Bug#1072248: bullseye-pu: package runc/1.0.0~rc93+ds1-5+deb11u4
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: runc@packages.debian.org
Control: affects -1 + src:runc
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
This proposed update fixes all the outstanding CVEs in runc that have already
been fixed in Buster, Bookworm, and Trixie/Sid. The affected CVEs are:
- - CVE-2021-43784
- - CVE-2023-25809
- - CVE-2023-27561/CVE-2023-28642
This upload also fixes the autopkgtest runs by fixing the location of the
busybox tarball and a test that is not compatible with modern kernels. I'm
actually wondering why this hasn't been caught by the last upload to b-pu.
This upload is in preparation for the upcoming start of Bullseye-LTS and to fix
CVEs in Bullseye that have already been fixed in Buster
(https://lists.debian.org/debian-lts/2024/04/msg00113.html).
[ Impact ]
Systems will be vulnerable against the discovered issues in the listed CVEs.
[ Tests ]
Both, build-time tests and autopkgtests cover the code. For CVE-2023-25809 and
CVE-2023-27561/CVE-2023-28642, tests added by upstream are part of the patches.
[ Risks ]
The worst case would be that regressions or bugs might be introduced. However,
no regressions have been detected yet. And all tests have been successful.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* d/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch: Updated.
- Fixed download URLs again.
* d/patches/CVE-2021-43784.patch: Added to fix CVE-2021-43784.
- When writing netlink messages, it is possible to have a byte array larger
than UINT16_MAX which would result in the length field overflowing and
allowing user-controlled data to be parsed as control characters (such as
creating custom mount points, changing which set of namespaces to allow,
and so on).
* d/patches/0027-Fix-test-for-newer-kernels.patch: Added.
- Fix test for newer kernels.
* d/patches/CVE-2023-25809.patch: Added to fix CVE-2023-25809.
- It was found that rootless runc makes `/sys/fs/cgroup` writable under
specific conditions. A container may then gain the write access to
user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
* d/patches/CVE-2023-27561-and-CVE-2023-28642: Added to fix CVE-2023-27561
and CVE-2023-27561.
- It was found that the fix for CVE-2021-30465 introduced a regression in
regards to CVE-2019-19921 which results in an incorrect access control
leading to privilege escalation and bypassing apparmor.
[ Other info ]
n/a
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmZZBsQACgkQS80FZ8KW
0F0GhRAAp11w2HCzkMQ020IDMcOKs9JrN5BlWc4HXm9CfAFv1WpiiGHbTfUt+mBZ
T3QqiGuEIOP7hKdp5YegUXJutKVoDumK5E+CGzA11HqzxpMhEG+Lh+oVQr9sBzMA
lwpXRDwZ77gw034xVhDZMLoPKzO5rwA/oy7Am1fHcxtyqEQkFV1bFOShIzog2L4+
U93xM+ixp6rQJsOb0bY9K+h+xP21RczdZu4WqBZ4e447cI0V5CniI72fcp9mjEt9
IRTLyWB0AlbziqSX1nkMevVdoKZSOk5Z9O4izpV/g1v0RLI9Hrbip3RE9Ve6Kl8p
a1JtjYm/01uMD8HrMUowuRiHvKkd4Or2Z6QyT5kboWMQg6M15BRfWrjrsD3/DUJJ
WGnj78VuoPVWIYrrPD3fOn58xXtMm4HY+CdxFHZDMPgnIXTtEkErGqjiW61O5C6S
73i7HFQB9YCdHHkb4lhkcb1nN3B1Cy35Ez+CzQ3aZ4XjNaq9Yr5s3DvztEyzU1j0
c0K/Ds0k01aKIQm5J7bXeJDHyL3KRv9IgLp25pA+TKv/QgESZ8AEaUu6LaOaETwg
Vo93R1zyg0PlMJhriIJX2dtjNjKA5X3WSb/ClZvqtODB6kfBAb27dnjivObK66N8
kFWsaSs5aRzXsL8qlWyDjT7Al6jYY+5yTGqscZStGjS6DMWKa+0=
=HO6L
-----END PGP SIGNATURE-----
diff -Nru runc-1.0.0~rc93+ds1/debian/changelog runc-1.0.0~rc93+ds1/debian/changelog
--- runc-1.0.0~rc93+ds1/debian/changelog 2024-02-02 16:14:13.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/changelog 2024-05-31 00:39:22.000000000 +0200
@@ -1,3 +1,28 @@
+runc (1.0.0~rc93+ds1-5+deb11u4) bullseye; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * d/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch: Updated.
