7 @@ WaitForStreams:
+ // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
+ func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }
+ 
+-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
++func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+ 	defer runtime.HandleCrash()
+ 	defer close(channel)
+ 
+@@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
+ 		if err := decoder.Decode(&size); err != nil {
+ 			break
+ 		}
+-		channel <- size
++
++		select {
++		case channel <- size:
++		case <-ctx.Done():
++			// To avoid leaking this routine, exit if the http request finishes. This path
++			// would generally be hit if starting the process fails and nothing is started to
++			// ingest these resize events.
++			return
++		}
+ 	}
+ }
+ 
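Review bot: The new `select` in handleResizeEvents guards only the channel send; `decoder.Decode(&size)` just above it is still a blocking read that ctx cannot interrupt, so a goroutine parked there presumably exits only once the resize stream is closed at the end of the request, which is not visible in this patch. The function also gains a ctx parameter without a doc comment, so I would state the contract, e.g. `// handleResizeEvents forwards decoded terminal sizes to channel until decoding fails or ctx is done; it closes channel on return.` The request says no test was added; a small regression test that writes one resize event, never reads from the channel, cancels the context and asserts that the function returns would pin the fix for CVE-2022-23471. Both createStreams and handleResizeEvents extend beyond the embedded hunks, so the decoder setup and the loop header were not reviewed here.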
diff -Nru containerd-1.4.13~ds1/debian/patches/series containerd-1.4.13~ds1/debian/patches/series
--- containerd-1.4.13~ds1/debian/patches/series	2022-06-07 03:07:20.000000000 +0800
+++ containerd-1.4.13~ds1/debian/patches/series	2022-12-08 10:24:34.000000000 +0800
@@ -8,3 +8,4 @@
 0008-Add-RPi1-RPi0-workaround.patch
 0009-CVE-2022-31030.patch
 0010-CVE-2022-24769.patch
+0011-CVE-2022-23471.patch
