Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: only...@debian.org, siret...@tauware.de
[ Reason ]
A no-dsa security vulnerability, CVE-2022-27650:
https://security-tracker.debian.org/tracker/CVE-2022-27650

[ Impact ]
Copying from the CVE: "A flaw was found in crun where containers were
incorrectly started with non-empty default permissions. A vulnerability
was found in Moby (Docker Engine) where containers were started
incorrectly with non-empty inheritable Linux process capabilities. This
flaw allows an attacker with access to programs with inheritable file
capabilities to elevate those capabilities to the permitted set when
execve(2) runs."

[ Tests ]
Smoke-tested manually with podman. No automated tests on the Debian end,
sadly. The change has been tested on upstream's CI system and in
deployments in the wild, however.

[ Risks ]
Low risk: the diff is pretty trivial and a direct backport of two
upstream commits, that apply cleanly. They have also been included in a
version released almost a year ago (March 24, 2022), v1.4.4.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Backport of upstream commits:
https://github.com/containers/crun/commit/b847d146d496c9d7beba166fd595488e85488562
https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6

Syncing Uploaders with unstable, including adding myself, to indicate
this is a Maintainer upload.

[ Other info ]
The diff is staged in salsa, under the debian/bullseye branch, in the
debian/crun repository.

Thank you for your consideration!

Best,
Faidon
diff -Nru crun-0.17+dfsg/debian/changelog crun-0.17+dfsg/debian/changelog --- crun-0.17+dfsg/debian/changelog 2021-02-01 03:33:51.000000000 +0200 +++ crun-0.17+dfsg/debian/changelog 2023-02-11 23:44:44.000000000 +0200 @@ -1,3 +1,13 @@ +crun (0.17+dfsg-1+deb11u1) bullseye; urgency=medium + + * Backport upstream commits b847d14 ("spec: do not set inheritable + capabilities") and 1aeeed2 ("exec: --cap do not set inheritable + capabilities") to address CVE-2022-27650, a flaw where containers were + incorrectly started with non-empty default permissions. + * Sync Uploaders from unstable, to indicate that this a maintainer upload. + + -- Faidon Liambotis <parav...@debian.org> Sat, 11 Feb 2023 23:44:44 +0200 + crun (0.17+dfsg-1) unstable; urgency=medium * New upstream release. diff -Nru crun-0.17+dfsg/debian/control crun-0.17+dfsg/debian/control --- crun-0.17+dfsg/debian/control 2020-07-17 16:20:31.000000000 +0300 +++ crun-0.17+dfsg/debian/control 2023-02-11 23:29:43.000000000 +0200 @@ -3,6 +3,9 @@ Priority: optional Standards-Version: 4.5.0 Maintainer: Dmitry Smirnov <only...@debian.org> +Uploaders: + Faidon Liambotis <parav...@debian.org>, + Reinhard Tartler <siret...@tauware.de>, Build-Depends: debhelper-compat (= 12) ,automake ,golang-github-opencontainers-image-spec-dev diff -Nru crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch --- crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch 1970-01-01 02:00:00.000000000 +0200 +++ crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch 2023-02-11 23:42:25.000000000 +0200 
@@ -0,0 +1,15 @@ +diff --git a/src/exec.c b/src/exec.c +index 7a8931e5..c876ecd1 100644 +--- a/src/exec.c ++++ b/src/exec.c +@@ -304,8 +304,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a + capabilities->effective = exec_options.cap; + capabilities->effective_len = exec_options.cap_size; + +- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size); +- capabilities->inheritable_len = exec_options.cap_size; ++ capabilities->inheritable = NULL; ++ capabilities->inheritable_len = 0; + + capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size); + capabilities->bounding_len = exec_options.cap_size; diff -Nru crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch --- crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch 1970-01-01 02:00:00.000000000 +0200 +++ crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch 2023-02-11 23:14:40.000000000 +0200 @@ -0,0 +1,14 @@ +diff --git a/src/libcrun/container.c b/src/libcrun/container.c +index 5a0744ff..f60740d8 100644 +--- a/src/libcrun/container.c ++++ b/src/libcrun/container.c +@@ -120,9 +120,6 @@ static const char spec_file[] = "\ + \"CAP_NET_BIND_SERVICE\"\n\ + ],\n\ + \"inheritable\": [\n\ +- \"CAP_AUDIT_WRITE\",\n\ +- \"CAP_KILL\",\n\ +- \"CAP_NET_BIND_SERVICE\"\n\ + ],\n\ + \"permitted\": [\n\ + \"CAP_AUDIT_WRITE\",\n\ diff -Nru crun-0.17+dfsg/debian/patches/series crun-0.17+dfsg/debian/patches/series --- crun-0.17+dfsg/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ crun-0.17+dfsg/debian/patches/series 2023-02-11 23:43:29.000000000 +0200 @@ -0,0 +1,2 @@ +CVE-2022-27650-b847d14.patch +CVE-2022-27650-1aeeed2.patch
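Review bot: typo in the second bullet of the new debian/changelog entry: "to indicate that this a maintainer upload" is missing "is". The first bullet's summary, "containers were incorrectly started with non-empty default permissions", could also say "non-empty default inheritable capabilities", which is what the two backported commits actually change and what the CVE text in the [ Impact ] section describes.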
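Review bot: the added Uploaders field in debian/control ends with a trailing comma after Reinhard Tartler's entry; since the stated intent is to sync the field from unstable, confirm the three lines match unstable's debian/control exactly (including that trailing comma) so the two branches do not drift on a field that affects who is considered a maintainer for uploads.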
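Review bot: debian/patches/CVE-2022-27650-1aeeed2.patch starts directly at "diff --git a/src/exec.c b/src/exec.c" with no DEP-3 header. Add at least "Origin: upstream, https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6" and a "Bug:" or "Description:" line naming CVE-2022-27650, so the provenance stated in the bug report is also recorded in the patch itself. The code change is sound: "capabilities->inheritable = NULL;" and "capabilities->inheritable_len = 0;" stop `crun exec --cap` from copying the requested caps into the inheritable set, while effective and bounding still receive dup_array copies as before.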
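Review bot: debian/patches/CVE-2022-27650-b847d14.patch likewise lacks a DEP-3 header; add "Origin: upstream, https://github.com/containers/crun/commit/b847d146d496c9d7beba166fd595488e85488562" and a CVE reference. After removing the three entries, the embedded default spec still reads `"inheritable": [` followed by `],`, which is a valid empty JSON array, but since [ Tests ] lists only a manual podman smoke test it is worth stating that `crun spec` output was checked to parse and that a container started from it shows an empty inheritable set (CapInh in /proc/<pid>/status).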
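The mechanism the CVE text in [ Impact ] describes (inheritable process capabilities turning into permitted capabilities on execve(2)) is easy to misread, so here is an added worked example that is not part of the bug report, the debdiff, or crun itself. It builds two constructed OCI config.json fragments, one with the pre-fix default inheritable set (the three capabilities visible in the b847d14 hunk) and one with the empty set the backport produces, audits the inheritable field the way a hardening check would, and applies the execve(2) transition rule from capabilities(7) to show what a process with those sets ends up with after executing a file that carries file capabilities. The helper names, the config fragments and the file capability sets are all assumptions made for the example; the transition rule deliberately omits the root/setuid and securebits special cases.

```python
"""Added example, not code from crun or the Debian packaging.

Audits process.capabilities.inheritable in an OCI config and models the
execve(2) capability transition from capabilities(7) to show why a
non-empty default inheritable set matters (CVE-2022-27650).
"""
import json

# The three capabilities crun's default spec grants (visible in the b847d14 hunk).
DEFAULT_CAPS = ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"]


def make_config(inheritable):
    """Constructed OCI config.json fragment; only process.capabilities matters here."""
    return json.dumps({
        "ociVersion": "1.0.2",
        "process": {
            "user": {"uid": 0, "gid": 0},
            "capabilities": {
                "bounding": DEFAULT_CAPS,
                "effective": DEFAULT_CAPS,
                "inheritable": inheritable,
                "permitted": DEFAULT_CAPS,
            },
        },
    })


PRE_FIX_CONFIG = make_config(DEFAULT_CAPS)   # shape of the pre-fix default spec
POST_FIX_CONFIG = make_config([])            # shape of the spec after the backport


def audit_inheritable(config_text):
    """Return the caps listed in process.capabilities.inheritable (sorted).

    An empty list is the expected, hardened state; anything else is a finding."""
    cfg = json.loads(config_text)
    caps = cfg.get("process", {}).get("capabilities", {})
    return sorted(caps.get("inheritable") or [])


def permitted_after_execve(p_inheritable, p_bounding, p_ambient,
                           f_inheritable, f_permitted):
    """Permitted set of the new image after execve(2), per capabilities(7):

        P'(permitted) = (P(inheritable) & F(inheritable))
                      | (F(permitted) & P(bounding))
                      | P'(ambient)

    Root/setuid and securebits special cases are omitted (assumption)."""
    p_inh, p_bnd = set(p_inheritable), set(p_bounding)
    f_inh, f_perm = set(f_inheritable), set(f_permitted)
    # A file carrying any file capability is "privileged": ambient caps are dropped.
    new_ambient = set() if (f_inh or f_perm) else set(p_ambient)
    return (p_inh & f_inh) | (f_perm & p_bnd) | new_ambient


def caps_gained_from_file(config_text, f_inheritable, f_permitted=()):
    """Caps a process whose permitted set is already empty but whose
    inheritable and bounding sets come from the config ends up with after
    executing a file with the given file capability sets."""
    caps = json.loads(config_text)["process"]["capabilities"]
    return sorted(permitted_after_execve(
        p_inheritable=caps.get("inheritable") or [],
        p_bounding=caps.get("bounding") or [],
        p_ambient=[],
        f_inheritable=f_inheritable,
        f_permitted=f_permitted,
    ))


if __name__ == "__main__":
    for name, cfg in (("pre-fix", PRE_FIX_CONFIG), ("post-fix", POST_FIX_CONFIG)):
        print(name, "inheritable:", audit_inheritable(cfg))
        print(name, "gained via fI=CAP_NET_BIND_SERVICE:",
              caps_gained_from_file(cfg, ["CAP_NET_BIND_SERVICE"]))
```

Running it shows the point of the backport: with the pre-fix inheritable set, a file whose file-inheritable set holds CAP_NET_BIND_SERVICE hands that capability to the new image; with the empty post-fix set it does not. File-permitted capabilities within the bounding set still apply in both cases, which is the intended, unchanged behaviour. The same `audit_inheritable` check can be pointed at real config.json files from a container runtime's bundle directory to find images or runtimes still shipping a non-empty default.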