Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: contain...@packages.debian.org, z...@debian.org Control: affects -1 + src:containerd
[ Reason ]
Backport the upstream patch for CVE-2022-23471.
https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9
> A bug was found in containerd's CRI implementation where a user can exhaust
> memory on the host.

[ Impact ]

[ Tests ]
No new test is added, but the patch is simple and easy to review. It is taken from the upstream 1.5 release branch without modification.

[ Risks ]
The code change is trivial.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
See attachment

[ Other info ]
No
diff -Nru containerd-1.4.13~ds1/debian/changelog containerd-1.4.13~ds1/debian/changelog
--- containerd-1.4.13~ds1/debian/changelog	2022-06-07 03:07:20.000000000 +0800
+++ containerd-1.4.13~ds1/debian/changelog	2022-12-08 10:24:34.000000000 +0800
@@ -1,3 +1,9 @@
+containerd (1.4.13~ds1-1~deb11u3) bullseye; urgency=medium
+
+  * CVE-2022-23471: CRI plugin: Fix goroutine leak during Exec
+
+ -- Shengjing Zhu <z...@debian.org>  Thu, 08 Dec 2022 10:24:34 +0800
+
 containerd (1.4.13~ds1-1~deb11u2) bullseye-security; urgency=high
 
   * CVE-2022-31030: CRI plugin: Host memory exhaustion through ExecSync
diff -Nru containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch
--- containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch	1970-01-01 08:00:00.000000000 +0800
+++ containerd-1.4.13~ds1/debian/patches/0011-CVE-2022-23471.patch	2022-12-08 10:24:34.000000000 +0800
@@ -0,0 +1,56 @@
+From: Danny Canter <da...@dcantah.dev>
+Date: Mon, 28 Nov 2022 14:45:34 -0800
+Subject: CVE-2022-23471
+
+Origin: backport, https://github.com/containerd/containerd/commit/6cd11527
+---
+ .../cri/pkg/streaming/remotecommand/httpstream.go | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go b/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
+index 0417a1a..9177fa7 100644
+--- a/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
++++ b/vendor/github.com/containerd/cri/pkg/streaming/remotecommand/httpstream.go
+@@ -33,6 +33,7 @@ limitations under the License.
+ package remotecommand
+ 
+ import (
++	gocontext "context"
+ 	"encoding/json"
+ 	"errors"
+ 	"fmt"
+@@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp
+ 
+ 	if ctx.resizeStream != nil {
+ 		ctx.resizeChan = make(chan remotecommand.TerminalSize)
+-		go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
++		go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
+ 	}
+ 
+ 	return ctx, true
+@@ -425,7 +426,7 @@ WaitForStreams:
+ // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
+ func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }
+ 
+-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
++func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+ 	defer runtime.HandleCrash()
+ 	defer close(channel)
+ 
+@@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
+ 		if err := decoder.Decode(&size); err != nil {
+ 			break
+ 		}
+-		channel <- size
++
++		select {
++		case channel <- size:
++		case <-ctx.Done():
++			// To avoid leaking this routine, exit if the http request finishes. This path
++			// would generally be hit if starting the process fails and nothing is started to
++			// ingest these resize events.
++			return
++		}
+ 	}
+ }
+ 
diff -Nru containerd-1.4.13~ds1/debian/patches/series containerd-1.4.13~ds1/debian/patches/series
--- containerd-1.4.13~ds1/debian/patches/series	2022-06-07 03:07:20.000000000 +0800
+++ containerd-1.4.13~ds1/debian/patches/series	2022-12-08 10:24:34.000000000 +0800
@@ -8,3 +8,4 @@
 0008-Add-RPi1-RPi0-workaround.patch
 0009-CVE-2022-31030.patch
 0010-CVE-2022-24769.patch
+0011-CVE-2022-23471.patch
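Review bot: The new `select` in `handleResizeEvents` only observes `ctx.Done()` after `decoder.Decode` has returned a size, so a goroutine parked inside `Decode` on a resize stream that stays open but silent is not released when the request context ends; the leak fix in this hunk therefore relies on the stream's Read failing once the request is torn down, which nothing in the patch shows. That is likely how the streams this handler serves behave, but the contract of the new `ctx` parameter is left undocumented, and a backport reviewer has to reconstruct it. Suggest a doc comment on the function: `// handleResizeEvents forwards TerminalSize events decoded from stream to channel until the stream errors or ctx (the HTTP request's context) is done. It cannot interrupt a Decode blocked on an idle stream; that relies on stream being closed when the request ends.` The decoder setup and the enclosing for-loop begin before the hunk.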