Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lib...@packages.debian.org, siret...@tauware.de
Control: affects -1 + src:libpod
[ Reason ]
This code change picks up code changes in golang-github-containers-psgo
and golang-github-containers-storage to fix CVE-2022-1227. This is reported
as 1020907. This addresses a priviledge escalation issue when using
'podman top'. Upstream has more information in this issue in
https://bugzilla.redhat.com/show_bug.cgi?id=2070368
Additionally, another upstream code change is being backported to address
CVE-2022-27649. This is reported as #1020906. This is to address a
capability escalation issue on file descriptors that were not intended
to have inheritable capabilities.
[ Impact ]
Without this update, users remain vulnerable to the issues explained above.
[ Tests ]
I've manually built and installed the built package in a kvm virtual machine
and conducted some basic tests.
[ Risks ]
All patches have been cherry picked from the branches that redhat also
includes in RHEL.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 12a2268bb..dbd215727 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium
+
+ * CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907
+ * CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906
+
+ -- Reinhard Tartler Wed, 05 Apr 2023 21:00:36 -0400
+
libpod (3.0.1+dfsg1-3+deb11u1) bullseye; urgency=medium
* Rebuild against containers-common to pickup seccomp updates required
diff --git a/debian/control b/debian/control
index 3df797b30..a8834b883 100644
--- a/debian/control
+++ b/debian/control
@@ -21,8 +21,8 @@ Build-Depends: debhelper-compat (= 12)
,golang-github-containers-common-dev (>= 0.33.4+ds1-1+deb11u1)
,golang-github-containers-image-dev (>= 5.10.2)
,golang-github-containers-ocicrypt-dev
-,golang-github-containers-psgo-dev
-,golang-github-containers-storage-dev (>= 1.24.6)
+,golang-github-containers-psgo-dev (>= 1.5.2-1+deb11u1)
+,golang-github-containers-storage-dev (>= 1.24.6+dfsg1-1+deb11u1)
,golang-github-coreos-bbolt-dev (>= 1.3.3~)
,golang-github-coreos-go-iptables-dev (>= 0.4.2~)
,golang-github-coreos-go-systemd-dev (>= 20~)
diff --git a/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
new file mode 100644
index 0..3d7666b91
--- /dev/null
+++ b/debian/patches/0001-do-not-set-the-inheritable-capabilities.patch
@@ -0,0 +1,109 @@
+From d2848c0281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
+From: Andre Moreira Magalhaes
+Date: Mon, 19 Sep 2022 11:03:21 -0300
+Subject: [PATCH] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace. Emulate the same behavior.
+
+Closes: CVE-2022-27649
+
+(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
+---
+ libpod/oci_conmon_linux.go | 7 +--
+ pkg/specgen/generate/security.go | 7 +--
+ test/e2e/run_test.go | 6 +++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
+index 38ffba7d2..b073feee1 100644
+--- a/libpod/oci_conmon_linux.go
b/libpod/oci_conmon_linux.go
+@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options
*ExecOptions, env []string, sessio
+ } else {
+ pspec.Capabilities.Bounding =
ctrSpec.Process.Capabilities.Bounding
+ }
++
++ // Always unset the inheritable capabilities similarly to what the
Linux kernel does
++ // They are used only when using capabilities with uid != 0.
++ pspec.Capabilities.Inheritable = []string{}
++
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ if user == c.config.User {
+ pspec.Capabilities.Effective =
ctrSpec.Process.Capabilities.Effective
+diff --git a/pkg/specgen/generate/security.go
b/pkg/specgen/generate/security.go
+index fb45d87db..c18f83217 100644
+--- a/pkg/specgen/generate/security.go
b/pkg/specgen/generate/security.go
+@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator,
g *generate.Generator,
+
+ configSpec := g.Config
+