On Tue, Jun 14, 2022 at 5:54 AM Emilio Pozuelo Monfort <po...@debian.org> wrote:
> On 13/06/2022 19:12, Adam D. Barratt wrote:
> > On Mon, 2022-06-13 at 10:55 +0800, Shengjing Zhu wrote:
> >> X-Debbugs-CC: siret...@debian.org, t...@security.debian.org
> >>
> >> Hi,
> >>
> >> On Sun, Jun 12, 2022 at 05:33:48PM -0400, Reinhard Tartler wrote:
> >>> diff -Nru runc-1.0.0~rc93+ds1/debian/changelog runc-
> >>> 1.0.0~rc93+ds1/debian/changelog
> >>> --- runc-1.0.0~rc93+ds1/debian/changelog 2022-06-12
> >>> 14:49:36.000000000 -0400
> >>> +++ runc-1.0.0~rc93+ds1/debian/changelog 2021-05-19
> >>> 14:46:14.000000000 -0400
> >>> @@ -1,10 +1,3 @@
> >>> -runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium
> >>> -
> >>> - * Team upload.
> >>> - * backport upstream patch: Honor seccomp defaultErrnoRet,
> >>> Closes: #1012030
> >>> -
> >>> - -- Reinhard Tartler <siret...@tauware.de> Sun, 12 Jun 2022
> >>> 14:49:36 -0400
> >>> -
> >>
> >> Could you include the patch for CVE-2022-29162?
> >>
> >> https://security-tracker.debian.org/tracker/CVE-2022-29162
> >>
> >> If you don't have time, I can work on this later in this week.
> >
> > The Security Tracker says it's not fixed in unstable - is that correct?
> > If so, that needs addressing first before it can be considered for p-u.
>
> The tracker is corrected now, the issue was fixed in 1.1.2.
> > Thanks, I've tested the new runc and concluded it works fine. The effective (additional) security patch reads:
--- a/exec.go
+++ b/exec.go
@@ -193,7 +193,6 @@
 if caps := context.StringSlice("cap"); len(caps) > 0 {
 for _, c := range caps {
 p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
 p.Capabilities.Effective = append(p.Capabilities.Effective, c)
 p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
 p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
--- a/libcontainer/README.md
+++ b/libcontainer/README.md
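Review bot: Removing the Inheritable append leaves each `--cap` entry requested in Ambient together with Bounding/Effective/Permitted only, and the kernel refuses PR_CAP_AMBIENT_RAISE (EPERM) for a capability that is not in both the permitted and inheritable sets at raise time, so whether `runc exec --cap` still ends up with the ambient capability depends on how the libcontainer this is backported onto (rc93 rather than 1.1.2) applies the Ambient set, which is outside this hunk. That is worth verifying on the bullseye build rather than assuming the upstream 1.1.2 behaviour carries over, since this exec.go hunk is the only non-test, non-documentation change in the patch. The two exec_test.go hunks drop the same append but nothing visible asserts that the exec'd process's inheritable set (CapInh in /proc/<pid>/status) stays empty, which is the property CVE-2022-29162 is about; a single assertion there would pin the fix against regression. The enclosing function in exec.go starts and ends outside the hunk.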
@@ -92,22 +92,6 @@
 "CAP_KILL",
 "CAP_AUDIT_WRITE",
 },
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
 Permitted: []string{
 "CAP_CHOWN",
 "CAP_DAC_OVERRIDE",
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -412,7 +412,6 @@
 pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
 pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
 pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
- pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
 err = container.Run(&pconfig)
 ok(t, err)
@@ -1593,7 +1592,6 @@
 pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
 pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
 pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
- pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
 err = container.Run(pconfig2)
 stdinR2.Close()
--- a/libcontainer/integration/template_test.go
+++ b/libcontainer/integration/template_test.go
@@ -69,22 +69,6 @@
 "CAP_KILL",
 "CAP_AUDIT_WRITE",
 },
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
 Ambient: []string{
 "CAP_CHOWN",
 "CAP_DAC_OVERRIDE",
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -41,11 +41,6 @@
 "CAP_KILL",
 "CAP_NET_BIND_SERVICE",
 },
- Inheritable: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
 Ambient: []string{
 "CAP_AUDIT_WRITE",
 "CAP_KILL",
Full updated debdiff attached to this email -- regards, Reinhard
runc_1.0.0~rc93+ds1-5+deb11u2.debdiff