On Tue, Jun 14, 2022 at 5:54 AM Emilio Pozuelo Monfort <
pochu@debian.org> wrote:
On 13/06/2022 19:12, Adam D. Barratt wrote:
> On Mon, 2022-06-13 at 10:55 +0800, Shengjing Zhu wrote:
>> X-Debbugs-CC: siretart@debian.org, team@security.debian.org
>>
>> Hi,
>>
>> On Sun, Jun 12, 2022 at 05:33:48PM -0400, Reinhard Tartler wrote:
>>> diff -Nru runc-1.0.0~rc93+ds1/debian/changelog runc-
>>> 1.0.0~rc93+ds1/debian/changelog
>>> --- runc-1.0.0~rc93+ds1/debian/changelog 2022-06-12
>>> 14:49:36.000000000 -0400
>>> +++ runc-1.0.0~rc93+ds1/debian/changelog 2021-05-19
>>> 14:46:14.000000000 -0400
>>> @@ -1,10 +1,3 @@
>>> -runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium
>>> -
>>> - * Team upload.
>>> - * backport upstream patch: Honor seccomp defaultErrnoRet,
>>> Closes: #1012030
>>> -
>>> - -- Reinhard Tartler <siretart@tauware.de> Sun, 12 Jun 2022
>>> 14:49:36 -0400
>>> -
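Review bot: the changelog hunk is reversed: the `---` side carries the 2022-06-12 file and the `+++` side the 2021-05-19 one, so the new `runc (1.0.0~rc93+ds1-5+deb11u1)` entry shows up as `-` lines. Regenerate the debdiff with the old package as the first argument (`debdiff old.dsc new.dsc`) so the entry reads as an addition; the entry itself currently lists only the seccomp defaultErrnoRet backport (Closes: #1012030), so it needs a further line for the CVE if that patch is folded into the same upload.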
>>
>> Could you include the patch for CVE-2022-29162?
>>
>> https://security-tracker.debian.org/tracker/CVE-2022-29162
>>
>> If you don't have time, I can work on this later in this week.
>
> The Security Tracker says it's not fixed in unstable - is that correct?
> If so, that needs addressing first before it can be considered for p-u.
The tracker is corrected now, the issue was fixed in 1.1.2.
Thanks, I've tested the new runc and concluded it works fine. The effective (additional) security patch reads:
--- a/exec.go
+++ b/exec.go
@@ -193,7 +193,6 @@
if caps := context.StringSlice("cap"); len(caps) > 0 {
for _, c := range caps {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
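Review bot: with the Inheritable append gone, the loop still appends every `--cap` entry to `p.Capabilities.Ambient` on the last line of the hunk. The kernel only accepts PR_CAP_AMBIENT_RAISE for a capability that is in both the permitted and the inheritable set of the calling thread, so confirm that the libcontainer capability code still gets the ambient set raised for an exec'd process now that the process config carries no inheritable set, and that a failure there surfaces as an error instead of being swallowed. A test that reads CapInh and CapAmb from the exec'd process's /proc/<pid>/status after `runc exec --cap` would pin down both behaviours.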
--- a/libcontainer/README.md
+++ b/libcontainer/README.md
@@ -92,22 +92,6 @@
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
Permitted: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
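Review bot: the README's example config loses its Inheritable list but nothing in the surrounding text says why. Add a sentence next to the example stating that the inheritable set is intentionally left empty, so that a binary with file capabilities inside the container cannot promote them into its permitted set on execve(2), and that configs which still populate Inheritable should drop it; without that, readers diffing the example against their own config.json will treat the missing block as an omission and add it back.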
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -412,7 +412,6 @@
pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
- pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
err = container.Run(&pconfig)
ok(t, err)
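Review bot: the test still only checks that `container.Run(&pconfig)` succeeds; nothing asserts the property this patch fixes. After `ok(t, err)` read the `CapInh:` line of the process's /proc/<pid>/status (or have the process print it) and fail if it is non-zero, otherwise the inheritable-set regression could come back without a test noticing. Separately, the three remaining appends write into slices owned by `config.Capabilities`, so if one of those slices has spare capacity the append mutates the shared backing array; copy first, e.g. `append([]string(nil), config.Capabilities.Bounding...)`.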
@@ -1593,7 +1592,6 @@
pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
- pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
err = container.Run(pconfig2)
stdinR2.Close()
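Review bot: this hunk removes the Inheritable append but leaves the test's assertions untouched; CAP_SYS_ADMIN is now in bounding, permitted and effective and in neither inheritable nor ambient, which is exactly the shape the fix leaves real `exec --cap` processes in. Add the positive check here (CapEff contains CAP_SYS_ADMIN, CapInh is zero) so that the two exec tests together cover both the grant and the absence of inheritance.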
--- a/libcontainer/integration/template_test.go
+++ b/libcontainer/integration/template_test.go
@@ -69,22 +69,6 @@
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
Ambient: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
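Review bot: the capability list in this test template is a hand-maintained copy of the ones in libcontainer/README.md and libcontainer/specconv/example.go, and this patch has to edit each copy in lockstep. Have the template build its capability sets from the specconv example (or a shared helper) rather than carrying its own copy, so the next change to the default sets cannot leave the integration tests exercising a different configuration from the one `runc spec` generates.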
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -41,11 +41,6 @@
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
- Inheritable: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
Ambient: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
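Review bot: this is the config.json that `runc spec` emits, so dropping the Inheritable block is a visible behaviour change for anyone who generates a fresh spec. Call it out in the release notes or the Debian changelog entry alongside the CVE-2022-29162 fix, and state there that the Ambient list immediately below is intentionally kept, since readers comparing old and new specs will ask whether Ambient still takes effect without Inheritable.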
Full updated debdiff attached to this email.
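To verify the effect of the exec.go change from inside a container, the following is an added example (not runc's code and not part of this thread): it parses the `Cap*` lines of `/proc/<pid>/status` and reports what the inheritable set contains. The capability-name table follows `linux/capability.h`; the two status fragments are constructed, using the mask of the 14-capability default list shown in the README hunk, and are not captured from a real system.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// capNames is indexed by capability bit number as in linux/capability.h
// (CAP_CHOWN = 0 through CAP_CHECKPOINT_RESTORE = 40).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// CapSets holds the five capability masks reported in /proc/<pid>/status.
type CapSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// ParseStatus extracts the Cap* lines (hex masks) from a status document.
func ParseStatus(r io.Reader) (CapSets, error) {
	var cs CapSets
	fields := map[string]*uint64{
		"CapInh": &cs.Inh, "CapPrm": &cs.Prm, "CapEff": &cs.Eff,
		"CapBnd": &cs.Bnd, "CapAmb": &cs.Amb,
	}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 {
			continue
		}
		dst, ok := fields[parts[0]]
		if !ok {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(parts[1]), 16, 64)
		if err != nil {
			return cs, fmt.Errorf("%s: %w", parts[0], err)
		}
		*dst = v
	}
	return cs, sc.Err()
}

// Names expands a capability mask into capability names, lowest bit first.
func Names(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if (mask>>uint(bit))&1 == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, "CAP_"+strconv.Itoa(bit)) // newer than this table
		}
	}
	return out
}

// InheritableLeak lists the capabilities a process carries in its
// inheritable set; for a fixed `runc exec --cap` process this is empty.
func InheritableLeak(cs CapSets) []string {
	return Names(cs.Inh)
}

// Constructed sample fragments (not captured from a real system). The mask
// a80425fb is the 14-capability default list from the README hunk; before
// the fix that list also appears in CapInh.
const StatusBeforeFix = "Name:\tsh\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

const StatusAfterFix = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

// main inspects the live process; run it inside the container, for example
// as the command given to `runc exec --cap CAP_NET_ADMIN <container-id>`.
func main() {
	f, err := os.Open("/proc/self/status")
	if err != nil {
		fmt.Println("cannot read /proc/self/status:", err)
		return
	}
	defer f.Close()
	cs, err := ParseStatus(f)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("CapEff:", Names(cs.Eff))
	if leak := InheritableLeak(cs); len(leak) > 0 {
		fmt.Println("inheritable set non-empty (pre-fix exec --cap behaviour):", leak)
	} else {
		fmt.Println("inheritable set is empty")
	}
}
```

Running the binary under the old package should print the 14 default capabilities as inheritable; under the patched package the inheritable set is empty while CapEff still carries the requested capabilities, which is the observable difference the exec.go hunk makes.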