- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u5
- From: Faidon Liambotis <paravoid@debian.org>
- Date: Sat, 30 Dec 2023 01:31:56 +0200
- Message-id: <ZY9W7E4n-Q9C0N4r@tty.gr>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libpod@packages.debian.org, siretart@tauware.de
Control: affects -1 + src:libpod
[ Reason ]
This will address the no-dsa CVE-2022-2989. The vulnerability has been
fixed upstream and has been in bookworm, trixie and sid for a long
time now.
[ Impact ]
In the absence of this patch, podman in bullseye will remain vulnerable to
CVE-2022-2989, as detailed here:
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
[ Changes ]
bullseye has v3.0.1. The original fix was included in v4.3.0, and was:
https://github.com/containers/podman/commit/d82a41687e614d9ac8b2d169dee47fe226835e4c
However, upstream (which is mostly Red Hat) maintains a separate
"v3.0.1-rhel" branch, where they're backporting fixes to RHEL.
The patch included in this upload is lifted directly from that branch,
with no further changes:
https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f
[ Tests ]
Upstream has an extensive test suite, including unit and integration
testing. Some of those tests run as part of the Debian build
process. The fix has presumably been tested by RHEL users as well.
Furthermore, I've verified that the current package is vulnerable, and
the proposed package addresses the vulnerability, by testing both
deb11u4 and deb11u5 with this PoC code:
https://github.com/sjmurdoch/permission-experiment
[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
[ Risks ]
Minimal: upstream has backported and tested this patch themselves, and
versions including this exact patch have been deployed to end (RHEL)
users for over a year now.
[ Other info ]
Thanks,
Faidon
diff -Nru libpod-3.0.1+dfsg1/debian/changelog libpod-3.0.1+dfsg1/debian/changelog
--- libpod-3.0.1+dfsg1/debian/changelog	2023-04-17 01:16:11.000000000 +0300
+++ libpod-3.0.1+dfsg1/debian/changelog	2023-12-29 17:26:49.000000000 +0200
@@ -1,3 +1,12 @@
+libpod (3.0.1+dfsg1-3+deb11u5) bullseye; urgency=medium
+
+  * CVE-2022-2989: Cherry-pick "Add container GID to additional groups" patch
+    from the v3.0.1-rhel upstream branch (itself a backport from v4.3.0), to
+    address an incorrect handling of supplementary groups. (Closes: #1019591)
+  * Add myself to Uploaders.
+
+ -- Faidon Liambotis <paravoid@debian.org>  Fri, 29 Dec 2023 17:26:49 +0200
+
 libpod (3.0.1+dfsg1-3+deb11u4) bullseye; urgency=medium
 
   * Recompile to fix parsing of DBUS_SESSION_BUS_ADDRESS (Closes: #1018816)
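Review bot: the CVE bullet describes the change only by its symptom ("an incorrect handling of supplementary groups"); what the cherry-picked patch actually does, as the updated test expectations `groups=0(root)` / `groups=21(ftp)` later in this debdiff show, is add the container process's primary GID to its supplementary group list, so wording such as "add the container's primary GID to the supplementary groups" would tell a reader of the changelog what behaviour changed. The provenance given here (v3.0.1-rhel branch, itself a backport from v4.3.0) matches the From line of the patch and the upstream commit ids cited in the report.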
diff -Nru libpod-3.0.1+dfsg1/debian/control libpod-3.0.1+dfsg1/debian/control
--- libpod-3.0.1+dfsg1/debian/control	2023-04-17 01:16:11.000000000 +0300
+++ libpod-3.0.1+dfsg1/debian/control	2023-12-29 17:26:49.000000000 +0200
@@ -3,7 +3,10 @@
 Priority: optional
 Standards-Version: 4.5.0
 Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
-Uploaders: Dmitry Smirnov <onlyjob@debian.org>, Reinhard Tartler <siretart@tauware.de>
+Uploaders:
+ Dmitry Smirnov <onlyjob@debian.org>,
+ Reinhard Tartler <siretart@tauware.de>,
+ Faidon Liambotis <paravoid@debian.org>,
 Build-Depends: debhelper-compat (= 12)
     ,bash-completion
     ,conmon
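Review bot: the Uploaders change reflows the existing one-line field into one entry per line with a trailing comma, so the hunk rewrites the two existing entries as well as adding the new one; for a stable update whose debdiff the release team reviews line by line, appending `, Faidon Liambotis <paravoid@debian.org>` to the existing line would keep the diff to the single line that actually changes. Purely cosmetic, and the "Add myself to Uploaders" changelog entry covers it either way.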
diff -Nru libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml
--- libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml	2023-04-17 01:16:11.000000000 +0300
+++ libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml	1970-01-01 02:00:00.000000000 +0200
@@ -1,25 +0,0 @@
----
-# https://docs.gitlab.com/ce/ci/yaml/#include
-include:
-  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
-
-## "amd64-unstable" always runs by default followed by lintian.
-
-## Job to check Build-Depends versioning:
-amd64-testing_unstable:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: testing_unstable
-
-i386-unstable:
-  extends: .build
-  variables:
-    arch: i386
-    dist: unstable
-
-amd64-experimental:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: experimental
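Review bot: this whole-file removal of debian/.gitlab-ci.yml is not mentioned in the changelog, although the checklist in the report asserts that all changes are documented there; either add a bullet for it or explain in the report why the file is absent from the new upload. The deleted file only defined Salsa CI jobs against unstable, testing and experimental, so dropping it has no effect on the bullseye build itself, but the debdiff and the changelog should agree.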
diff -Nru libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
--- libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch	1970-01-01 02:00:00.000000000 +0200
+++ libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch	2023-12-29 17:26:49.000000000 +0200
@@ -0,0 +1,89 @@
+From a256d7188c9db64a00a37798e6a2f0f59b5d798f Mon Sep 17 00:00:00 2001
+From: Matthew Heon <mheon@redhat.com>
+Date: Fri, 2 Sep 2022 13:40:29 -0400
+Subject: [PATCH] Add container GID to additional groups
+
+Mitigates a potential permissions issue. Mirrors Buildah PR #4200
+and CRI-O PR #6159.
+
+Cherry-pick conflicts for v3.0.1-rhel branch have been addressed.
+
+Signed-off-by: Matthew Heon <mheon@redhat.com>
+---
+ libpod/container_internal_linux.go |  1 +
+ pkg/specgen/generate/namespaces.go |  1 +
+ test/e2e/run_test.go               | 14 +++++++++++---
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
+index fb97a4867..48929d8f6 100644
+--- a/libpod/container_internal_linux.go
++++ b/libpod/container_internal_linux.go
+@@ -473,6 +473,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+ 		// User and Group must go together
+ 		g.SetProcessUID(uint32(execUser.Uid))
+ 		g.SetProcessGID(uint32(execUser.Gid))
++		g.AddProcessAdditionalGid(uint32(execUser.Gid))
+ 	}
+ 
+ 	if c.config.Umask != "" {
+diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
+index b87375a92..16f79d868 100644
+--- a/pkg/specgen/generate/namespaces.go
++++ b/pkg/specgen/generate/namespaces.go
+@@ -398,6 +398,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
+ 		}
+ 		g.SetProcessUID(uint32(uid))
+ 		g.SetProcessGID(uint32(gid))
++		g.AddProcessAdditionalGid(uint32(gid))
+ 		fallthrough
+ 	case specgen.Private:
+ 		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index bf122a4c0..deba95b28 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -771,7 +771,7 @@ USER bin`
+ 		session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)"))
++		Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)"))
+ 	})
+ 
+ 	It("podman run with user (integer, in /etc/passwd)", func() {
+@@ -792,14 +792,14 @@ USER bin`
+ 		session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
++		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+ 	})
+ 
+ 	It("podman run with user:group (integer:groupname)", func() {
+ 		session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
++		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+ 	})
+ 
+ 	It("podman run with user, verify caps dropped", func() {
+@@ -810,6 +810,14 @@ USER bin`
+ 		Expect("0000000000000000").To(Equal(capEff[1]))
+ 	})
+ 
++	It("podman run with user, verify group added", func() {
++		session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
++		session.WaitWithDefaultTimeout()
++		Expect(session.ExitCode()).To(Equal(0))
++		groups := strings.Split(session.OutputToString(), " ")[1]
++		Expect("1000").To(Equal(groups))
++	})
++
+ 	It("podman run with attach stdin outputs container ID", func() {
+ 		session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
+ 		session.WaitWithDefaultTimeout()
+-- 
+2.39.2
+
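Review bot: the new patch carries only the git format-patch header (From/Date/Subject) and no DEP-3 `Origin:` or `Bug-Debian:` fields; adding `Origin: backport, https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f` and `Bug-Debian: https://bugs.debian.org/1019591` (the bug the changelog closes) would let the security tracker and future maintainers trace the file to its source without reading this report. Two things to check before upload: the run_test.go hunk introduces a call to `strings.Split` without touching the import block, so the v3.0.1 test file must already import `strings` (if the e2e package is not compiled during the Debian build, a missing import would only surface when someone runs the tests); and the fix lands in two code paths (`generateSpec` in libpod/container_internal_linux.go and `specConfigureNamespaces` in pkg/specgen/generate/namespaces.go), so the runtime check that confirms the backport took effect is the one the new test encodes: `podman run --user=1000:1000` must show `1000` in the `Groups:` line of /proc/self/status, and `id` must now print a `groups=` entry matching the GID.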
diff -Nru libpod-3.0.1+dfsg1/debian/patches/series libpod-3.0.1+dfsg1/debian/patches/series
--- libpod-3.0.1+dfsg1/debian/patches/series	2023-04-17 01:16:11.000000000 +0300
+++ libpod-3.0.1+dfsg1/debian/patches/series	2023-12-29 17:26:49.000000000 +0200
@@ -3,3 +3,4 @@
 systemd-tweaks.patch
 networking-lookup-child-IP-in-networks.patch
 0001-do-not-set-the-inheritable-capabilities.patch
+CVE-2022-2989-Add-container-GID-to-additional-groups.patch