Control: tag -1 -moreinfo

On 4/1/23 7:04 PM, Reinhard Tartler wrote:


On 4/1/23 3:51 PM, Adam D. Barratt wrote:
Control: tags -1 + moreinfo

Apologies for the delay in getting back to you on this.

On Wed, 2022-12-28 at 22:26 -0500, Reinhard Tartler wrote:
In order to fix CVE-2022-1227, an update to golang-github-containers-
psgo
is needed, more specifically,
https://github.com/containers/psgo/pull/92

That patch introduces a dependency on golang-github-containers-
storage, and uses
the helper functions RawTo{Container,Host} which are introduced with
this patch.

[...]
The code changes adds a helper function that isn't used otherwise
yet.

Looking at the diff, it appears that what it actually does is rename
two existing helper functions, with no functional change to either. Am
I missing something?

You are correct. The patch renames the helper functions to an Uppercase 
spelling.
This exposes the function to other packages, which is being used in the patch
to fix CVE-2022-1227.

I would recommend approving this code change.

+golang-github-containers-storage (1.24.8+dfsg1-2~deb11u1) bullseye;
urgency=medium

Given what I can see of the package's upload history, the version
should rather be 1.24.8+dfsg1-1+deb11u1.

Will do!

Updated debdiff attached to this email.


Okay to upload now?


-rt
diff -Nru golang-github-containers-storage-1.24.8+dfsg1/debian/changelog 
golang-github-containers-storage-1.24.8+dfsg1/debian/changelog
--- golang-github-containers-storage-1.24.8+dfsg1/debian/changelog      
2021-02-21 14:40:55.000000000 -0500
+++ golang-github-containers-storage-1.24.8+dfsg1/debian/changelog      
2022-12-28 21:39:17.000000000 -0500
@@ -1,3 +1,12 @@
+golang-github-containers-storage (1.24.8+dfsg1-1+deb11u1) bullseye; 
urgency=medium
+
+  [ Vignesh Raman ]
+  * prereq to fix CVE-2022-1227: pkg: idtools: export RawTo{Container,Host}:
+    makes previously internal functions publicly accessible, which is being
+    used by later versions of golang-github-containers-psgo.
+
+ -- Reinhard Tartler <siret...@tauware.de>  Wed, 28 Dec 2022 21:39:17 -0500
+
 golang-github-containers-storage (1.24.8+dfsg1-1) unstable; urgency=medium
 
   * New upstream release, focused on targetted bugfixes for podman 3.0
diff -Nru 
golang-github-containers-storage-1.24.8+dfsg1/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
 
golang-github-containers-storage-1.24.8+dfsg1/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
--- 
golang-github-containers-storage-1.24.8+dfsg1/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
     1969-12-31 19:00:00.000000000 -0500
+++ 
golang-github-containers-storage-1.24.8+dfsg1/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
     2022-12-28 21:39:17.000000000 -0500
@@ -0,0 +1,111 @@
+From 3da85a122411a57b5a65dc243ae56f89d7fd2564 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyp...@cyphar.com>
+Date: Wed, 12 Jan 2022 12:56:56 +1100
+Subject: [PATCH 1/4] pkg: idtools: export RawTo{Container,Host}
+
+While the IDMapping methods are preferable for most users, sometimes it
+is necessary to map a single ID using a given mapping. In particular
+this is needed for psgo to be able to map the user and group entries in
+/proc/$pid/status using the user namespace of the target process.
+
+Required to resolve CVE-2022-1227.
+
+Signed-off-by: Aleksa Sarai <cyp...@cyphar.com>
+Backported-by: Valentin Rothberg <vrothb...@redhat.com>
+---
+ pkg/idtools/idtools.go | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/pkg/idtools/idtools.go b/pkg/idtools/idtools.go
+index 83bc8c34f..d3d56066e 100644
+--- a/pkg/idtools/idtools.go
++++ b/pkg/idtools/idtools.go
+@@ -82,7 +82,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) 
{
+       if len(uidMap) == 1 && uidMap[0].Size == 1 {
+               uid = uidMap[0].HostID
+       } else {
+-              uid, err = toHost(0, uidMap)
++              uid, err = RawToHost(0, uidMap)
+               if err != nil {
+                       return -1, -1, err
+               }
+@@ -90,7 +90,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) 
{
+       if len(gidMap) == 1 && gidMap[0].Size == 1 {
+               gid = gidMap[0].HostID
+       } else {
+-              gid, err = toHost(0, gidMap)
++              gid, err = RawToHost(0, gidMap)
+               if err != nil {
+                       return -1, -1, err
+               }
+@@ -98,10 +98,14 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, 
error) {
+       return uid, gid, nil
+ }
+ 
+-// toContainer takes an id mapping, and uses it to translate a
+-// host ID to the remapped ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id
+-func toContainer(hostID int, idMap []IDMap) (int, error) {
++// RawToContainer takes an id mapping, and uses it to translate a host ID to
++// the remapped ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID 
against
++// the correct mapping.
++func RawToContainer(hostID int, idMap []IDMap) (int, error) {
+       if idMap == nil {
+               return hostID, nil
+       }
+@@ -114,10 +118,14 @@ func toContainer(hostID int, idMap []IDMap) (int, error) 
{
+       return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", 
hostID)
+ }
+ 
+-// toHost takes an id mapping and a remapped ID, and translates the
+-// ID to the mapped host ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id #
+-func toHost(contID int, idMap []IDMap) (int, error) {
++// RawToHost takes an id mapping and a remapped ID, and translates the ID to
++// the mapped host ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID 
against
++// the correct mapping.
++func RawToHost(contID int, idMap []IDMap) (int, error) {
+       if idMap == nil {
+               return contID, nil
+       }
+@@ -188,25 +196,25 @@ func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) 
{
+       target := i.RootPair()
+ 
+       if pair.UID != target.UID {
+-              target.UID, err = toHost(pair.UID, i.uids)
++              target.UID, err = RawToHost(pair.UID, i.uids)
+               if err != nil {
+                       return target, err
+               }
+       }
+ 
+       if pair.GID != target.GID {
+-              target.GID, err = toHost(pair.GID, i.gids)
++              target.GID, err = RawToHost(pair.GID, i.gids)
+       }
+       return target, err
+ }
+ 
+ // ToContainer returns the container UID and GID for the host uid and gid
+ func (i *IDMappings) ToContainer(pair IDPair) (int, int, error) {
+-      uid, err := toContainer(pair.UID, i.uids)
++      uid, err := RawToContainer(pair.UID, i.uids)
+       if err != nil {
+               return -1, -1, err
+       }
+-      gid, err := toContainer(pair.GID, i.gids)
++      gid, err := RawToContainer(pair.GID, i.gids)
+       return uid, gid, err
+ }
+ 
+-- 
+2.30.2
+
diff -Nru golang-github-containers-storage-1.24.8+dfsg1/debian/patches/series 
golang-github-containers-storage-1.24.8+dfsg1/debian/patches/series
--- golang-github-containers-storage-1.24.8+dfsg1/debian/patches/series 
2021-02-21 14:40:55.000000000 -0500
+++ golang-github-containers-storage-1.24.8+dfsg1/debian/patches/series 
2022-12-28 21:39:17.000000000 -0500
@@ -1 +1,2 @@
 test.patch
+0001-pkg-idtools-export-RawTo-Container-Host.patch

Reply via email to