Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lib...@packages.debian.org, siret...@tauware.de
Control: affects -1 + src:libpod
[ Reason ]
This will address the no-dsa CVE-2022-2989. The vulnerability has been fixed upstream and has been in bookworm, trixie and sid for a long time now.

[ Impact ]
In the absence of this patch, podman in bullseye will remain vulnerable to CVE-2022-2989, as detailed here:
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/

[ Changes ]
bullseye has v3.0.1. The original fix was included in v4.3.0, and was:
https://github.com/containers/podman/commit/d82a41687e614d9ac8b2d169dee47fe226835e4c

However, upstream (which is mostly RedHat) maintains a separate "v3.0.1-rhel" branch, where they're backporting fixes to RHEL. The patch included in this upload is lifted directly from that branch, with no further changes:
https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f

[ Tests ]
Upstream has an extensive test suite, including unit and integration testing. Some of those tests run as part of the Debian build process. The fix has presumably been tested by RHEL users as well.

Furthermore, I've verified that the current package is vulnerable, and that the proposed package addresses the vulnerability, by testing both deb11u4 and deb11u5 with this PoC code:
https://github.com/sjmurdoch/permission-experiment

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Risks ]
Minimal: upstream has backported and tested this patch themselves, and versions including this exact patch have been deployed to end (RHEL) users for over a year now.

[ Other info ]

Thanks,
Faidon
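The verification described under [ Tests ] can be reduced to the same check the upstream e2e test performs: run a container with an explicit --user uid:gid and see whether that gid appears in the process's supplementary groups. The script below is an added example, not the PoC from the report nor code from the podman project; ENGINE, IMAGE and UIDGID are assumed defaults you can override.

```shell
#!/bin/sh
# Added example (not part of the bug report): report whether a container
# engine adds the container process's primary GID to its supplementary
# groups, which is what the CVE-2022-2989 fix makes podman do.
ENGINE="${ENGINE:-podman}"                      # assumption: engine on PATH
IMAGE="${IMAGE:-docker.io/library/alpine}"      # assumption: image with grep
UIDGID="${UIDGID:-1000:1000}"                   # same uid:gid as the e2e test

# groups_contains LINE GID
# LINE is a "Groups:" line from /proc/PID/status (label, tab, space-separated
# gids, possibly none). Returns 0 when GID is listed, 1 otherwise.
groups_contains() {
    line=$1
    want=$2
    # Drop the "Groups:" label; the remaining words are the gids.
    set -- $(printf '%s\n' "$line" | sed 's/^Groups:[[:space:]]*//')
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# probe_engine: run the engine once and classify the result.
# Exit status: 0 = gid present (fixed), 1 = gid absent (vulnerable),
# 2 = the container could not be run at all.
probe_engine() {
    gid=${UIDGID#*:}
    line=$("$ENGINE" run --rm --user="$UIDGID" "$IMAGE" \
               grep '^Groups:' /proc/self/status) || return 2
    if groups_contains "$line" "$gid"; then
        echo "FIXED: $ENGINE lists gid $gid in supplementary groups ($line)"
        return 0
    fi
    echo "VULNERABLE: $ENGINE omits gid $gid from supplementary groups ($line)"
    return 1
}

# Only contact the engine when explicitly asked, so the file can be sourced
# for groups_contains without side effects.
if [ "${1:-}" = probe ]; then
    probe_engine
fi
```

Run it as `sh check-groups.sh probe` on the host being assessed; a pre-fix 3.0.1 package prints VULNERABLE and the patched one prints FIXED.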
diff -Nru libpod-3.0.1+dfsg1/debian/changelog libpod-3.0.1+dfsg1/debian/changelog --- libpod-3.0.1+dfsg1/debian/changelog 2023-04-17 01:16:11.000000000 +0300 +++ libpod-3.0.1+dfsg1/debian/changelog 2023-12-29 17:26:49.000000000 +0200 @@ -1,3 +1,12 @@ +libpod (3.0.1+dfsg1-3+deb11u5) bullseye; urgency=medium + + * CVE-2022-2989: Cherry-pick "Add container GID to additional groups" patch + from the v3.0.1-rhel upstream branch (itself a backport from v4.3.0), to + address an incorrect handling of supplementary groups. (Closes: #1019591) + * Add myself to Uploaders. + + -- Faidon Liambotis <parav...@debian.org> Fri, 29 Dec 2023 17:26:49 +0200 + libpod (3.0.1+dfsg1-3+deb11u4) bullseye; urgency=medium * Recompile to fix parsing of DBUS_SESSION_BUS_ADDRESS (Closes: #1018816) diff -Nru libpod-3.0.1+dfsg1/debian/control libpod-3.0.1+dfsg1/debian/control --- libpod-3.0.1+dfsg1/debian/control 2023-04-17 01:16:11.000000000 +0300 +++ libpod-3.0.1+dfsg1/debian/control 2023-12-29 17:26:49.000000000 +0200 @@ -3,7 +3,10 @@ Priority: optional Standards-Version: 4.5.0 Maintainer: Debian Go Packaging Team <pkg-go-maintain...@lists.alioth.debian.org> -Uploaders: Dmitry Smirnov <only...@debian.org>, Reinhard Tartler <siret...@tauware.de> +Uploaders: + Dmitry Smirnov <only...@debian.org>, + Reinhard Tartler <siret...@tauware.de>, + Faidon Liambotis <parav...@debian.org>, Build-Depends: debhelper-compat (= 12) ,bash-completion ,conmon diff -Nru libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml --- libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml 2023-04-17 01:16:11.000000000 +0300 +++ libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml 1970-01-01 02:00:00.000000000 +0200 
@@ -1,25 +0,0 @@ ---- -# https://docs.gitlab.com/ce/ci/yaml/#include -include: - - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml - -## "amd64-unstable" always runs by default followed by lintian. - -## Job to check Build-Depends versioning: -amd64-testing_unstable: - extends: .build - variables: - arch: amd64 - dist: testing_unstable - -i386-unstable: - extends: .build - variables: - arch: i386 - dist: unstable - -amd64-experimental: - extends: .build - variables: - arch: amd64 - dist: experimental diff -Nru libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch --- libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch 1970-01-01 02:00:00.000000000 +0200 +++ libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch 2023-12-29 17:26:49.000000000 +0200 
@@ -0,0 +1,89 @@ +From a256d7188c9db64a00a37798e6a2f0f59b5d798f Mon Sep 17 00:00:00 2001 +From: Matthew Heon <mh...@redhat.com> +Date: Fri, 2 Sep 2022 13:40:29 -0400 +Subject: [PATCH] Add container GID to additional groups + +Mitigates a potential permissions issue. Mirrors Buildah PR #4200 +and CRI-O PR #6159. + +Cherry-pick conflicts for v3.0.1-rhel branch have been addressed. + +Signed-off-by: Matthew Heon <mh...@redhat.com> +--- + libpod/container_internal_linux.go | 1 + + pkg/specgen/generate/namespaces.go | 1 + + test/e2e/run_test.go | 14 +++++++++++--- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go +index fb97a4867..48929d8f6 100644 +--- a/libpod/container_internal_linux.go ++++ b/libpod/container_internal_linux.go +@@ -473,6 +473,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { + // User and Group must go together + g.SetProcessUID(uint32(execUser.Uid)) + g.SetProcessGID(uint32(execUser.Gid)) ++ g.AddProcessAdditionalGid(uint32(execUser.Gid)) + } + + if c.config.Umask != "" { +diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go +index b87375a92..16f79d868 100644 +--- a/pkg/specgen/generate/namespaces.go ++++ b/pkg/specgen/generate/namespaces.go +@@ -398,6 +398,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt + } + g.SetProcessUID(uint32(uid)) + g.SetProcessGID(uint32(gid)) ++ g.AddProcessAdditionalGid(uint32(gid)) + fallthrough + case specgen.Private: + if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil { +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go +index bf122a4c0..deba95b28 100644 +--- a/test/e2e/run_test.go ++++ b/test/e2e/run_test.go +@@ -771,7 +771,7 @@ USER bin` + session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"}) + session.WaitWithDefaultTimeout() + 
Expect(session.ExitCode()).To(Equal(0)) +- Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)")) ++ Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)")) + }) + + It("podman run with user (integer, in /etc/passwd)", func() { +@@ -792,14 +792,14 @@ USER bin` + session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) +- Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)")) ++ Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)")) + }) + + It("podman run with user:group (integer:groupname)", func() { + session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) +- Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)")) ++ Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)")) + }) + + It("podman run with user, verify caps dropped", func() { +@@ -810,6 +810,14 @@ USER bin` + Expect("0000000000000000").To(Equal(capEff[1])) + }) + ++ It("podman run with user, verify group added", func() { ++ session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"}) ++ session.WaitWithDefaultTimeout() ++ Expect(session.ExitCode()).To(Equal(0)) ++ groups := strings.Split(session.OutputToString(), " ")[1] ++ Expect("1000").To(Equal(groups)) ++ }) ++ + It("podman run with attach stdin outputs container ID", func() { + session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"}) + session.WaitWithDefaultTimeout() +-- +2.39.2 + diff -Nru libpod-3.0.1+dfsg1/debian/patches/series libpod-3.0.1+dfsg1/debian/patches/series --- libpod-3.0.1+dfsg1/debian/patches/series 2023-04-17 01:16:11.000000000 +0300 +++ libpod-3.0.1+dfsg1/debian/patches/series 2023-12-29 
17:26:49.000000000 +0200 @@ -3,3 +3,4 @@ systemd-tweaks.patch networking-lookup-child-IP-in-networks.patch 0001-do-not-set-the-inheritable-capabilities.patch +CVE-2022-2989-Add-container-GID-to-additional-groups.patch
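Review bot: the debian/control hunk turns Uploaders into a multi-line list that ends with a trailing comma after `Faidon Liambotis <parav...@debian.org>,`, whereas the replaced single-line field had none; this is a deliberate style that keeps future additions to one-line diffs, but please confirm the bullseye dpkg-dev and lintian accept a trailing comma in Uploaders before relying on it in a stable update.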
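Review bot: the deletion of debian/.gitlab-ci.yml (`@@ -1,25 +0,0 @@`) is not mentioned in the new changelog entry, although the checklist states that all changes are documented in d/changelog; either add a changelog line for it or drop the deletion from this upload, since a (old)stable update should carry only the CVE fix and what it needs.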
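Review bot: the new debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch carries only the git format-patch headers (From, Date, Subject); for DEP-3 traceability add `Origin: upstream, https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f` and `Bug-Debian: https://bugs.debian.org/1019591` above the `---` separator. Two further points to confirm: the hunk offsets (`@@ -473,6 +473,7 @@`, `@@ -398,6 +398,7 @@`, `@@ -771,7 +771,7 @@`) come from the v3.0.1-rhel tree, so check that quilt applies them to 3.0.1+dfsg1 without fuzz; and the test/e2e/run_test.go changes (the updated `id` expectations and the new "podman run with user, verify group added" case, which uses `strings.Split` without an accompanying import hunk) only exercise the fix when the e2e suite runs against a working runtime, so their coverage should not be assumed from the Debian build's partial test run.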