Hi Jonathan,

Am Montag, dem 01.07.2024 um 18:49 +0100 schrieb Jonathan Wiltshire:


[..]
> Please don't change history, and send a debdiff (relative to u4) of a
> proposed upload fixing the regressions as 1.0.0~rc93+ds1-5+deb11u5 and a
> proper changelog. Do not upload without further approval.

Please find attached the debdiff. The u4 upload was missing just one
patch.

I'm currently looking into the build issues you mentioned.

Regards, Daniel



diff -Nru runc-1.0.0~rc93+ds1/debian/changelog runc-1.0.0~rc93+ds1/debian/changelog
--- runc-1.0.0~rc93+ds1/debian/changelog	2024-06-28 00:16:20.000000000 +0200
+++ runc-1.0.0~rc93+ds1/debian/changelog	2024-06-28 00:56:20.000000000 +0200
@@ -1,3 +1,16 @@
+runc (1.0.0~rc93+ds1-5+deb11u5) bullseye; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * d/changelog: Cleaned up the last entry for 1.0.0~rc93+ds1-5+deb11u4
+    removing some superflous entries.
+  * d/patches/CVE-2023-27561-and-CVE-2023-28642: Added to fix CVE-2023-27561
+    and CVE-2023-27561.
+    - It was found that the fix for CVE-2021-30465 introduced a regression in
+      regards to CVE-2019-19921 which results in an incorrect access control
+      leading to privilege escalation and bypassing apparmor.
+
+ -- Daniel Leidert <dleid...@debian.org>  Fri, 28 Jun 2024 00:56:20 +0200
+
 runc (1.0.0~rc93+ds1-5+deb11u4) bullseye; urgency=medium
 
   * Non-maintainer upload by the Debian LTS Team.
@@ -15,11 +28,6 @@
     - It was found that rootless runc makes `/sys/fs/cgroup` writable under
       specific conditions. A container may then gain the write access to
       user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
-  * Update changelog for 1.0.0~rc93+ds1-5+deb11u4~1.gbpce2b39 release
-  * Update patch for download URLs of busybox tarball
-  * Add patch to fix CVE-2021-43784.patch
-  * Add patch to fix tests with newer kernels
-  * Add patch to fix CVE-2023-25809
 
  -- Daniel Leidert <dleid...@debian.org>  Fri, 28 Jun 2024 00:16:20 +0200
 
diff -Nru runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml
--- runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml	2024-06-28 00:16:20.000000000 +0200
+++ runc-1.0.0~rc93+ds1/debian/.gitlab-ci.yml	2024-06-28 00:56:20.000000000 +0200
@@ -1,37 +1,10 @@
 ---
-# https://docs.gitlab.com/ce/ci/yaml/#include
 include:
-  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-## "amd64-unstable" always runs by default followed by lintian.
-
-## Only for arch:all packages - remove if not required:
-binary-indep:
-  extends: .build-indep
-
-## Job to check Build-Depends versioning:
-amd64-testing_unstable:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: testing_unstable
-
-i386-unstable:
-  extends: .build
-  variables:
-    arch: i386
-    dist: unstable
-
-amd64-experimental:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: experimental
-
-amd64-stable:
-  extends: .build
-  when: manual
-  allow_failure: true
-  variables:
-    arch: amd64
-    dist: stable
+variables:
+  RELEASE: 'bullseye'
+  SALSA_CI_COMPONENTS: 'main contrib non-free'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
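Review bot: This rewrite of debian/.gitlab-ci.yml is not part of the regression fix the requested debdiff is meant to carry, and the changelog entry in the same debdiff does not mention it; for an LTS upload reviewed against u4, either leave this file out or document it with a bullet such as `* d/gitlab-ci.yml: Switch to the salsa-ci pipeline.`. The new variables block also turns off two checks (`SALSA_CI_DISABLE_LINTIAN: 1`, `SALSA_CI_DISABLE_REPROTEST: 1`) without saying why; a one-line comment above them, e.g. `# lintian/reprotest disabled for the bullseye branch; re-enable when they pass`, would stop the next uploader from re-enabling them blindly or inheriting the opt-out unknowingly.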
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch
--- runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch	1970-01-01 01:00:00.000000000 +0100
+++ runc-1.0.0~rc93+ds1/debian/patches/CVE-2023-27561-and-CVE-2023-28642.patch	2024-06-28 00:56:20.000000000 +0200
@@ -0,0 +1,109 @@
+From: Kir Kolyshkin <kolysh...@gmail.com>
+Date: Thu, 16 Mar 2023 14:35:50 -0700
+Subject: [PATCH] Prohibit /proc and /sys to be symlinks
+
+Commit 3291d66b9844 introduced a check for /proc and /sys, making sure
+the destination (dest) is a directory (and not e.g. a symlink).
+
+Later, a hunk from commit 0ca91f44f switched from using filepath.Join
+to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
+the check whether dest is a symlink no longer works.
+
+To fix, do the check without/before using SecureJoin.
+
+Add integration tests to make sure we won't regress.
+
+Signed-off-by: Kir Kolyshkin <kolysh...@gmail.com>
+(cherry picked from commit 0d72adf96dda1b687815bf89bb245b937a2f603c)
+Signed-off-by: Sebastiaan van Stijn <git...@gone.nl>
+
+This patch fixes both, CVE-2023-27561 and CVE-2023-28642
+
+Acked-by: Daniel Leidert <dleid...@debian.org>
+Origin: https://github.com/opencontainers/runc/commit/0abab45c9b97c113ff2cdc16f3a7388444c3fbec.patch
+Forwarded: not-needed
+---
+ libcontainer/rootfs_linux.go | 23 +++++++++++++++++------
+ tests/integration/mask.bats  | 19 +++++++++++++++++++
+ 2 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 4791ceb..07303b0 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -393,12 +393,9 @@ func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
+ 
+ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 	rootfs := c.root
+-	mountLabel := c.label
+-	dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+-	if err != nil {
+-		return err
+-	}
+ 
++	// procfs and sysfs are special because we need to ensure they are actually
++	// mounted on a specific path in a container without any funny business.
+ 	switch m.Device {
+ 	case "proc", "sysfs":
+ 		// If the destination already exists and is not a directory, we bail
+@@ -406,11 +403,16 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 		// has been a "fun" attack scenario in the past.
+ 		// TODO: This won't be necessary once we switch to libpathrs and we can
+ 		//       stop all of these symlink-exchange attacks.
++		dest := filepath.Clean(m.Destination)
++		if !strings.HasPrefix(dest, rootfs) {
++			// Do not use securejoin as it resolves symlinks.
++			dest = filepath.Join(rootfs, dest)
++		}
+ 		if fi, err := os.Lstat(dest); err != nil {
+ 			if !os.IsNotExist(err) {
+ 				return err
+ 			}
+-		} else if fi.Mode()&os.ModeDir == 0 {
++		} else if !fi.IsDir() {
+ 			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
+ 		}
+ 		if err := os.MkdirAll(dest, 0755); err != nil {
+@@ -418,6 +420,15 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 		}
+ 		// Selinux kernels do not support labeling of /proc or /sys
+ 		return mountPropagate(m, rootfs, "")
++	}
++
++	mountLabel := c.label
++	dest, err := securejoin.SecureJoin(rootfs, m.Destination)
++	if err != nil {
++		return err
++	}
++
++	switch m.Device {
+ 	case "mqueue":
+ 		if err := os.MkdirAll(dest, 0755); err != nil {
+ 			return err
+diff --git a/tests/integration/mask.bats b/tests/integration/mask.bats
+index 0786c2a..107b924 100644
+--- a/tests/integration/mask.bats
++++ b/tests/integration/mask.bats
+@@ -57,3 +57,22 @@ function teardown() {
+ 	[ "$status" -eq 1 ]
+ 	[[ "${output}" == *"Operation not permitted"* ]]
+ }
++
++@test "mask paths [prohibit symlink /proc]" {
++	ln -s /symlink rootfs/proc
++	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
++	[ "$status" -eq 1 ]
++	[[ "${output}" == *"must be mounted on ordinary directory"* ]]
++}
++
++@test "mask paths [prohibit symlink /sys]" {
++	# In rootless containers, /sys is a bind mount not a real sysfs.
++	requires root
++
++	ln -s /symlink rootfs/sys
++	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
++	[ "$status" -eq 1 ]
++	# On cgroup v1, this may fail before checking if /sys is a symlink,
++	# so we merely check that it fails, and do not check the exact error
++	# message like for /proc above.
++}
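Review bot: The changelog entry shipped with this debdiff names CVE-2023-27561 twice, while the patch header here (`This patch fixes both, CVE-2023-27561 and CVE-2023-28642`) and the file name give the second id as CVE-2023-28642; the changelog line should read `and CVE-2023-28642.` so the security tracker records both fixes against this upload. In the new mountToRootfs code, `strings.HasPrefix(dest, rootfs)` is a bare string-prefix test, so a cleaned destination that merely shares a leading substring with the rootfs path (a sibling directory) would be treated as already rooted and skip the join; as far as the hunk shows m.Destination comes from the container config rather than from the image, so this is hardening beyond the CVE, but `dest == rootfs || strings.HasPrefix(dest, rootfs+string(filepath.Separator))` would make the intent explicit. The hunk also introduces a use of the strings package without touching the import block; given the build problems mentioned in the mail, it is worth confirming the bullseye rootfs_linux.go already imports `strings` after the earlier backports. mountToRootfs starts before the first quoted hunk and continues past the last one, so the remaining mount cases that now use the later SecureJoin `dest` are not visible here.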
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/series runc-1.0.0~rc93+ds1/debian/patches/series
--- runc-1.0.0~rc93+ds1/debian/patches/series	2024-06-28 00:16:20.000000000 +0200
+++ runc-1.0.0~rc93+ds1/debian/patches/series	2024-06-28 00:56:20.000000000 +0200
@@ -26,3 +26,4 @@
 CVE-2021-43784.patch
 0027-Fix-test-for-newer-kernels.patch
 CVE-2023-25809.patch
+CVE-2023-27561-and-CVE-2023-28642.patch

