Bug#1034039: bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1

[Reinhard Tartler]

Argh, my bad, I'll upload a new version later today

Thanks for spotting

-rt

On April 7, 2023 4:41:41 AM EST, "Adam D. Barratt"  
wrote:
>On Thu, 2023-04-06 at 19:46 -0400, Reinhard Tartler wrote:
>> This code change picks up code changes in golang-github-containers-
>> psgo
>> and golang-github-containers-storage to fix CVE-2022-1227. This is
>> reported
>> as 1020907. This addresses a priviledge escalation issue when using
>> 'podman top'. Upstream has more information in this issue in
>> https://bugzilla.redhat.com/show_bug.cgi?id=2070368
>> 
>
>I see this has already been uploaded; unfortunately:
>
>-,golang-github-containers-psgo-dev
>-,golang-github-containers-storage-dev (>= 1.24.6)
>+,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
>+,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)
>
>The updated golang-github-containers-storage-dev version there isn't
>actually sufficient to ensure that the fixed version is picked up - you
>want 1.24.*8*+dfsg1-1+deb11u1.
>
>At this point, either I can reject the current upload, and you can then
>re-upload a fixed +deb11u1 or (possibly easier all around) you can
>upload +deb11u2 as an incremental change on top of +deb11u1 which
>simply fixes the dependency version.
>
>Regards,
>
>Adam
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Bug#1034039: bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1

[Adam D. Barratt]

On Thu, 2023-04-06 at 19:46 -0400, Reinhard Tartler wrote:
> This code change picks up code changes in golang-github-containers-
> psgo
> and golang-github-containers-storage to fix CVE-2022-1227. This is
> reported
> as 1020907. This addresses a priviledge escalation issue when using
> 'podman top'. Upstream has more information in this issue in
> https://bugzilla.redhat.com/show_bug.cgi?id=2070368
> 

I see this has already been uploaded; unfortunately:

-,golang-github-containers-psgo-dev
-,golang-github-containers-storage-dev (>= 1.24.6)
+,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
+,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)

The updated golang-github-containers-storage-dev version there isn't
actually sufficient to ensure that the fixed version is picked up - you
want 1.24.*8*+dfsg1-1+deb11u1.

At this point, either I can reject the current upload, and you can then
re-upload a fixed +deb11u1 or (possibly easier all around) you can
upload +deb11u2 as an incremental change on top of +deb11u1 which
simply fixes the dependency version.

Regards,

Adam

Bug#1034039: bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1

[Reinhard Tartler]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lib...@packages.debian.org, siret...@tauware.de
Control: affects -1 + src:libpod

[ Reason ]
This code change picks up code changes in golang-github-containers-psgo
and golang-github-containers-storage to fix CVE-2022-1227. This is reported
as 1020907. This addresses a priviledge escalation issue when using
'podman top'. Upstream has more information in this issue in
https://bugzilla.redhat.com/show_bug.cgi?id=2070368

Additionally, another upstream code change is being backported to address
CVE-2022-27649. This is reported as #1020906. This is to address a
capability escalation issue on file descriptors that were not intended
to have inheritable capabilities.

[ Impact ]
Without this update, users remain vulnerable to the issues explained above.

[ Tests ]
I've manually built and installed the built package in a kvm virtual machine
and conducted some basic tests.

[ Risks ]
All patches have been cherry picked from the branches that redhat also
includes in RHEL.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 12a2268bb..dbd215727 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium
+
+  * CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907
+  * CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906
+
+ -- Reinhard Tartler   Wed, 05 Apr 2023 21:00:36 -0400
+
 libpod (3.0.1+dfsg1-3+deb11u1) bullseye; urgency=medium
 
   * Rebuild against containers-common to pickup seccomp updates required
diff --git a/debian/control b/debian/control
index 3df797b30..a8834b883 100644
--- a/debian/control
+++ b/debian/control
@@ -21,8 +21,8 @@ Build-Depends: debhelper-compat (= 12)
 ,golang-github-containers-common-dev (>= 0.33.4+ds1-1+deb11u1)
 ,golang-github-containers-image-dev (>= 5.10.2)
 ,golang-github-containers-ocicrypt-dev
-,golang-github-containers-psgo-dev
-,golang-github-containers-storage-dev (>= 1.24.6)
+,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
+,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)
 ,golang-github-coreos-bbolt-dev (>= 1.3.3~)
 ,golang-github-coreos-go-iptables-dev (>= 0.4.2~)
 ,golang-github-coreos-go-systemd-dev (>= 20~)
diff --git a/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch 
b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
new file mode 100644
index 0..3d7666b91
--- /dev/null
+++ b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
@@ -0,0 +1,109 @@
+From d2848c0281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
+From: Andre Moreira Magalhaes 
+Date: Mon, 19 Sep 2022 11:03:21 -0300
+Subject: [PATCH] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace.  Emulate the same behavior.
+
+Closes: CVE-2022-27649
+
+(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
+---
+ libpod/oci_conmon_linux.go   | 7 +--
+ pkg/specgen/generate/security.go | 7 +--
+ test/e2e/run_test.go | 6 +++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
+index 38ffba7d2..b073feee1 100644
+--- a/libpod/oci_conmon_linux.go
 b/libpod/oci_conmon_linux.go
+@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options 
*ExecOptions, env []string, sessio
+   } else {
+   pspec.Capabilities.Bounding = 
ctrSpec.Process.Capabilities.Bounding
+   }
++
++  // Always unset the inheritable capabilities similarly to what the 
Linux kernel does
++  // They are used only when using capabilities with uid != 0.
++  pspec.Capabilities.Inheritable = []string{}
++
+   if execUser.Uid == 0 {
+   pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+-  pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+   pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+-  pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+   } else {
+   if user == c.config.User {
+   pspec.Capabilities.Effective = 
ctrSpec.Process.Capabilities.Effective
+diff --git a/pkg/specgen/generate/security.go 
b/pkg/specgen/generate/security.go
+index fb45d87db..c18f83217 100644
+--- a/pkg/specgen/generate/security.go
 b/pkg/specgen/generate/security.go
+@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, 
g *generate.Generator,
+ 
+   configSpec := g.Config
+