
Bug#1027257: bullseye-pu: package golang-github-containers-storage/1.24.8+dfsg1-2~deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-containers-storage@packages.debian.org, siretart@tauware.de, siretart@gmail.com, Vignesh Raman vignesh.raman@collabora.com
Control: affects -1 + src:golang-github-containers-storage


[ Reason ]
In order to fix CVE-2022-1227, an update to golang-github-containers-psgo
is needed, more specifically, https://github.com/containers/psgo/pull/92

That patch introduces a dependency on golang-github-containers-storage, and uses
the helper functions RawTo{Container,Host} which are introduced with this patch.

[ Impact ]

[ Tests ]
No new tests are added. The patch was taken from upstream and required
little modification to apply.

[ Risks ]
The code change adds a helper function that isn't used otherwise yet.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 837efeeb1..640a90134 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-containers-storage (1.24.8+dfsg1-2~deb11u1) bullseye; urgency=medium
+
+  [ Vignesh Raman ]
+  * prereq to fix CVE-2022-1227: pkg: idtools: export RawTo{Container,Host}
+
+ -- Reinhard Tartler <siretart@tauware.de>  Wed, 28 Dec 2022 21:39:17 -0500
+
 golang-github-containers-storage (1.24.8+dfsg1-1) unstable; urgency=medium

   * New upstream release, focused on targetted bugfixes for podman 3.0
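Review bot: the new version 1.24.8+dfsg1-2~deb11u1 is a backport-style (~deb11u1) revision of a -2 that this changelog does not show; the preceding entry is 1.24.8+dfsg1-1 in unstable. Unless a 1.24.8+dfsg1-2 really exists in unstable, the usual form for a stable update is the stable version with +deb11u1 appended, i.e. 1.24.8+dfsg1-1+deb11u1, which sorts above the bullseye -1 and below any future -2.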
diff --git a/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch b/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
new file mode 100644
index 000000000..d00cbd0e9
--- /dev/null
+++ b/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
@@ -0,0 +1,111 @@
+From 3da85a122411a57b5a65dc243ae56f89d7fd2564 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Wed, 12 Jan 2022 12:56:56 +1100
+Subject: [PATCH 1/4] pkg: idtools: export RawTo{Container,Host}
+
+While the IDMapping methods are preferable for most users, sometimes it
+is necessary to map a single ID using a given mapping. In particular
+this is needed for psgo to be able to map the user and group entries in
+/proc/$pid/status using the user namespace of the target process.
+
+Required to resolve CVE-2022-1227.
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Backported-by: Valentin Rothberg <vrothberg@redhat.com>
+---
+ pkg/idtools/idtools.go | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/pkg/idtools/idtools.go b/pkg/idtools/idtools.go
+index 83bc8c34f..d3d56066e 100644
+--- a/pkg/idtools/idtools.go
++++ b/pkg/idtools/idtools.go
+@@ -82,7 +82,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ 	if len(uidMap) == 1 && uidMap[0].Size == 1 {
+ 		uid = uidMap[0].HostID
+ 	} else {
+-		uid, err = toHost(0, uidMap)
++		uid, err = RawToHost(0, uidMap)
+ 		if err != nil {
+ 			return -1, -1, err
+ 		}
+@@ -90,7 +90,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ 	if len(gidMap) == 1 && gidMap[0].Size == 1 {
+ 		gid = gidMap[0].HostID
+ 	} else {
+-		gid, err = toHost(0, gidMap)
++		gid, err = RawToHost(0, gidMap)
+ 		if err != nil {
+ 			return -1, -1, err
+ 		}
+@@ -98,10 +98,14 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ 	return uid, gid, nil
+ }
+
+-// toContainer takes an id mapping, and uses it to translate a
+-// host ID to the remapped ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id
+-func toContainer(hostID int, idMap []IDMap) (int, error) {
++// RawToContainer takes an id mapping, and uses it to translate a host ID to
++// the remapped ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID against
++// the correct mapping.
++func RawToContainer(hostID int, idMap []IDMap) (int, error) {
+ 	if idMap == nil {
+ 		return hostID, nil
+ 	}
+@@ -114,10 +118,14 @@ func toContainer(hostID int, idMap []IDMap) (int, error) {
+ 	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
+ }
+
+-// toHost takes an id mapping and a remapped ID, and translates the
+-// ID to the mapped host ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id #
+-func toHost(contID int, idMap []IDMap) (int, error) {
++// RawToHost takes an id mapping and a remapped ID, and translates the ID to
++// the mapped host ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID against
++// the correct mapping.
++func RawToHost(contID int, idMap []IDMap) (int, error) {
+ 	if idMap == nil {
+ 		return contID, nil
+ 	}
+@@ -188,25 +196,25 @@ func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) {
+ 	target := i.RootPair()
+
+ 	if pair.UID != target.UID {
+-		target.UID, err = toHost(pair.UID, i.uids)
++		target.UID, err = RawToHost(pair.UID, i.uids)
+ 		if err != nil {
+ 			return target, err
+ 		}
+ 	}
+
+ 	if pair.GID != target.GID {
+-		target.GID, err = toHost(pair.GID, i.gids)
++		target.GID, err = RawToHost(pair.GID, i.gids)
+ 	}
+ 	return target, err
+ }
+
+ // ToContainer returns the container UID and GID for the host uid and gid
+ func (i *IDMappings) ToContainer(pair IDPair) (int, int, error) {
+-	uid, err := toContainer(pair.UID, i.uids)
++	uid, err := RawToContainer(pair.UID, i.uids)
+ 	if err != nil {
+ 		return -1, -1, err
+ 	}
+-	gid, err := toContainer(pair.GID, i.gids)
++	gid, err := RawToContainer(pair.GID, i.gids)
+ 	return uid, gid, err
+ }
+
+--
+2.30.2
+
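Review bot: the diffstat lists only pkg/idtools/idtools.go, so please confirm that no other file in the package (platform-specific idtools files, tests) still calls the unexported toHost/toContainer, otherwise the rename breaks the build; within the visible hunks all three callers (GetRootUIDGID, IDMappings.ToHost, IDMappings.ToContainer) are updated. Two documentation points: the Subject line keeps the upstream series tag "[PATCH 1/4]", which suggests three further patches this update does not carry (the psgo side is filed separately per the report), so either drop the tag or state in the description that 1/4 is the only part needed in containers/storage; and since the "Backported-by:" trailer shows this is not the verbatim upstream commit, a DEP-3 line such as "Origin: backport, <upstream commit 3da85a122411a57b5a65dc243ae56f89d7fd2564>" would make the provenance explicit for the next updater.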
diff --git a/debian/patches/series b/debian/patches/series
index d802103b9..51bc5bf6b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 test.patch
+0001-pkg-idtools-export-RawTo-Container-Host.patch


[ Other info ]
The actual code change to fix CVE-2022-1227 will require a code-change
to the golang-github-containers-psgo package, for which I'll file a separate
unlock request.
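The RawTo{Container,Host} helpers this update exports, reimplemented as an added example (not code from the Debian package or from the upstream containers/storage project) to show how a single ID is translated through a /proc/$pid/uid_map-style mapping, which is the psgo use case named in the patch description; the IDMap field name ContainerID, the parser and the error text are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// IDMap mirrors the struct the patch works on (HostID and Size appear in the diff; ContainerID is assumed).
type IDMap struct{ ContainerID, HostID, Size int }

// parseIDMap reads the /proc/$pid/uid_map or gid_map format: "<container-start> <host-start> <length>" per line.
func parseIDMap(text string) ([]IDMap, error) {
	var out []IDMap
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var m IDMap
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.ContainerID, &m.HostID, &m.Size); err != nil {
			return nil, fmt.Errorf("bad id_map line %q: %w", line, err)
		}
		out = append(out, m)
	}
	return out, nil
}

// mapID walks the ranges in either direction; a nil map is the identity and an unmapped ID is an error, as in the patch.
func mapID(id int, idMap []IDMap, toHost bool) (int, error) {
	if idMap == nil {
		return id, nil
	}
	for _, m := range idMap {
		from, to := m.HostID, m.ContainerID
		if toHost {
			from, to = m.ContainerID, m.HostID
		}
		if id >= from && id < from+m.Size {
			return to + (id - from), nil
		}
	}
	return -1, fmt.Errorf("ID %d is outside every mapped range", id)
}

// RawToHost maps a container-side ID to the host ID; RawToContainer is the inverse.
func RawToHost(contID int, idMap []IDMap) (int, error)      { return mapID(contID, idMap, true) }
func RawToContainer(hostID int, idMap []IDMap) (int, error) { return mapID(hostID, idMap, false) }

func main() {
	idMap, _ := parseIDMap("0 1000 1\n1 100000 65536\n") // constructed rootless-style uid_map
	h, _ := RawToHost(1001, idMap)                       // 101000
	_, err := RawToContainer(5, idMap)                   // host uid 5 lies outside every range
	fmt.Println(h, err)
}
```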