+ - Fixed download URLs again.
+ * d/patches/CVE-2021-43784.patch: Added to fix CVE-2021-43784.
+ - When writing netlink messages, it is possible to have a byte array larger
+ than UINT16_MAX which would result in the length field overflowing and
+ allowing user-controlled data to be parsed as control characters (such as
+ creating custom mount points, changing which set of namespaces to allow,
+ and so on).
+ * d/patches/0027-Fix-test-for-newer-kernels.patch: Added.
+ - Fix test for newer kernels.
+ * d/patches/CVE-2023-25809.patch: Added to fix CVE-2023-25809.
+ - It was found that rootless runc makes `/sys/fs/cgroup` writable under
+ specific conditions. A container may then gain the write access to
+ user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
+ * d/patches/CVE-2023-27561-and-CVE-2023-28642: Added to fix CVE-2023-27561
+ and CVE-2023-27561.
+ - It was found that the fix for CVE-2021-30465 introduced a regression in
+ regards to CVE-2019-19921 which results in an incorrect access control
+ leading to privilege escalation and bypassing apparmor.
+
+ -- Daniel Leidert <dleidert@debian.org> Fri, 31 May 2024 00:39:22 +0200
+
runc (1.0.0~rc93+ds1-5+deb11u3) bullseye-security; urgency=high
* Team upload.
diff -Nru runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml
--- runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml 2024-02-02 16:14:13.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml 2024-05-31 00:39:22.000000000 +0200
@@ -1,37 +1,10 @@
---
-# https://docs.gitlab.com/ce/ci/yaml/#include
include:
- - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-## "amd64-unstable" always runs by default followed by lintian.
-
-## Only for arch:all packages - remove if not required:
-binary-indep:
- extends: .build-indep
-
-## Job to check Build-Depends versioning:
-amd64-testing_unstable:
- extends: .build
- variables:
- arch: amd64
- dist: testing_unstable
-
-i386-unstable:
- extends: .build
- variables:
- arch: i386
- dist: unstable
-
-amd64-experimental:
- extends: .build
- variables:
- arch: amd64
- dist: experimental
-
-amd64-stable:
- extends: .build
- when: manual
- allow_failure: true
- variables:
- arch: amd64
- dist: stable
+variables:
+ RELEASE: 'bullseye'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch runc-1.0.0~rc93+ds1/debian/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch
--- runc-1.0.0~rc93+ds1/debian/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch 2024-02-02 16:14:13.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch 2024-05-31 00:39:22.000000000 +0200
@@ -2,12 +2,15 @@
Date: Sat, 3 Feb 2024 00:02:52 +0800
Subject: Fix busybox tarball url in integration test
+https://github.com/opencontainers/runc/blob/main/tests/integration/get-images.sh
+
+Reviewed-by: Daniel Leidert <dleidert@debian.org>
---
tests/integration/multi-arch.bash | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/integration/multi-arch.bash b/tests/integration/multi-arch.bash
-index 1dd751b..91d2c1d 100644
+index 1dd751b..0e07a11 100644
--- a/tests/integration/multi-arch.bash
+++ b/tests/integration/multi-arch.bash
@@ -2,10 +2,10 @@
@@ -15,11 +18,11 @@
case $(go env GOARCH) in
arm64)
- echo 'https://github.com/docker-library/busybox/raw/dist-arm64v8/stable/glibc/busybox.tar.xz'
-+ echo 'https://github.com/docker-library/busybox/raw/dist-arm64v8/latest/glibc/busybox.tar.xz'
