Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: golang-github-containers-stor...@packages.debian.org, siret...@tauware.de, siret...@gmail.com, Vignesh Raman vignesh.ra...@collabora.com Control: affects -1 + src:golang-github-containers-storage
[ Reason ] In order to fix CVE-2022-1227, an update to golang-github-containers-psgo is needed, more specifically, https://github.com/containers/psgo/pull/92 That patch introduces a dependency on golang-github-containers-storage, and uses the helper functions RawTo{Container,Host} which are introduced with this patch. [ Impact ] [ Tests ] No new tests are added. The patch was taken from upstream and required little modificaiton to apply. [ Risks ] The code changes adds a helper function that isn't used otherwise yet. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 837efeeb1..640a90134 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-containers-storage (1.24.8+dfsg1-2~deb11u1) bullseye; urgency=medium
+
+ [ Vignesh Raman ]
+ * prereq to fix CVE-2022-1227: pkg: idtools: export RawTo{Container,Host}
+
+ -- Reinhard Tartler <siret...@tauware.de> Wed, 28 Dec 2022 21:39:17 -0500
+
 golang-github-containers-storage (1.24.8+dfsg1-1) unstable; urgency=medium
 
 * New upstream release, focused on targetted bugfixes for podman 3.0
diff --git a/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch b/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
new file mode 100644
index 000000000..d00cbd0e9
--- /dev/null
+++ b/debian/patches/0001-pkg-idtools-export-RawTo-Container-Host.patch
@@ -0,0 +1,111 @@
+From 3da85a122411a57b5a65dc243ae56f89d7fd2564 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyp...@cyphar.com>
+Date: Wed, 12 Jan 2022 12:56:56 +1100
+Subject: [PATCH 1/4] pkg: idtools: export RawTo{Container,Host}
+
+While the IDMapping methods are preferable for most users, sometimes it
+is necessary to map a single ID using a given mapping. In particular
+this is needed for psgo to be able to map the user and group entries in
+/proc/$pid/status using the user namespace of the target process.
+
+Required to resolve CVE-2022-1227.
+
+Signed-off-by: Aleksa Sarai <cyp...@cyphar.com>
+Backported-by: Valentin Rothberg <vrothb...@redhat.com>
+---
+ pkg/idtools/idtools.go | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/pkg/idtools/idtools.go b/pkg/idtools/idtools.go
+index 83bc8c34f..d3d56066e 100644
+--- a/pkg/idtools/idtools.go
++++ b/pkg/idtools/idtools.go
+@@ -82,7 +82,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ if len(uidMap) == 1 && uidMap[0].Size == 1 {
+ uid = uidMap[0].HostID
+ } else {
+- uid, err = toHost(0, uidMap)
++ uid, err = RawToHost(0, uidMap)
+ if err != nil {
+ return -1, -1, err
+ }
+@@ -90,7 +90,7 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ if len(gidMap) == 1 && gidMap[0].Size == 1 {
+ gid = gidMap[0].HostID
+ } else {
+- gid, err = toHost(0, gidMap)
++ gid, err = RawToHost(0, gidMap)
+ if err != nil {
+ return -1, -1, err
+ }
+@@ -98,10 +98,14 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+ return uid, gid, nil
+ }
+
+-// toContainer takes an id mapping, and uses it to translate a
+-// host ID to the remapped ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id
+-func toContainer(hostID int, idMap []IDMap) (int, error) {
++// RawToContainer takes an id mapping, and uses it to translate a host ID to
++// the remapped ID.
If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID against
++// the correct mapping.
++func RawToContainer(hostID int, idMap []IDMap) (int, error) {
+ if idMap == nil {
+ return hostID, nil
+ }
+@@ -114,10 +118,14 @@ func toContainer(hostID int, idMap []IDMap) (int, error) {
+ return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
+ }
+
+-// toHost takes an id mapping and a remapped ID, and translates the
+-// ID to the mapped host ID. If no map is provided, then the translation
+-// assumes a 1-to-1 mapping and returns the passed in id #
+-func toHost(contID int, idMap []IDMap) (int, error) {
++// RawToHost takes an id mapping and a remapped ID, and translates the ID to
++// the mapped host ID. If no map is provided, then the translation assumes a
++// 1-to-1 mapping and returns the passed in id.
++//
++// If you wish to map a (uid,gid) combination you should use the corresponding
++// IDMappings methods, which ensure that you are mapping the correct ID against
++// the correct mapping.
++func RawToHost(contID int, idMap []IDMap) (int, error) {
+ if idMap == nil {
+ return contID, nil
+ }
+@@ -188,25 +196,25 @@ func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) {
+ target := i.RootPair()
+
+ if pair.UID != target.UID {
+- target.UID, err = toHost(pair.UID, i.uids)
++ target.UID, err = RawToHost(pair.UID, i.uids)
+ if err != nil {
+ return target, err
+ }
+ }
+
+ if pair.GID != target.GID {
+- target.GID, err = toHost(pair.GID, i.gids)
++ target.GID, err = RawToHost(pair.GID, i.gids)
+ }
+ return target, err
+ }
+
+ // ToContainer returns the container UID and GID for the host uid and gid
+ func (i *IDMappings) ToContainer(pair IDPair) (int, int, error) {
+- uid, err := toContainer(pair.UID, i.uids)
++ uid, err := RawToContainer(pair.UID, i.uids)
+ if err != nil {
+ return -1, -1, err
+ }
+- gid, err := toContainer(pair.GID, i.gids)
++ gid, err := RawToContainer(pair.GID, i.gids)
+ return uid, gid, err
+ }
+
+--
+2.30.2
+
diff --git a/debian/patches/series b/debian/patches/series
index d802103b9..51bc5bf6b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 test.patch
+0001-pkg-idtools-export-RawTo-Container-Host.patch
[ Other info ] The actual code change to fix CVE-2022-1227 will require a code-change to the golang-github-containers-psgo package, for which I'll file a separate unlock request.
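Review bot: The identity fallback at `if idMap == nil { return hostID, nil }` in RawToContainer (and the matching `return contID, nil` in RawToHost) becomes part of the public contract once these helpers are exported, yet the new doc comments say only "if no map is provided" without stating that a nil slice is the sole trigger; an empty, non-nil slice presumably falls through the lookup to the trailing `Host ID %d cannot be mapped to a container ID` error. For the motivating caller (psgo translating ids read from /proc/$pid/status through another process's user namespace) silently treating a missing mapping as 1-to-1 is the unsafe direction, so the distinction deserves a sentence in both comments, e.g. `// Only a nil idMap selects the 1-to-1 fallback; callers translating IDs out of another user namespace` / `// must pass that namespace's actual mapping, otherwise an unmapped ID is returned unchanged.` The loop bodies of RawToContainer and RawToHost lie outside the hunk, so the empty-slice behaviour is inferred from the visible error return rather than confirmed.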