Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Please unblock package containerd
[ Reason ]
Backport patch for CVE-2021-32760: https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w
[ Impact ]
If it's blocked, the package has security issue.
[ Tests ]
Upstream has added a regression test to the patch.
[ Risks ]
Only one line change(in archive/tar_unix.go file), and a new test (in archive/tar_unix.go file).
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
unblock containerd/1.4.5~ds1-2
diff -Nru containerd-1.4.5~ds1/debian/changelog containerd-1.4.5~ds1/debian/changelog
--- containerd-1.4.5~ds1/debian/changelog 2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/changelog 2021-07-20 02:36:10.000000000 +0800
@@ -1,3 +1,9 @@
+containerd (1.4.5~ds1-2) unstable; urgency=medium
+
+ * Backport patches for CVE-2021-32760
+
+ -- Shengjing Zhu <[email protected]> Tue, 20 Jul 2021 02:36:10 +0800
+
 containerd (1.4.5~ds1-1) unstable; urgency=medium
 
 * New upstream patch version v1.4.5
diff -Nru containerd-1.4.5~ds1/debian/gbp.conf containerd-1.4.5~ds1/debian/gbp.conf
--- containerd-1.4.5~ds1/debian/gbp.conf 2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/gbp.conf 2021-07-20 02:36:10.000000000 +0800
@@ -1,4 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 debian-branch = debian/sid
+upstream-branch = upstream/sid
 dist = DEP14
diff -Nru containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch
--- containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch 1970-01-01 08:00:00.000000000 +0800
+++ containerd-1.4.5~ds1/debian/patches/0008-CVE-2021-32760.patch 2021-07-20 02:36:10.000000000 +0800
@@ -0,0 +1,91 @@
+From 03aa748c11663e87a72fab92b7ab7c88c28bf13e Mon Sep 17 00:00:00 2001
+From: Derek McGowan <[email protected]>
+Date: Tue, 6 Jul 2021 12:37:54 -0700
+Subject: [PATCH 1/2] Use chmod path for checking symlink
+
+Signed-off-by: Derek McGowan <[email protected]>
+(cherry picked from commit 27597ccfd30d8aa06b448062896bccfb33ad8f22)
+Signed-off-by: Derek McGowan <[email protected]>
+---
+ archive/tar_unix.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tar_unix.go b/archive/tar_unix.go
+index 6e89d2fdbc9..c22e79bf2be 100644
+--- a/archive/tar_unix.go
++++ b/archive/tar_unix.go
+@@ -113,7 +113,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+ 
+ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+ if hdr.Typeflag == tar.TypeLink {
+- if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
++ if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+ if err := os.Chmod(path, hdrInfo.Mode()); err != nil && !os.IsNotExist(err) {
+ return err
+ }
+
+From 664f93ead6c613a9f0e9932dfa75c602dbe35f41 Mon Sep 17 00:00:00 2001
+From: Derek McGowan <[email protected]>
+Date: Tue, 6 Jul 2021 16:23:03 -0700
+Subject: [PATCH 2/2] Add test for archive breakout test for lchmod
+
+Signed-off-by: Derek McGowan <[email protected]>
+(cherry picked from commit ad81d76219a75559cb9d74a214efe0d779d7cbef)
+Signed-off-by: Derek McGowan <[email protected]>
+---
+ archive/tar_test.go | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/archive/tar_test.go b/archive/tar_test.go
+index 568f5a95f1c..8ffd3f221b8 100644
+--- a/archive/tar_test.go
++++ b/archive/tar_test.go
+@@ -243,6 +243,11 @@ func TestBreakouts(t *testing.T) {
+ return nil
+ }
+ errFileDiff := errors.New("files differ")
++ td, err := ioutil.TempDir("", "test-breakouts-")
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer os.RemoveAll(td)
+ 
isSymlinkFile := func(f string) func(string) error {
+ return func(root string) error {
+@@ -744,6 +749,36 @@ func TestBreakouts(t *testing.T) {
+ // resolution ends up just removing etc
+ validator: fileNotExists("etc/passwd"),
+ },
++ {
++
++ name: "HardlinkSymlinkChmod",
++ w: func() tartest.WriterToTar {
++ p := filepath.Join(td, "perm400")
++ if err := ioutil.WriteFile(p, []byte("..."), 0400); err != nil {
++ t.Fatal(err)
++ }
++ ep := filepath.Join(td, "also-exists-outside-root")
++ if err := ioutil.WriteFile(ep, []byte("..."), 0640); err != nil {
++ t.Fatal(err)
++ }
++
++ return tartest.TarAll(
++ tc.Symlink(p, ep),
++ tc.Link(ep, "sketchylink"),
++ )
++ }(),
++ validator: func(string) error {
++ p := filepath.Join(td, "perm400")
++ fi, err := os.Lstat(p)
++ if err != nil {
++ return err
++ }
++ if perm := fi.Mode() & os.ModePerm; perm != 0400 {
++ return errors.Errorf("%s perm changed from 0400 to %04o", p, perm)
++ }
++ return nil
++ },
++ },
+ }
+ 
+ for _, bo := range breakouts {
diff -Nru containerd-1.4.5~ds1/debian/patches/series containerd-1.4.5~ds1/debian/patches/series
--- containerd-1.4.5~ds1/debian/patches/series 2021-05-12 13:17:38.000000000 +0800
+++ containerd-1.4.5~ds1/debian/patches/series 2021-07-20 02:36:10.000000000 +0800
@@ -5,3 +5,4 @@
 0005-backport-github.com-containerd-containerd-remotes.patch
 0006-backport-apparmor-handle-signal-mediation.patch
 0007-backport-runtime-ignore-file-already-closed-error.patch
+0008-CVE-2021-32760.patch
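Review bot: The new HardlinkSymlinkChmod case never says why `also-exists-outside-root` has to be a plain, non-symlink file outside the extraction root, which is the crux of the regression it guards: the removed line checked `os.Lstat(hdr.Linkname)`, a name resolved against the process's working directory rather than the root, so a hard link to an in-root symlink satisfied the check and the following `os.Chmod(path, …)` then followed the symlink, which is exactly the permission change the validator asserts did not happen to `perm400`. A comment above the `ep` setup such as `// ep must exist outside the root as a regular file so the pre-fix Lstat(hdr.Linkname) check passes` would make the case readable without the advisory at hand. The fixed check Lstats `path`, the entry as actually written inside the root, so a hard link resolving to a symlink is now skipped; the rest of handleLChmod, including how other type flags reach os.Chmod, lies outside the hunk. Note also that the unblock request text places the new test in archive/tar_unix.go, while the patch adds it to archive/tar_test.go.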