++ echo 'https://github.com/docker-library/busybox/raw/94c664b5ca464546266bce54be0082874a44c7b2/stable/glibc/busybox.tar.xz'
;;
*)
- echo 'https://github.com/docker-library/busybox/raw/dist-amd64/stable/glibc/busybox.tar.xz'
-+ echo 'https://github.com/docker-library/busybox/raw/dist-amd64/latest/glibc/busybox.tar.xz'
++ echo 'https://github.com/docker-library/busybox/raw/31d342ad033e27c18723a516a2274ab39547be27/stable/glibc/busybox.tar.xz'
;;
esac
}
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/0027-Fix-test-for-newer-kernels.patch runc-1.0.0~rc93+ds1/debian/patches/0027-Fix-test-for-newer-kernels.patch
--- runc-1.0.0~rc93+ds1/debian/patches/0027-Fix-test-for-newer-kernels.patch 1970-01-01 01:00:00.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/0027-Fix-test-for-newer-kernels.patch 2024-05-31 00:39:22.000000000 +0200
@@ -0,0 +1,43 @@
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Tue, 29 Jun 2021 13:19:42 -0700
+Subject: [PATCH] tests/int/no_pivot: fix for new kernels
+
+The test is failing like this:
+
+ not ok 70 runc run --no-pivot must not expose bare /proc
+ # (in test file tests/integration/no_pivot.bats, line 20)
+ # `[[ "$output" == *"mount: permission denied"* ]]' failed
+ # runc spec (status=0):
+ #
+ # runc run --no-pivot test_no_pivot (status=1):
+ # unshare: write error: Operation not permitted
+
+Apparently, a recent kernel commit db2e718a47984b9d prevents
+root from doing unshare -r unless it has CAP_SETFPCAP.
+
+Add the capability for this specific test.
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+
+Acked-by: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/opencontainers/runc/commit/1bbeadae72603c44932d46ade275219dbf718950.patch
+Forwarded: not-needed
+---
+ tests/integration/no_pivot.bats | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/integration/no_pivot.bats b/tests/integration/no_pivot.bats
+index 844a0ca..da6e386 100644
+--- a/tests/integration/no_pivot.bats
++++ b/tests/integration/no_pivot.bats
+@@ -14,7 +14,9 @@ function teardown() {
+ @test "runc run --no-pivot must not expose bare /proc" {
+ requires root
+
+- update_config '.process.args |= ["unshare", "-mrpf", "sh", "-euxc", "mount -t proc none /proc && echo h > /proc/sysrq-trigger"]'
++ update_config ' .process.args |= ["unshare", "-mrpf", "sh", "-euxc", "mount -t proc none /proc && echo h > /proc/sysrq-trigger"]
++ | .process.capabilities.bounding += ["CAP_SETFCAP"]
++ | .process.capabilities.permitted += ["CAP_SETFCAP"]'
+
+ runc run --no-pivot test_no_pivot
+ [ "$status" -eq 1 ]
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/CVE-2021-43784.patch runc-1.0.0~rc93+ds1/debian/patches/CVE-2021-43784.patch
--- runc-1.0.0~rc93+ds1/debian/patches/CVE-2021-43784.patch 1970-01-01 01:00:00.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/CVE-2021-43784.patch 2024-05-31 00:39:22.000000000 +0200
@@ -0,0 +1,87 @@
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Sun, 18 Feb 2024 22:46:19 +0100
+Subject: Fix CVE-2021-43784
+
+When writing netlink messages, it is possible to have a byte array
+larger than UINT16_MAX which would result in the length field
+overflowing and allowing user-controlled data to be parsed as control
+characters (such as creating custom mount points, changing which set of
+namespaces to allow, and so on).
