Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: lib...@packages.debian.org, siret...@tauware.de Control: affects -1 + src:libpod
[ Reason ] This code change picks up code changes in golang-github-containers-psgo and golang-github-containers-storage to fix CVE-2022-1227. This is reported as 1020907. This addresses a priviledge escalation issue when using 'podman top'. Upstream has more information in this issue in https://bugzilla.redhat.com/show_bug.cgi?id=2070368 Additionally, another upstream code change is being backported to address CVE-2022-27649. This is reported as #1020906. This is to address a capability escalation issue on file descriptors that were not intended to have inheritable capabilities. [ Impact ] Without this update, users remain vulnerable to the issues explained above. [ Tests ] I've manually built and installed the built package in a kvm virtual machine and conducted some basic tests. [ Risks ] All patches have been cherry picked from the branches that redhat also includes in RHEL. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] diff --git a/debian/changelog b/debian/changelog index 12a2268bb..dbd215727 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium + + * CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907 + * CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906 + + -- Reinhard Tartler <siret...@tauware.de> Wed, 05 Apr 2023 21:00:36 -0400 + libpod (3.0.1+dfsg1-3+deb11u1) bullseye; urgency=medium * Rebuild against containers-common to pickup seccomp updates required diff --git a/debian/control b/debian/control index 3df797b30..a8834b883 100644 --- a/debian/control +++ b/debian/control @@ -21,8 +21,8 @@ Build-Depends: debhelper-compat (= 12) ,golang-github-containers-common-dev (>= 0.33.4+ds1-1+deb11u1) ,golang-github-containers-image-dev (>= 5.10.2) ,golang-github-containers-ocicrypt-dev - ,golang-github-containers-psgo-dev - ,golang-github-containers-storage-dev (>= 1.24.6) + ,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1) + ,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1) ,golang-github-coreos-bbolt-dev (>= 1.3.3~) ,golang-github-coreos-go-iptables-dev (>= 0.4.2~) ,golang-github-coreos-go-systemd-dev (>= 20~) diff --git a/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch new file mode 100644 index 000000000..3d7666b91 --- /dev/null +++ b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch @@ -0,0 +1,109 @@ +From d2848c44440281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001 +From: Andre Moreira Magalhaes <andru...@gmail.com> +Date: Mon, 19 Sep 2022 11:03:21 -0300 +Subject: [PATCH] do not set the inheritable capabilities + +The kernel never sets the inheritable capabilities for a process, they +are only set by userspace. Emulate the same behavior. + +Closes: CVE-2022-27649 + +(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13) +--- + libpod/oci_conmon_linux.go | 7 +++++-- + pkg/specgen/generate/security.go | 7 +++++-- + test/e2e/run_test.go | 6 +++--- + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go +index 38ffba7d2..b073feee1 100644 +--- a/libpod/oci_conmon_linux.go ++++ b/libpod/oci_conmon_linux.go +@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio + } else { + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding + } ++ ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does ++ // They are used only when using capabilities with uid != 0. ++ pspec.Capabilities.Inheritable = []string{} ++ + if execUser.Uid == 0 { + pspec.Capabilities.Effective = pspec.Capabilities.Bounding +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding + } else { + if user == c.config.User { + pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective +diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go +index fb45d87db..c18f83217 100644 +--- a/pkg/specgen/generate/security.go ++++ b/pkg/specgen/generate/security.go +@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, + + configSpec := g.Config + configSpec.Process.Capabilities.Ambient = []string{} ++ ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does ++ // They are used only when using capabilities with uid != 0. ++ configSpec.Process.Capabilities.Inheritable = []string{} + configSpec.Process.Capabilities.Bounding = caplist + + user := strings.Split(s.User, ":")[0] +@@ -137,7 +141,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" { + configSpec.Process.Capabilities.Effective = caplist + configSpec.Process.Capabilities.Permitted = caplist +- configSpec.Process.Capabilities.Inheritable = caplist + } else { + userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) + if err != nil { +@@ -145,12 +148,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, + } + configSpec.Process.Capabilities.Effective = userCaps + configSpec.Process.Capabilities.Permitted = userCaps +- configSpec.Process.Capabilities.Inheritable = userCaps + + // Ambient capabilities were added to Linux 4.3. Set ambient + // capabilities only when the kernel supports them. + if supportAmbientCapabilities() { + configSpec.Process.Capabilities.Ambient = userCaps ++ configSpec.Process.Capabilities.Inheritable = userCaps + } + } + +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go +index bff3995df..17fea3b99 100644 +--- a/test/e2e/run_test.go ++++ b/test/e2e/run_test.go +@@ -383,7 +383,7 @@ var _ = Describe("Podman run", func() { + session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"}) + session.WaitWithDefaultTimeout() +@@ -418,7 +418,7 @@ var _ = Describe("Podman run", func() { + session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + + if os.Geteuid() > 0 { + if os.Getenv("SKIP_USERNS") != "" { +@@ -435,7 +435,7 @@ var _ = Describe("Podman run", func() { + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002")) + + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() +-- +2.37.2 + diff --git a/debian/patches/series b/debian/patches/series index d1470bd5c..38f2e9ff7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ test--skip-TestPostDeleteHooks.patch rm-containers-mounts-5.patch systemd-tweaks.patch networking-lookup-child-IP-in-networks.patch +0001-do-not-set-the-inheritable-capabilities.patch