Your message dated Sat, 10 Feb 2024 13:02:58 +0000
with message-id <[email protected]>
and subject line Released with 11.9
has caused the Debian Bug report #1059677,
regarding bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1059677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059677
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libpod

[ Reason ]
This will address the no-dsa CVE-2022-2989. The vulnerability has been
fixed upstream and has been in bookworm, trixie and sid for a long
time now.

[ Impact ]
Absent this patch, podman in bullseye will remain vulnerable to
CVE-2022-2989, as detailed here:
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/

[ Changes ]
bullseye has v3.0.1. The original fix was included in v4.3.0, and was:
https://github.com/containers/podman/commit/d82a41687e614d9ac8b2d169dee47fe226835e4c

However, upstream (which is mostly RedHat) maintains a separate
"v3.0.1-rhel" branch, where they're backporting fixes to RHEL.

The patch included in this upload is lifted directly from that branch,
with no further changes:
https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f

[ Tests ]
Upstream has an extensive test suite, including unit and integration
testing. Some of those tests run as part of the Debian build
process. The fix has presumably been tested by RHEL users as well.

Furthermore, I've verified that the current package is vulnerable, and
the proposed package addresses the vulnerability, by testing both
deb11u4 and deb11u5 with this PoC code:
https://github.com/sjmurdoch/permission-experiment

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Risks ]
Minimal: upstream has backported and tested this patch themselves, and
versions including this exact patch have been deployed to end (RHEL)
users for over a year now.

[ Other info ]

Thanks,
Faidon
diff -Nru libpod-3.0.1+dfsg1/debian/changelog 
libpod-3.0.1+dfsg1/debian/changelog
--- libpod-3.0.1+dfsg1/debian/changelog 2023-04-17 01:16:11.000000000 +0300
+++ libpod-3.0.1+dfsg1/debian/changelog 2023-12-29 17:26:49.000000000 +0200
@@ -1,3 +1,12 @@
+libpod (3.0.1+dfsg1-3+deb11u5) bullseye; urgency=medium
+
+  * CVE-2022-2989: Cherry-pick "Add container GID to additional groups" patch
+    from the v3.0.1-rhel upstream branch (itself a backport from v4.3.0), to
+    address an incorrect handling of supplementary groups. (Closes: #1019591)
+  * Add myself to Uploaders.
+
+ -- Faidon Liambotis <[email protected]>  Fri, 29 Dec 2023 17:26:49 +0200
+
 libpod (3.0.1+dfsg1-3+deb11u4) bullseye; urgency=medium
 
   * Recompile to fix parsing of DBUS_SESSION_BUS_ADDRESS (Closes: #1018816)
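Review bot: the changelog entry names the upstream branch the patch was lifted from but not the commit itself; for a security backport it is worth recording the cherry-picked commit id (a256d7188c9db64a00a37798e6a2f0f59b5d798f, as given in the bug text) either here or in the patch's DEP-3 headers, so the provenance survives outside this bug report. Otherwise the entry is fine: it names the CVE, says what the patch does (supplementary-group handling) and closes the tracking bug.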
diff -Nru libpod-3.0.1+dfsg1/debian/control libpod-3.0.1+dfsg1/debian/control
--- libpod-3.0.1+dfsg1/debian/control   2023-04-17 01:16:11.000000000 +0300
+++ libpod-3.0.1+dfsg1/debian/control   2023-12-29 17:26:49.000000000 +0200
@@ -3,7 +3,10 @@
 Priority: optional
 Standards-Version: 4.5.0
 Maintainer: Debian Go Packaging Team 
<[email protected]>
-Uploaders: Dmitry Smirnov <[email protected]>, Reinhard Tartler 
<[email protected]>
+Uploaders:
+ Dmitry Smirnov <[email protected]>,
+ Reinhard Tartler <[email protected]>,
+ Faidon Liambotis <[email protected]>,
 Build-Depends: debhelper-compat (= 12)
     ,bash-completion
     ,conmon
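Review bot: this hunk does two unrelated things at once, reflowing Uploaders to one entry per line and adding a new uploader; neither affects the built packages, and the changelog documents the addition. The reflow leaves a trailing comma after the last entry, which the old single-line form did not have; confirm the tooling run on the .dsc (lintian, the archive parsers) accepts an empty trailing element, or drop the comma.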
diff -Nru libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml 
libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml
--- libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml    2023-04-17 01:16:11.000000000 
+0300
+++ libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml    1970-01-01 02:00:00.000000000 
+0200
@@ -1,25 +0,0 @@
----
-# https://docs.gitlab.com/ce/ci/yaml/#include
-include:
-  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
-
-## "amd64-unstable" always runs by default followed by lintian.
-
-## Job to check Build-Depends versioning:
-amd64-testing_unstable:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: testing_unstable
-
-i386-unstable:
-  extends: .build
-  variables:
-    arch: i386
-    dist: unstable
-
-amd64-experimental:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: experimental
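Review bot: the deletion of debian/.gitlab-ci.yml is not mentioned in the changelog, which lists only the CVE patch and the Uploaders change, so the checklist item "*all* changes are documented in the d/changelog" is not strictly met. If the file disappears as a side effect of how the new source package was generated (for example a VCS ignore pattern excluding it) rather than as a deliberate change, say so in the bug; otherwise add a one-line changelog entry. It has no effect on the binaries either way.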
diff -Nru 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
--- 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
        1970-01-01 02:00:00.000000000 +0200
+++ 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
        2023-12-29 17:26:49.000000000 +0200
@@ -0,0 +1,89 @@
+From a256d7188c9db64a00a37798e6a2f0f59b5d798f Mon Sep 17 00:00:00 2001
+From: Matthew Heon <[email protected]>
+Date: Fri, 2 Sep 2022 13:40:29 -0400
+Subject: [PATCH] Add container GID to additional groups
+
+Mitigates a potential permissions issue. Mirrors Buildah PR #4200
+and CRI-O PR #6159.
+
+Cherry-pick conflicts for v3.0.1-rhel branch have been addressed.
+
+Signed-off-by: Matthew Heon <[email protected]>
+---
+ libpod/container_internal_linux.go |  1 +
+ pkg/specgen/generate/namespaces.go |  1 +
+ test/e2e/run_test.go               | 14 +++++++++++---
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
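Review bot: the patch carries only the git format-patch headers; adding DEP-3 fields such as "Origin: backport, https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f" and "Bug-Debian: https://bugs.debian.org/1019591" would make the provenance machine-readable for the security tracker and for whoever rebases this package next. The upstream description ("Mitigates a potential permissions issue") is vague on its own; the CVE id in the file name is what ties it to the advisory, so keeping that name is important.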
+diff --git a/libpod/container_internal_linux.go 
b/libpod/container_internal_linux.go
+index fb97a4867..48929d8f6 100644
+--- a/libpod/container_internal_linux.go
++++ b/libpod/container_internal_linux.go
+@@ -473,6 +473,7 @@ func (c *Container) generateSpec(ctx context.Context) 
(*spec.Spec, error) {
+               // User and Group must go together
+               g.SetProcessUID(uint32(execUser.Uid))
+               g.SetProcessGID(uint32(execUser.Gid))
++              g.AddProcessAdditionalGid(uint32(execUser.Gid))
+       }
+ 
+       if c.config.Umask != "" {
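Review bot: this one-line addition (together with the matching line in namespaces.go) is the entire mitigation: the resolved primary GID is also placed in the process's supplementary group list, so the container process belongs to that group through setgroups as well as through its effective GID, which is what the updated "groups=" expectations in the test hunks reflect. Check that every code path in this file that sets the process GID passes through this block; a call site that sets the GID elsewhere without the AddProcessAdditionalGid call would keep the old behaviour for that path.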
+diff --git a/pkg/specgen/generate/namespaces.go 
b/pkg/specgen/generate/namespaces.go
+index b87375a92..16f79d868 100644
+--- a/pkg/specgen/generate/namespaces.go
++++ b/pkg/specgen/generate/namespaces.go
+@@ -398,6 +398,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g 
*generate.Generator, rt
+               }
+               g.SetProcessUID(uint32(uid))
+               g.SetProcessGID(uint32(gid))
++              g.AddProcessAdditionalGid(uint32(gid))
+               fallthrough
+       case specgen.Private:
+               if err := 
g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
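Review bot: same mitigation for the user-namespace path. The added line sits before the fallthrough into the Private case, which is fine because the additional GID is part of the process spec and independent of the namespace setup that follows; no ordering concern here.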
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index bf122a4c0..deba95b28 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -771,7 +771,7 @@ USER bin`
+               session := podmanTest.Podman([]string{"run", "--rm", 
"--user=1234", ALPINE, "id"})
+               session.WaitWithDefaultTimeout()
+               Expect(session.ExitCode()).To(Equal(0))
+-              Expect(session.OutputToString()).To(Equal("uid=1234(1234) 
gid=0(root)"))
++              Expect(session.OutputToString()).To(Equal("uid=1234(1234) 
gid=0(root) groups=0(root)"))
+       })
+ 
+       It("podman run with user (integer, in /etc/passwd)", func() {
+@@ -792,14 +792,14 @@ USER bin`
+               session := podmanTest.Podman([]string{"run", "--rm", 
"--user=mail:21", ALPINE, "id"})
+               session.WaitWithDefaultTimeout()
+               Expect(session.ExitCode()).To(Equal(0))
+-              Expect(session.OutputToString()).To(Equal("uid=8(mail) 
gid=21(ftp)"))
++              Expect(session.OutputToString()).To(Equal("uid=8(mail) 
gid=21(ftp) groups=21(ftp)"))
+       })
+ 
+       It("podman run with user:group (integer:groupname)", func() {
+               session := podmanTest.Podman([]string{"run", "--rm", 
"--user=8:ftp", ALPINE, "id"})
+               session.WaitWithDefaultTimeout()
+               Expect(session.ExitCode()).To(Equal(0))
+-              Expect(session.OutputToString()).To(Equal("uid=8(mail) 
gid=21(ftp)"))
++              Expect(session.OutputToString()).To(Equal("uid=8(mail) 
gid=21(ftp) groups=21(ftp)"))
+       })
+ 
+       It("podman run with user, verify caps dropped", func() {
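Review bot: the three expectation updates follow one pattern: "id" now reports "groups=<gid>(<name>)" alongside "gid=", confirming the primary group is in the supplementary list. They compare exact strings, so any change in the ALPINE image that gives those users further group memberships will break them; that strictness is appropriate for a regression test, but worth remembering when the test image is bumped.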
+@@ -810,6 +810,14 @@ USER bin`
+               Expect("0000000000000000").To(Equal(capEff[1]))
+       })
+ 
++      It("podman run with user, verify group added", func() {
++              session := podmanTest.Podman([]string{"run", "--rm", 
"--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
++              session.WaitWithDefaultTimeout()
++              Expect(session.ExitCode()).To(Equal(0))
++              groups := strings.Split(session.OutputToString(), " ")[1]
++              Expect("1000").To(Equal(groups))
++      })
++
+       It("podman run with attach stdin outputs container ID", func() {
+               session := podmanTest.Podman([]string{"run", "--attach", 
"stdin", ALPINE, "printenv"})
+               session.WaitWithDefaultTimeout()
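Review bot: the new test parses the "Groups:" line of /proc/self/status with strings.Split(session.OutputToString(), " ")[1]; that relies on OutputToString() normalising the tab after "Groups:" to a single space (otherwise the index would be out of range) and on run_test.go already importing "strings", which this diff does not show. Using a numeric --user=1000:1000 is a good choice, since the check then does not depend on the image's /etc/passwd or /etc/group contents and proves exactly that the requested GID lands in the supplementary list.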
+-- 
+2.39.2
+
diff -Nru libpod-3.0.1+dfsg1/debian/patches/series 
libpod-3.0.1+dfsg1/debian/patches/series
--- libpod-3.0.1+dfsg1/debian/patches/series    2023-04-17 01:16:11.000000000 
+0300
+++ libpod-3.0.1+dfsg1/debian/patches/series    2023-12-29 17:26:49.000000000 
+0200
@@ -3,3 +3,4 @@
 systemd-tweaks.patch
 networking-lookup-child-IP-in-networks.patch
 0001-do-not-set-the-inheritable-capabilities.patch
+CVE-2022-2989-Add-container-GID-to-additional-groups.patch

--- End Message ---
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