+
+Reviewed-by: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
+Bug: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
+Forwarded: not-needed
+---
+ libcontainer/container_linux.go | 20 +++++++++++++++++++-
+ libcontainer/message_linux.go | 10 ++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index c95b83e..6c2cfd3 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -1982,16 +1982,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
+ return data.Bytes(), nil
+ }
+
++// netlinkError is an error wrapper type for use by custom netlink message
++// types. Panics with errors are wrapped in netlinkError so that the recover
++// in bootstrapData can distinguish intentional panics.
++type netlinkError struct{ error }
++
+ // bootstrapData encodes the necessary data in netlink binary format
+ // as a io.Reader.
+ // Consumer can write the data to a bootstrap program
+ // such as one that uses nsenter package to bootstrap the container's
+ // init process correctly, i.e. with correct namespaces, uid/gid
+ // mapping etc.
+-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
++func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
+ // create the netlink message
+ r := nl.NewNetlinkRequest(int(InitMsg), 0)
+
++ // Our custom messages cannot bubble up an error using returns, instead
++ // they will panic with the specific error type, netlinkError. In that
++ // case, recover from the panic and return that as an error.
++ defer func() {
++ if r := recover(); r != nil {
++ if e, ok := r.(netlinkError); ok {
++ Err = e.error
++ } else {
++ panic(r)
++ }
++ }
++ }()
++
+ // write cloneFlags
+ r.AddData(&Int32msg{
+ Type: CloneFlagsAttr,
+diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go
+index 1d4f503..4726f37 100644
+--- a/libcontainer/message_linux.go
++++ b/libcontainer/message_linux.go
+@@ -3,6 +3,9 @@
+ package libcontainer
+
+ import (
++ "fmt"
++ "math"
++
+ "github.com/vishvananda/netlink/nl"
+ "golang.org/x/sys/unix"
+ )
+@@ -32,6 +35,13 @@ type Int32msg struct {
+ // | nlattr len | nlattr type |
+ // | uint32 value |
+ func (msg *Int32msg) Serialize() []byte {
++ l := msg.Len()
++ if l > math.MaxUint16 {
++ // We cannot return nil nor an error here, so we panic with
++ // a specific type instead, which is handled via recover in
++ // bootstrapData.
++ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
++ }
+ buf := make([]byte, msg.Len())
+ native := nl.NativeEndian()
+ native.PutUint16(buf[0:2], uint16(msg.Len()))
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-25809.patch runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-25809.patch
--- runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-25809.patch 1970-01-01 01:00:00.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-25809.patch 2024-05-31 00:39:22.000000000 +0200
@@ -0,0 +1,124 @@
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 26 Dec 2022 12:04:26 +0900
+Subject: [PATCH] rootless: fix /sys/fs/cgroup mounts
+
+It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:
+
+1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
+ (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
+2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
+ (e.g., `runc spec --rootless`; this condition is very rare)
+
+A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
+Other users's cgroup hierarchies are not affected.
+
+To fix the issue, this commit does:
+1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
+2. Mask `/sys/fs/cgroup` when the bind source is unavailable
+
+Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)
+
+Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit df4eae457b8ccffa619c659c2def5c777d8ff507)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+
+Acked-by: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/opencontainers/runc/commit/0e6b818a2b0d24fdb6697614e5c5f115bbe8e3a5.patch
+Bug: https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
+Forwarded: not-needed
+---
+ libcontainer/rootfs_linux.go | 53 +++++++++++++++++++++++++++----------------
+ tests/integration/mounts.bats | 17 ++++++++++++++
+ 2 files changed, 51 insertions(+), 19 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 96be669..4791ceb 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -309,26 +309,41 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
+ if err := os.MkdirAll(dest, 0755); err != nil {
+ return err
+ }
+- return utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
+- if err := unix.Mount(m.Source, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+- // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+- if err == unix.EPERM || err == unix.EBUSY {
+- src := fs2.UnifiedMountpoint
+- if c.cgroupns && c.cgroup2Path != "" {
+- // Emulate cgroupns by bind-mounting
+- // the container cgroup path rather than
+- // the whole /sys/fs/cgroup.
