On Thu, May 20, 2021 at 2:33 AM Shengjing Zhu <[email protected]> wrote:
>
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> X-Debbugs-Cc: [email protected]
>
> Please unblock package runc
>
> [ Reason ]
> Fix CVE-2021-30465
> https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
>
> [ Impact ]
> The package can migrate itself (it has an autopkgtest and is not a key package),
> but I'd like to reduce the age.
>
> [ Tests ]
> I have done some basic tests. But I'm not sure how to trigger the security
> issue, so I can't verify whether it's really fixed.
>
> [ Risks ]
> The patch provided by upstream can't be applied cleanly to the version we have
> in sid. So I looked at the changes and backported another two PRs, which makes
> the diff a bit large.
>
After I had uploaded -4, I found that upstream has provided a patchset for runc/1.0.0~rc93, but only on the oss-security list:
https://www.openwall.com/lists/oss-security/2021/05/19/2

So the patches I made in -4 are replaced by the upstream ones.

$ cat debian/patches/CVE-2021-30465/*|diffstat
 b/libcontainer/container_linux.go  |   7 +--
 b/libcontainer/init_linux.go       |   1
 b/libcontainer/rootfs_linux.go     |  42 +++++++++++-------
 b/libcontainer/specconv/example.go |  18 +++----
 b/libcontainer/utils/utils.go      |  54 +++++++++++++++++++++++
 b/libcontainer/utils/utils_test.go |  35 +++++++++++++++
 libcontainer/container_linux.go    |   4 +
 libcontainer/rootfs_linux.go       | 289 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------------
 8 files changed, 283 insertions(+), 167 deletions(-)

The changes are almost the same as in -4.

Please unblock runc/1.0.0~rc93+ds1-5

