Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id
<502b8fb37ece620c9723446611a9287974ba5a0c.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1031109,
regarding bullseye-pu: package crun/0.17+dfsg-1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1031109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
[ Reason ]
A no-dsa security vulnerability, CVE-2022-27650:
https://security-tracker.debian.org/tracker/CVE-2022-27650
[ Impact ]
Copying from the CVE:
"A flaw was found in crun where containers were incorrectly started with
non-empty default permissions. A vulnerability was found in Moby (Docker
Engine) where containers were started incorrectly with non-empty
inheritable Linux process capabilities. This flaw allows an attacker
with access to programs with inheritable file capabilities to elevate
those capabilities to the permitted set when execve(2) runs."
[ Tests ]
Smoke-tested manually with podman. No automated tests on the Debian end,
sadly. The change has been tested on upstream's CI system and in
deployments in the wild, however.
[ Risks ]
Low risk: the diff is pretty trivial and a direct backport of two
upstream commits, that apply cleanly. They have also been included in a
version released almost a year ago (March 24, 2022), v1.4.4.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backport of upstream commits:
https://github.com/containers/crun/commit/b847d146d496c9d7beba166fd595488e85488562
https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6
Syncing Uploaders with unstable, including adding myself, to indicate
this is a Maintainer upload.
[ Other info ]
The diff is staged in salsa, under the debian/bullseye branch, in the
debian/crun repository.
Thank you for your consideration!
Best,
Faidon
diff -Nru crun-0.17+dfsg/debian/changelog crun-0.17+dfsg/debian/changelog
--- crun-0.17+dfsg/debian/changelog 2021-02-01 03:33:51.000000000 +0200
+++ crun-0.17+dfsg/debian/changelog 2023-02-11 23:44:44.000000000 +0200
@@ -1,3 +1,13 @@
+crun (0.17+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream commits b847d14 ("spec: do not set inheritable
+ capabilities") and 1aeeed2 ("exec: --cap do not set inheritable
+ capabilities") to address CVE-2022-27650, a flaw where containers were
+ incorrectly started with non-empty default permissions.
+ * Sync Uploaders from unstable, to indicate that this a maintainer upload.
+
+ -- Faidon Liambotis <[email protected]> Sat, 11 Feb 2023 23:44:44 +0200
+
crun (0.17+dfsg-1) unstable; urgency=medium
* New upstream release.
diff -Nru crun-0.17+dfsg/debian/control crun-0.17+dfsg/debian/control
--- crun-0.17+dfsg/debian/control 2020-07-17 16:20:31.000000000 +0300
+++ crun-0.17+dfsg/debian/control 2023-02-11 23:29:43.000000000 +0200
@@ -3,6 +3,9 @@
Priority: optional
Standards-Version: 4.5.0
Maintainer: Dmitry Smirnov <[email protected]>
+Uploaders:
+ Faidon Liambotis <[email protected]>,
+ Reinhard Tartler <[email protected]>,
Build-Depends: debhelper-compat (= 12)
,automake
,golang-github-opencontainers-image-spec-dev
diff -Nru crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch
crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch
--- crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch 1970-01-01
02:00:00.000000000 +0200
+++ crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch 2023-02-11
23:42:25.000000000 +0200
@@ -0,0 +1,15 @@
+diff --git a/src/exec.c b/src/exec.c
+index 7a8931e5..c876ecd1 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -304,8 +304,8 @@ crun_command_exec (struct crun_global_arguments
*global_args, int argc, char **a
+ capabilities->effective = exec_options.cap;
+ capabilities->effective_len = exec_options.cap_size;
+
+- capabilities->inheritable = dup_array (exec_options.cap,
exec_options.cap_size);
+- capabilities->inheritable_len = exec_options.cap_size;
++ capabilities->inheritable = NULL;
++ capabilities->inheritable_len = 0;
+
+ capabilities->bounding = dup_array (exec_options.cap,
exec_options.cap_size);
+ capabilities->bounding_len = exec_options.cap_size;
diff -Nru crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch
crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch
--- crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch 1970-01-01
02:00:00.000000000 +0200
+++ crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch 2023-02-11
23:14:40.000000000 +0200
@@ -0,0 +1,14 @@
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 5a0744ff..f60740d8 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -120,9 +120,6 @@ static const char spec_file[] = "\
+ \"CAP_NET_BIND_SERVICE\"\n\
+ ],\n\
+ \"inheritable\": [\n\
+- \"CAP_AUDIT_WRITE\",\n\
+- \"CAP_KILL\",\n\
+- \"CAP_NET_BIND_SERVICE\"\n\
+ ],\n\
+ \"permitted\": [\n\
+ \"CAP_AUDIT_WRITE\",\n\
diff -Nru crun-0.17+dfsg/debian/patches/series
crun-0.17+dfsg/debian/patches/series
--- crun-0.17+dfsg/debian/patches/series 1970-01-01 02:00:00.000000000
+0200
+++ crun-0.17+dfsg/debian/patches/series 2023-02-11 23:43:29.000000000
+0200
@@ -0,0 +1,2 @@
+CVE-2022-27650-b847d14.patch
+CVE-2022-27650-1aeeed2.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.7
Hi,
Each of the updates referred to in these requests was included in this
morning's 11.7 point release.
Regards,
Adam
--- End Message ---