+- src = c.cgroup2Path
+- }
+- err = unix.Mount(src, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
+- if err == unix.ENOENT && c.rootlessCgroups {
+- err = nil
+- }
+- }
+- return err
+- }
+- return nil
++ err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
++ return unix.Mount(m.Source, procfd, "cgroup2", uintptr(m.Flags), m.Data)
+ })
++ if err == nil || !(err == unix.EPERM || err == unix.EBUSY) {
++ return err
++ }
++
++ // When we are in UserNS but CgroupNS is not unshared, we cannot mount
++ // cgroup2 (#2158), so fall back to bind mount.
++ bindM := &configs.Mount{
++ Device: "bind",
++ Source: fs2.UnifiedMountpoint,
++ Destination: m.Destination,
++ Flags: unix.MS_BIND | m.Flags,
++ PropagationFlags: m.PropagationFlags,
++ }
++ if c.cgroupns && c.cgroup2Path != "" {
++ // Emulate cgroupns by bind-mounting the container cgroup path
++ // rather than the whole /sys/fs/cgroup.
++ bindM.Source = c.cgroup2Path
++ }
++ // mountToRootfs() handles remounting for MS_RDONLY.
++ // No need to set c.fd here, because mountToRootfs() calls utils.WithProcfd() by itself in mountPropagate().
++ err = mountToRootfs(bindM, c)
++ if c.rootlessCgroups && err == unix.ENOENT {
++ // ENOENT (for `src = c.cgroup2Path`) happens when rootless runc is being executed
++ // outside the userns+mountns.
++ //
++ // Mask `/sys/fs/cgroup` to ensure it is read-only, even when `/sys` is mounted
++ // with `rbind,ro` (`runc spec --rootless` produces `rbind,ro` for `/sys`).
++ err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
++ return maskPath(procfd, c.label)
++ })
++ }
++ return err
+ }
+
+ func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
+diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
+index a4b9f29..ae39a72 100644
+--- a/tests/integration/mounts.bats
++++ b/tests/integration/mounts.bats
+@@ -53,3 +53,20 @@ function teardown() {
+ runc run test_busybox
+ [ "$status" -eq 0 ]
+ }
++
++# https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
++@test "runc run [ro /sys/fs/cgroup mount]" {
++ # With cgroup namespace
++ update_config '.process.args |= ["sh", "-euc", "for f in `grep /sys/fs/cgroup /proc/mounts | awk \"{print \\\\$2}\"| uniq`; do grep -w $f /proc/mounts | tail -n1; done"]'
++ runc run test_busybox
++ [ "$status" -eq 0 ]
++ [ "${#lines[@]}" -ne 0 ]
++ for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
++
++ # Without cgroup namespace
++ update_config '.linux.namespaces -= [{"type": "cgroup"}]'
++ runc run test_busybox
++ [ "$status" -eq 0 ]
++ [ "${#lines[@]}" -ne 0 ]
++ for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
++}
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch
--- runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch 1970-01-01 01:00:00.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch 2024-05-31 00:39:22.000000000 +0200
@@ -0,0 +1,109 @@
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Thu, 16 Mar 2023 14:35:50 -0700
+Subject: [PATCH] Prohibit /proc and /sys to be symlinks
+
+Commit 3291d66b9844 introduced a check for /proc and /sys, making sure
+the destination (dest) is a directory (and not e.g. a symlink).
+
+Later, a hunk from commit 0ca91f44f switched from using filepath.Join
+to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
+the check whether dest is a symlink no longer works.
+
+To fix, do the check without/before using SecureJoin.
+
+Add integration tests to make sure we won't regress.
