Bug#1034039: marked as done (bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1)



Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1034039,
regarding bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034039: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034039
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libpod@packages.debian.org, siretart@tauware.de
Control: affects -1 + src:libpod

[ Reason ]
This code change picks up code changes in golang-github-containers-psgo
and golang-github-containers-storage to fix CVE-2022-1227. This is reported
as #1020907. This addresses a privilege escalation issue when using
'podman top'. Upstream has more information on this issue at
https://bugzilla.redhat.com/show_bug.cgi?id=2070368

Additionally, another upstream code change is being backported to address
CVE-2022-27649. This is reported as #1020906. This is to address a
capability escalation issue on file descriptors that were not intended
to have inheritable capabilities.

[ Impact ]
Without this update, users remain vulnerable to the issues explained above.

[ Tests ]
I've manually built and installed the built package in a kvm virtual machine
and conducted some basic tests.

[ Risks ]
All patches have been cherry-picked from the branches that Red Hat also
includes in RHEL.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 12a2268bb..dbd215727 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium
+
+  * CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907
+  * CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906
+
+ -- Reinhard Tartler <siretart@tauware.de>  Wed, 05 Apr 2023 21:00:36 -0400
+
 libpod (3.0.1+dfsg1-3+deb11u1) bullseye; urgency=medium
 
   * Rebuild against containers-common to pickup seccomp updates required
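Review bot: the version in this request does not match the upload: the bug is filed for libpod/3.0.1+dfsg1-3+deb11u1, which is the previous stanza shown as context in this hunk, while the new stanza is 3.0.1+dfsg1-3+deb11u2; retitle the request for deb11u2 so the release team tracks the version that will actually be accepted. The stanza also leaves out the Build-Depends bump on golang-github-containers-psgo-dev and golang-github-containers-storage-dev made in the debian/control hunk, although the checklist ticks "*all* changes are documented in the d/changelog"; add a line such as "* Bump Build-Depends on psgo and storage to the bullseye versions carrying the CVE-2022-1227 fix" so the reason for the rebuild is on record.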
diff --git a/debian/control b/debian/control
index 3df797b30..a8834b883 100644
--- a/debian/control
+++ b/debian/control
@@ -21,8 +21,8 @@ Build-Depends: debhelper-compat (= 12)
     ,golang-github-containers-common-dev (>= 0.33.4+ds1-1+deb11u1)
     ,golang-github-containers-image-dev (>= 5.10.2)
     ,golang-github-containers-ocicrypt-dev
-    ,golang-github-containers-psgo-dev
-    ,golang-github-containers-storage-dev (>= 1.24.6)
+    ,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
+    ,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)
     ,golang-github-coreos-bbolt-dev (>= 1.3.3~)
     ,golang-github-coreos-go-iptables-dev (>= 0.4.2~)
     ,golang-github-coreos-go-systemd-dev (>= 20~)
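Review bot: nothing in this debdiff changes libpod's own source for CVE-2022-1227; the fix is expected to arrive solely through the raised constraints `golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)` and `golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)`, which only works because the Go toolchain links those packages into the podman binary at build time. The [Changes] section should say so and confirm that both versions are already accepted in bullseye; if they are not, the build fails on the unsatisfiable constraint, and if the constraint were relaxed to get a build, the binary would silently carry the old vendored code. The old `>= 1.24.6` on storage was satisfied by the unfixed package, so the tightened constraint is the only thing that enforces the rebuild against the fixed one.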
diff --git a/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
new file mode 100644
index 000000000..3d7666b91
--- /dev/null
+++ b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
@@ -0,0 +1,109 @@
+From d2848c44440281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
+From: Andre Moreira Magalhaes <andrunko@gmail.com>
+Date: Mon, 19 Sep 2022 11:03:21 -0300
+Subject: [PATCH] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace.  Emulate the same behavior.
+
+Closes: CVE-2022-27649
+
+(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
+---
+ libpod/oci_conmon_linux.go       | 7 +++++--
+ pkg/specgen/generate/security.go | 7 +++++--
+ test/e2e/run_test.go             | 6 +++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
+index 38ffba7d2..b073feee1 100644
+--- a/libpod/oci_conmon_linux.go
++++ b/libpod/oci_conmon_linux.go
+@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
+ 	} else {
+ 		pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
+ 	}
++
++	// Always unset the inheritable capabilities similarly to what the Linux kernel does
++	// They are used only when using capabilities with uid != 0.
++	pspec.Capabilities.Inheritable = []string{}
++
+ 	if execUser.Uid == 0 {
+ 		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+-		pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ 		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+-		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ 	} else {
+ 		if user == c.config.User {
+ 			pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
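Review bot: the hunk removes more than the commit message says: besides `pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding`, it also deletes `pspec.Capabilities.Ambient = pspec.Capabilities.Bounding` in the uid-0 branch, so `podman exec` as root no longer requests ambient capabilities either. Spell that out in the backport note, or confirm that the deletion is part of upstream 7b368768c2990b9781b2b6813e1c7f91c7e6cb13 as cited, so a later reader does not take it for an accidental drop. The added comment "They are used only when using capabilities with uid != 0" is imprecise: inheritable caps take part in every execve (they are ANDed with the file's inheritable caps) and are a precondition for ambient caps; the accurate statement is that root regains its capabilities from the bounding set on exec anyway, so inheritable only matters for a non-root user with ambient caps.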
+diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
+index fb45d87db..c18f83217 100644
+--- a/pkg/specgen/generate/security.go
++++ b/pkg/specgen/generate/security.go
+@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 
+ 	configSpec := g.Config
+ 	configSpec.Process.Capabilities.Ambient = []string{}
++
++	// Always unset the inheritable capabilities similarly to what the Linux kernel does
++	// They are used only when using capabilities with uid != 0.
++	configSpec.Process.Capabilities.Inheritable = []string{}
+ 	configSpec.Process.Capabilities.Bounding = caplist
+ 
+ 	user := strings.Split(s.User, ":")[0]
+@@ -137,7 +141,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
+ 		configSpec.Process.Capabilities.Effective = caplist
+ 		configSpec.Process.Capabilities.Permitted = caplist
+-		configSpec.Process.Capabilities.Inheritable = caplist
+ 	} else {
+ 		userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ 		if err != nil {
+@@ -145,12 +148,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 		}
+ 		configSpec.Process.Capabilities.Effective = userCaps
+ 		configSpec.Process.Capabilities.Permitted = userCaps
+-		configSpec.Process.Capabilities.Inheritable = userCaps
+ 
+ 		// Ambient capabilities were added to Linux 4.3.  Set ambient
+ 		// capabilities only when the kernel supports them.
+ 		if supportAmbientCapabilities() {
+ 			configSpec.Process.Capabilities.Ambient = userCaps
++			configSpec.Process.Capabilities.Inheritable = userCaps
+ 		}
+ 	}
+ 
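Review bot: moving `configSpec.Process.Capabilities.Inheritable = userCaps` inside the `supportAmbientCapabilities()` guard is the right ordering, because the kernel only allows a capability into the ambient set when it is in both the permitted and the inheritable set; clearing Inheritable while still assigning Ambient would make the runtime's PR_CAP_AMBIENT_RAISE fail at container start. The existing comment ("Ambient capabilities were added to Linux 4.3. Set ambient capabilities only when the kernel supports them.") should be extended to say that Inheritable is set in the same branch for that reason, and to record the behaviour change on kernels without ambient support: a non-root user with --cap-add now gets CapInh 0 where it previously got userCaps, which is harmless because inheritable caps without ambient caps grant nothing across execve unless the target binary carries file capabilities.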
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index bff3995df..17fea3b99 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -383,7 +383,7 @@ var _ = Describe("Podman run", func() {
+ 		session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
++		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ 
+ 		session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+@@ -418,7 +418,7 @@ var _ = Describe("Podman run", func() {
+ 		session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
++		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ 
+ 		if os.Geteuid() > 0 {
+ 			if os.Getenv("SKIP_USERNS") != "" {
+@@ -435,7 +435,7 @@ var _ = Describe("Podman run", func() {
+ 			session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ 			session.WaitWithDefaultTimeout()
+ 			Expect(session.ExitCode()).To(Equal(0))
+-			Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
++			Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
+ 
+ 			session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ 			session.WaitWithDefaultTimeout()
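Review bot: the new expected CapInh of `0000000000000002` (CAP_DAC_OVERRIDE only) for the `--userns=keep-id --privileged` run is not derivable from the Go hunks in this patch, which only change where Inheritable is assigned and never add DAC_OVERRIDE anywhere; confirm against the cited upstream commit that this test line belongs to the backport rather than to a different upstream test change. Also confirm that the e2e suite runs during the Debian build at all (debian/patches/series already carries test--skip-TestPostDeleteHooks.patch, so tests are at least partly disabled); if run_test.go is not executed, the [Tests] section should state that the CapInh values were checked by hand in the kvm VM, for example with `podman run --rm --user root alpine grep CapInh /proc/self/status`.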
+-- 
+2.37.2
+
diff --git a/debian/patches/series b/debian/patches/series
index d1470bd5c..38f2e9ff7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ test--skip-TestPostDeleteHooks.patch
 rm-containers-mounts-5.patch
 systemd-tweaks.patch
 networking-lookup-child-IP-in-networks.patch
+0001-do-not-set-the-inheritable-capabilities.patch

--- End Message ---
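A way to check on a running system the behaviour this patch changes, as an added example that is not part of the bug report or of podman's own code: it parses the Uid and Cap* lines of /proc/<pid>/status (the same lines the e2e tests grep), decodes the hex masks into capability names, and flags the two conditions the patch revolves around: a root container process that still carries inheritable capabilities (the pre-fix state, CapInh 00000000a80425fb in the tests) and an ambient set not covered by permitted and inheritable, which the kernel refuses. The status texts are constructed, not captured, and the type and function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// CapSets is one process's capability state as /proc/<pid>/status reports
// it: the real uid plus the five capability sets, each a 64-bit hex mask.
type CapSets struct {
	Uid                                                  uint64
	Inheritable, Permitted, Effective, Bounding, Ambient uint64
}

// capNames maps capability bit numbers (linux/capability.h) to names.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
	"CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE",
	"CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT",
	"CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME",
	"CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
	"CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// Constructed /proc/self/status excerpts (not captured from a real host).
// The hex values are the ones the patched e2e tests assert on.
const (
	// root inside a container before the fix: the default cap set sits in CapInh.
	statusRootBefore = "Name:\tgrep\nUid:\t0\t0\t0\t0\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
	// the same process after the fix: CapInh cleared.
	statusRootAfter = "Uid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
	// keep-id user with --cap-add=DAC_OVERRIDE: ambient is backed by inheritable.
	statusKeepID = "Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000002\nCapPrm:\t0000000000000002\nCapEff:\t0000000000000002\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000002\n"
	// the state a spec that clears Inheritable but keeps Ambient asks for; the
	// kernel refuses it at container start, so a spec-side check must flag it.
	statusBadAmbient = "Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000002\nCapEff:\t0000000000000002\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000002\n"
)

// ParseProcStatus extracts Uid and the five Cap* lines from status text and
// fails if any of them is missing, so a truncated file is never "clean".
func ParseProcStatus(status string) (CapSets, error) {
	var c CapSets
	dst := map[string]*uint64{"CapInh": &c.Inheritable, "CapPrm": &c.Permitted,
		"CapEff": &c.Effective, "CapBnd": &c.Bounding, "CapAmb": &c.Ambient}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 {
			continue
		}
		key, fields := parts[0], strings.Fields(parts[1])
		p, ok, base := dst[key], true, 16
		if key == "Uid" {
			p, base = &c.Uid, 10 // first column is the real uid
		} else {
			p, ok = dst[key]
		}
		if !ok || len(fields) == 0 {
			continue
		}
		v, err := strconv.ParseUint(fields[0], base, 64)
		if err != nil {
			return c, fmt.Errorf("%s: %w", key, err)
		}
		*p, seen[key] = v, true
	}
	if len(seen) != 6 {
		return c, fmt.Errorf("status incomplete: got %d of 6 required lines", len(seen))
	}
	return c, sc.Err()
}

// Names decodes a mask into capability names; bits above the table are
// reported by number so nothing is silently dropped.
func Names(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return out
}

// Audit returns one finding per violated rule (empty means clean):
//   - ambient caps must be a subset of permitted AND inheritable, the kernel
//     rule that forces the patch to assign Inheritable together with Ambient;
//   - a root (uid 0) process should carry no inheritable caps, which is what
//     the patched e2e tests assert with CapInh == 0.
func Audit(c CapSets) []string {
	var findings []string
	if stray := c.Ambient &^ (c.Permitted & c.Inheritable); stray != 0 {
		findings = append(findings, "ambient caps outside permitted&inheritable: "+strings.Join(Names(stray), ","))
	}
	if c.Uid == 0 && c.Inheritable != 0 {
		findings = append(findings, "root process carries inheritable caps (pre-fix behaviour): "+strings.Join(Names(c.Inheritable), ","))
	}
	return findings
}

func main() {
	samples := [][2]string{{"root-before", statusRootBefore}, {"root-after", statusRootAfter},
		{"keep-id", statusKeepID}, {"bad-ambient", statusBadAmbient}}
	for _, s := range samples {
		c, err := ParseProcStatus(s[1])
		if err != nil {
			fmt.Printf("%-12s parse error: %v\n", s[0], err)
			continue
		}
		fmt.Printf("%-12s CapInh=%v findings=%v\n", s[0], Names(c.Inheritable), Audit(c))
	}
}
```

On a real host, feed it the contents of /proc/<pid>/status for a container process (for example via `podman top` or by reading the file from inside the container); the pre-fix root container produces the "carries inheritable caps" finding and the patched one produces none.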
--- Begin Message ---
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
