
Bug#1027257: marked as done (bullseye-pu: package golang-github-containers-storage/1.24.8+dfsg1-2~deb11u1)



Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1027257,
regarding bullseye-pu: package golang-github-containers-storage/1.24.8+dfsg1-2~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1027257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027257
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: golang-github-containers-storage@packages.debian.org, siretart@tauware.de, siretart@gmail.com, Vignesh Raman vignesh.raman@collabora.com
Control: affects -1 + src:golang-github-containers-storage


[ Reason ]
In order to fix CVE-2022-1227, an update to golang-github-containers-psgo
is needed, more specifically, https://github.com/containers/psgo/pull/92

That patch introduces a dependency on golang-github-containers-storage, and uses
the helper functions RawTo{Container,Host} which are introduced with this patch.

[ Impact ]

[ Tests ]
No new tests are added. The patch was taken from upstream and required
little modification to apply.

[ Risks ]
The code change adds a helper function that isn't used otherwise yet.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 837efeeb1..640a90134 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-containers-storage (1.24.8+dfsg1-2~deb11u1) bullseye; urgency=medium
+
+  [ Vignesh Raman ]
+  * prereq to fix CVE-2022-1227: pkg: idtools: export RawTo{Container,Host}
+
+ -- Reinhard Tartler <siretart@tauware.de>  Wed, 28 Dec 2022 21:39:17 -0500
+
 golang-github-containers-storage (1.24.8+dfsg1-1) unstable; urgency=medium

   * New upstream release, focused on targetted bugfixes for podman 3.0
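Review bot: the new changelog entry `+  * prereq to fix CVE-2022-1227: pkg: idtools: export RawTo{Container,Host}` records what changed but not where it came from, while the patch file below identifies itself as upstream commit 3da85a122411a57b5a65dc243ae56f89d7fd2564, `[PATCH 1/4]` of a four-patch series, backported by Valentin Rothberg. Naming that commit in the entry (for instance "backport of upstream 3da85a1") would let whoever later picks up the remaining patches of the series, or the psgo update mentioned under [ Other info ], see at a glance what is already in bullseye.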
diff --git a/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch b/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
new file mode 100644
index 000000000..d00cbd0e9
--- /dev/null
+++ b/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
@@ -0,0 +1,111 @@
+From 3da85a122411a57b5a65dc243ae56f89d7fd2564 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Wed, 12 Jan 2022 12:56:56 +1100
+Subject: [PATCH 1/4] pkg: idtools: export RawTo{Container,Host}
+
+While the IDMapping methods are preferable for most users, sometimes it
+is necessary to map a single ID using a given mapping. In particular
+this is needed for psgo to be able to map the user and group entries in
+/proc/$pid/status using the user namespace of the target process.
+
+Required to resolve CVE-2022-1227.
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Backported-by: Valentin Rothberg <vrothberg@redhat.com>
+---
+ pkg/idtools/idtools.go | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/pkg/idtools/idtools.go b/pkg/idtools/idtools.go
+index 83bc8c34f..d3d56066e 100644
+--- a/pkg/idtools/idtools.go
++++ b/pkg/idtools/idtools.go
+@@ -82,7 +82,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ 	if len(uidMap) == 1 && uidMap[0].Size == 1 {
+ 		uid = uidMap[0].HostID
+ 	} else {
+-		uid, err = toHost(0, uidMap)
++		uid, err = RawToHost(0, uidMap)
+ 		if err != nil {
+ 			return -1, -1, err
+ 		}
+@@ -90,7 +90,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ 	if len(gidMap) == 1 && gidMap[0].Size == 1 {
+ 		gid = gidMap[0].HostID
+ 	} else {
+-		gid, err = toHost(0, gidMap)
++		gid, err = RawToHost(0, gidMap)
+ 		if err != nil {
+ 			return -1, -1, err
+ 		}
+@@ -98,10 +98,14 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ 	return uid, gid, nil
+ }
+
+-// toContainer takes an id mapping, and uses it to translate a
+-// host ID to the remapped ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id
+-func toContainer(hostID int, idMap []IDMap) (int, error) {
++// RawToContainer takes an id mapping, and uses it to translate a host ID to
++// the remapped ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID against
++// the correct mapping.
++func RawToContainer(hostID int, idMap []IDMap) (int, error) {
+ 	if idMap == nil {
+ 		return hostID, nil
+ 	}
+@@ -114,10 +118,14 @@ func toContainer(hostID int, idMap []IDMap) (int, error) {
+ 	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
+ }
+
+-// toHost takes an id mapping and a remapped ID, and translates the
+-// ID to the mapped host ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id #
+-func toHost(contID int, idMap []IDMap) (int, error) {
++// RawToHost takes an id mapping and a remapped ID, and translates the ID to
++// the mapped host ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID against
++// the correct mapping.
++func RawToHost(contID int, idMap []IDMap) (int, error) {
+ 	if idMap == nil {
+ 		return contID, nil
+ 	}
+@@ -188,25 +196,25 @@ func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) {
+ 	target := i.RootPair()
+
+ 	if pair.UID != target.UID {
+-		target.UID, err = toHost(pair.UID, i.uids)
++		target.UID, err = RawToHost(pair.UID, i.uids)
+ 		if err != nil {
+ 			return target, err
+ 		}
+ 	}
+
+ 	if pair.GID != target.GID {
+-		target.GID, err = toHost(pair.GID, i.gids)
++		target.GID, err = RawToHost(pair.GID, i.gids)
+ 	}
+ 	return target, err
+ }
+
+ // ToContainer returns the container UID and GID for the host uid and gid
+ func (i *IDMappings) ToContainer(pair IDPair) (int, int, error) {
+-	uid, err := toContainer(pair.UID, i.uids)
++	uid, err := RawToContainer(pair.UID, i.uids)
+ 	if err != nil {
+ 		return -1, -1, err
+ 	}
+-	gid, err := toContainer(pair.GID, i.gids)
++	gid, err := RawToContainer(pair.GID, i.gids)
+ 	return uid, gid, err
+ }
+
+--
+2.30.2
+
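Review bot: this hunk deletes the unexported `toHost`/`toContainer` names outright rather than keeping them as wrappers, and the diffstat `pkg/idtools/idtools.go | 36 ++++++++++++++++++++++--------------` / `1 file changed` shows nothing else in `pkg/idtools` was touched, so any other file in that package (including a `_test.go`) still calling the old names would fail to compile; the [ Tests ] section mentions no build, so it is worth stating that the package's own tests were built with the patch applied. One contract point for the new exported callers: both `RawToContainer` and `RawToHost` return the input unchanged when `idMap == nil` (`+ 	if idMap == nil {` / `+ 		return hostID, nil`) and only error when the ID lies outside every range, so a caller that ends up holding a nil slice because the target's mapping could not be read would silently get an identity translation instead of an error; the psgo side should distinguish "no mapping configured" from "mapping unavailable" before handing a nil slice to these helpers.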
diff --git a/debian/patches/series b/debian/patches/series
index d802103b9..51bc5bf6b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 test.patch
+0001-pkg-idtools-export-RawTo-Container-Host.patch


[ Other info ]
The actual code change to fix CVE-2022-1227 will require a code-change
to the golang-github-containers-psgo package, for which I'll file a separate
unlock request.

--- End Message ---
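As an added illustration, not code from the containers/storage package or from this bug report, the ID translation that the [ Reason ] section relies on, written in Go from the doc comments visible in the patch: a parser for the `/proc/<pid>/uid_map` text format plus `RawToHost`/`RawToContainer` with the documented nil-map identity behaviour and the error path for an ID that no range covers. The `ContainerID` field name and the loop bodies are my reconstruction; only `HostID`, `Size` and the nil-map contract appear in the patch.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// IDMap is one range of a user-namespace ID mapping: Size consecutive IDs
// starting at ContainerID inside the namespace are backed by Size consecutive
// host IDs starting at HostID. HostID and Size are visible in the patch; the
// ContainerID field name is an assumption of this example.
type IDMap struct {
	ContainerID int
	HostID      int
	Size        int
}

// ParseIDMap parses the /proc/<pid>/uid_map or gid_map format: one
// "<id inside ns> <id outside ns> <count>" triple per line. A malformed map
// is reported as an error, never silently turned into an identity mapping.
func ParseIDMap(text string) ([]IDMap, error) {
	var out []IDMap
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed id_map line %q", sc.Text())
		}
		var n [3]int
		for i, f := range fields {
			v, err := strconv.Atoi(f)
			if err != nil || v < 0 {
				return nil, fmt.Errorf("bad value %q in id_map line %q", f, sc.Text())
			}
			n[i] = v
		}
		out = append(out, IDMap{ContainerID: n[0], HostID: n[1], Size: n[2]})
	}
	return out, nil
}

// RawToHost translates one in-namespace ID to the host ID that backs it.
// A nil map is the identity mapping, as the patch's doc comment states;
// an ID outside every range has no host identity and is an error.
func RawToHost(contID int, idMap []IDMap) (int, error) {
	if idMap == nil {
		return contID, nil
	}
	for _, m := range idMap {
		if contID >= m.ContainerID && contID < m.ContainerID+m.Size {
			return m.HostID + (contID - m.ContainerID), nil
		}
	}
	return -1, fmt.Errorf("Container ID %d cannot be mapped to a host ID", contID)
}

// RawToContainer is the inverse: a host ID to the ID the namespace sees.
// A host ID outside every range is what the namespace shows as the overflow
// ID (nobody), so callers must handle the error rather than substitute a guess.
func RawToContainer(hostID int, idMap []IDMap) (int, error) {
	if idMap == nil {
		return hostID, nil
	}
	for _, m := range idMap {
		if hostID >= m.HostID && hostID < m.HostID+m.Size {
			return m.ContainerID + (hostID - m.HostID), nil
		}
	}
	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
}

func main() {
	// Constructed uid_map of a rootless-style namespace: container uid 0 is
	// host uid 100000 and container uids 1..65535 follow contiguously.
	m, err := ParseIDMap("         0     100000      65536\n")
	if err != nil {
		panic(err)
	}
	// A process the host sees as uid 100001 is uid 1 inside the namespace.
	c, err := RawToContainer(100001, m)
	fmt.Println("host 100001 ->", c, err)
	// Host uid 1000 is not mapped at all, so the lookup must fail loudly.
	_, err = RawToContainer(1000, m)
	fmt.Println("host 1000 ->", err)
	// The reverse direction, as GetRootUIDGID in the patch uses it.
	h, err := RawToHost(0, m)
	fmt.Println("container 0 ->", h, err)
}
```

The parser deliberately returns an error rather than an empty slice on bad input: because the helpers treat a nil map as identity, a caller that swallowed a parse failure and passed nil on would report host IDs as if they were container IDs.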
--- Begin Message ---
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