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+(cherry picked from commit 0d72adf96dda1b687815bf89bb245b937a2f603c)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+
+This patch fixes both, CVE-2023-27561 and CVE-2023-28642
+
+Acked-by: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/opencontainers/runc/commit/0abab45c9b97c113ff2cdc16f3a7388444c3fbec.patch
+Forwarded: not-needed
+---
+ libcontainer/rootfs_linux.go | 23 +++++++++++++++++------
+ tests/integration/mask.bats | 19 +++++++++++++++++++
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 4791ceb..07303b0 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -393,12 +393,9 @@ func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
+
+ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ rootfs := c.root
+- mountLabel := c.label
+- dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+- if err != nil {
+- return err
+- }
+
++ // procfs and sysfs are special because we need to ensure they are actually
++ // mounted on a specific path in a container without any funny business.
+ switch m.Device {
+ case "proc", "sysfs":
+ // If the destination already exists and is not a directory, we bail
+@@ -406,11 +403,16 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ // has been a "fun" attack scenario in the past.
+ // TODO: This won't be necessary once we switch to libpathrs and we can
+ // stop all of these symlink-exchange attacks.
++ dest := filepath.Clean(m.Destination)
++ if !strings.HasPrefix(dest, rootfs) {
++ // Do not use securejoin as it resolves symlinks.
++ dest = filepath.Join(rootfs, dest)
++ }
+ if fi, err := os.Lstat(dest); err != nil {
+ if !os.IsNotExist(err) {
+ return err
+ }
+- } else if fi.Mode()&os.ModeDir == 0 {
++ } else if !fi.IsDir() {
+ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
+ }
+ if err := os.MkdirAll(dest, 0755); err != nil {
+@@ -418,6 +420,15 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ }
+ // Selinux kernels do not support labeling of /proc or /sys
+ return mountPropagate(m, rootfs, "")
++ }
++
++ mountLabel := c.label
++ dest, err := securejoin.SecureJoin(rootfs, m.Destination)
++ if err != nil {
++ return err
++ }
++
++ switch m.Device {
+ case "mqueue":
+ if err := os.MkdirAll(dest, 0755); err != nil {
+ return err
+diff --git a/tests/integration/mask.bats b/tests/integration/mask.bats
+index 0786c2a..107b924 100644
+--- a/tests/integration/mask.bats
++++ b/tests/integration/mask.bats
+@@ -57,3 +57,22 @@ function teardown() {
+ [ "$status" -eq 1 ]
+ [[ "${output}" == *"Operation not permitted"* ]]
+ }
++
++@test "mask paths [prohibit symlink /proc]" {
++ ln -s /symlink rootfs/proc
++ runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
++ [ "$status" -eq 1 ]
++ [[ "${output}" == *"must be mounted on ordinary directory"* ]]
++}
++
++@test "mask paths [prohibit symlink /sys]" {
++ # In rootless containers, /sys is a bind mount not a real sysfs.
++ requires root
++
++ ln -s /symlink rootfs/sys
++ runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
++ [ "$status" -eq 1 ]
++ # On cgroup v1, this may fail before checking if /sys is a symlink,
++ # so we merely check that it fails, and do not check the exact error
++ # message like for /proc above.
++}
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/series runc-1.0.0~rc93+ds1/debian/patches/series
--- runc-1.0.0~rc93+ds1/debian/patches/series 2024-02-02 16:14:13.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/series 2024-05-31 00:39:22.000000000 +0200
@@ -23,3 +23,7 @@
CVE-2024-21626/0023-libcontainer-mark-all-non-stdio-fds-O_CLOEXEC-before.patch
CVE-2024-21626/0024-init-don-t-special-case-logrus-fds.patch
0025-Fix-busybox-tarball-url-in-integration-test.patch
+CVE-2021-43784.patch
+0027-Fix-test-for-newer-kernels.patch
+CVE-2023-25809.patch
+CVE-2023-27561-and-CVE-2023-28642.patch
Reply to: