Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: containerd@packages.debian.org, zhsj@debian.org
Control: affects -1 + src:containerd
[ Reason ]
Backport patch for CVE-2022-23471.
https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9
> A bug was found in containerd's CRI implementation where a user can exhaust
> memory on the host.
[ Impact ]
[ Tests ]
No new test is added, but the patch is simple and easy to review.
It is taken from upstream 1.5 release branch without modification.
[ Risks ]
Code is trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
See attachment
[ Other info ]
No
diff -Nru containerd-1.4.13~ds1/debian/changelog containerd-1.4.13~ds1/debian/changelog
--- containerd-1.4.13~ds1/debian/changelog 2022-06-07 03:07:20.000000000 +0800
+++ containerd-1.4.13~ds1/debian/changelog 2022-12-08 10:24:34.000000000 +0800
@@ -1,3 +1,9 @@
+containerd (1.4.13~ds1-1~deb11u3) bullseye; urgency=medium
+
+ * CVE-2022-23471: CRI plugin: Fix goroutine leak during Exec
+
+ -- Shengjing Zhu <zhsj@debian.org> Thu, 08 Dec 2022 10:24:34 +0800
+
containerd (1.4.13~ds1-1~deb11u2) bullseye-security; urgency=high
* CVE-2022-31030: CRI plugin: Host memory exhaustion through ExecSync
diff -Nru containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch
--- containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch 1970-01-01 08:00:00.000000000 +0800
+++ containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch 2022-12-08 10:24:34.000000000 +0800
@@ -0,0 +1,56 @@
+From: Danny Canter <danny@dcantah.dev>
+Date: Mon, 28 Nov 2022 14:45:34 -0800
+Subject: CVE-2022-23471
+
+Origin: backport, https://github.com/containerd/containerd/commit/6cd11527
+---
+ .../cri/pkg/streaming/remotecommand/httpstream.go | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go b/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
+index 0417a1a..9177fa7 100644
+--- a/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
++++ b/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
+@@ -33,6 +33,7 @@ limitations under the License.
+ package remotecommand
+
+ import (
++ gocontext "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+@@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp
+
+ if ctx.resizeStream != nil {
+ ctx.resizeChan = make(chan remotecommand.TerminalSize)
+- go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
++ go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
+ }
+
+ return ctx, true
+@@ -425,7 +426,7 @@ WaitForStreams:
+ // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
+ func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }
+
+-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
++func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+ defer runtime.HandleCrash()
+ defer close(channel)
+
+@@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
+ if err := decoder.Decode(&size); err != nil {
+ break
+ }
+- channel <- size
++
++ select {
++ case channel <- size:
++ case <-ctx.Done():
++ // To avoid leaking this routine, exit if the http request finishes. This path
++ // would generally be hit if starting the process fails and nothing is started to
++ // ingest these resize events.
++ return
++ }
+ }
+ }
+
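Review bot: The new `select` only makes handleResizeEvents cancellable while it is blocked on `channel <- size`; a goroutine parked inside `decoder.Decode(&size)` never observes `ctx.Done()` and still exits only when `stream` returns an error, so the leak is closed on the assumption that the resize stream is torn down when the request ends — whether that happens is not visible in this hunk. That assumption should be stated on the function, which also has no doc comment: `// handleResizeEvents forwards terminal resize events decoded from stream to channel until stream returns an error or ctx is done; it relies on stream being closed once the request finishes.` The `for` loop and the `decoder` declaration lie between the two hunks, and the caller passes `req.Context()`, so the exit path presumably fires when the HTTP request completes or the client disconnects, which is inferred from net/http semantics rather than shown here.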
diff -Nru containerd-1.4.13~ds1/debian/patches/series containerd-1.4.13~ds1/debian/patches/series
--- containerd-1.4.13~ds1/debian/patches/series 2022-06-07 03:07:20.000000000 +0800
+++ containerd-1.4.13~ds1/debian/patches/series 2022-12-08 10:24:34.000000000 +0800
@@ -8,3 +8,4 @@
0008-Add-RPi1-RPi0-workaround.patch
0009-CVE-2022-31030.patch
0010-CVE-2022-24769.patch
+0011-CVE-2022-23471.patch