Your message dated Sat, 08 Apr 2023 16:17:09 +0000
with message-id <[email protected]>
and subject line Bug#1020906: fixed in libpod 3.0.1+dfsg1-3+deb11u2
has caused the Debian Bug report #1020906,
regarding libpod: CVE-2022-27649
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1020906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020906
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpod
Version: 3.0.1+dfsg1-3+deb11u1
Severity: important
Tags: patch
X-Debbugs-Cc: [email protected]
Dear Maintainer,
The following vulnerability for libpod is fixed in bookworm,
https://security-tracker.debian.org/tracker/CVE-2022-27649
We have backported the CVE fixes to bullseye since we are working on
debian bullseye derivative and want to send the patches to debian.
We understand these issues are not DSA and have to go though a point
release.
Please could you review the attached patch and apply in bullseye.
Have created a merge request also for review
https://salsa.debian.org/debian/libpod/-/merge_requests/7
Regards,
Vignesh
-- System Information:
Debian Release: 11.1
APT prefers stable
APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500,
'stable-updates'), (500, 'stable-security')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
>From d2848c44440281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
From: Andre Moreira Magalhaes <[email protected]>
Date: Mon, 19 Sep 2022 11:03:21 -0300
Subject: [PATCH] do not set the inheritable capabilities
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
---
libpod/oci_conmon_linux.go | 7 +++++--
pkg/specgen/generate/security.go | 7 +++++--
test/e2e/run_test.go | 6 +++---
3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 38ffba7d2..b073feee1 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options
*ExecOptions, env []string, sessio
} else {
pspec.Capabilities.Bounding =
ctrSpec.Process.Capabilities.Bounding
}
+
+ // Always unset the inheritable capabilities similarly to what the
Linux kernel does
+ // They are used only when using capabilities with uid != 0.
+ pspec.Capabilities.Inheritable = []string{}
+
if execUser.Uid == 0 {
pspec.Capabilities.Effective = pspec.Capabilities.Bounding
- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
} else {
if user == c.config.User {
pspec.Capabilities.Effective =
ctrSpec.Process.Capabilities.Effective
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fb45d87db..c18f83217 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator,
g *generate.Generator,
configSpec := g.Config
configSpec.Process.Capabilities.Ambient = []string{}
+
+ // Always unset the inheritable capabilities similarly to what the
Linux kernel does
+ // They are used only when using capabilities with uid != 0.
+ configSpec.Process.Capabilities.Inheritable = []string{}
configSpec.Process.Capabilities.Bounding = caplist
user := strings.Split(s.User, ":")[0]
@@ -137,7 +141,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g
*generate.Generator,
if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root"
|| user == "0" {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
- configSpec.Process.Capabilities.Inheritable = caplist
} else {
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd,
nil)
if err != nil {
@@ -145,12 +148,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator,
g *generate.Generator,
}
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
- configSpec.Process.Capabilities.Inheritable = userCaps
// Ambient capabilities were added to Linux 4.3. Set ambient
// capabilities only when the kernel supports them.
if supportAmbientCapabilities() {
configSpec.Process.Capabilities.Ambient = userCaps
+ configSpec.Process.Capabilities.Inheritable = userCaps
}
}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index bff3995df..17fea3b99 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -383,7 +383,7 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run", "--rm", "--user",
"root", ALPINE, "grep", "CapInh", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
session = podmanTest.Podman([]string{"run", "--rm", ALPINE,
"grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
@@ -418,7 +418,7 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run", "--user=0:0",
"--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
"/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
if os.Geteuid() > 0 {
if os.Getenv("SKIP_USERNS") != "" {
@@ -435,7 +435,7 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run",
"--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh",
"/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+
Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
session = podmanTest.Podman([]string{"run",
"--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
"/proc/self/status"})
session.WaitWithDefaultTimeout()
--
2.37.2
--- End Message ---
--- Begin Message ---
Source: libpod
Source-Version: 3.0.1+dfsg1-3+deb11u2
Done: Reinhard Tartler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpod, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated libpod package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Apr 2023 21:00:36 -0400
Source: libpod
Architecture: source
Version: 3.0.1+dfsg1-3+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Go Packaging Team
<[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1020906 1020907
Changes:
libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium
.
* CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907
* CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906
Checksums-Sha1:
ac54728f686cad4ea497f9c4131f70cdbdf65aab 5032 libpod_3.0.1+dfsg1-3+deb11u2.dsc
38f2582e11e0101dc358ba0a89b410e435da22d9 18268
libpod_3.0.1+dfsg1-3+deb11u2.debian.tar.xz
Checksums-Sha256:
95a1b3825a2b4719a636cd1a336aeff5dd69395fde3c93a8521e938d420aa834 5032
libpod_3.0.1+dfsg1-3+deb11u2.dsc
1f8247b8c6dfe19b34059fc3c82a8d8c5a88a1b2570b1639732395cc8ccb1292 18268
libpod_3.0.1+dfsg1-3+deb11u2.debian.tar.xz
Files:
f6d038e973e33dd7cb04c75f8b6e521e 5032 admin optional
libpod_3.0.1+dfsg1-3+deb11u2.dsc
63dc099cc350608ce2aea6fffe4fc1f1 18268 admin optional
libpod_3.0.1+dfsg1-3+deb11u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmQvWnIUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsvOBA/9F9mrx4Eqh5McOlRD75+cTTXrqVEX
WdTIF5Xuxgfudhrp4I8a+Gkz2t1OVV9EQIzCdsV1Y9YZ/q9ELf+jonvmZSOZ0HpE
4+1pK9CGtA6vfAGCsXg7ujWbfIdkI5rIb3lJuKWoIkfqyJnPEyEN2CyBwJex1L6d
cj/VeuZk0kcEed2H6JQHRrWQnjnzJvzCdHYLQX/pJGs/CpzFphHLpT5iNb+uyUqq
nZeryuS8RguWHFuKoZoBL0wL+xfcyey3GFRsVzNY/o+mpcBxATENMPmYHI3znmsA
yi+KyPEmIsJJ8GAEaD0OVqk19ahw4iYRzOVU3g86y5Kuyw2YLnWpl7gIQp5zcHdM
EhZo3UpUROhlYlqkU5gGIzOahUAiuEIoHO5jHA311KhpoCOy51/3rJZ39s2Xze8T
Es2DzdV26Bz/ovQMbqUTnT6KRL7Uj9V4QsU6lE1qZnOuGMgp67Sj532sza1UHRD/
q8rjNAnkpScNHC3IZ43/MeHVXWdJi8MFcmYhf9OjKeID7m9mSQ0yxZkGg5V1T+hY
Tn1Bo3x7nZGSRsLnefioYDRGBUj9gpzkxKehXWHswsOwiXFJjYiJ/8O2AvarmgPS
onFUtfC9JEvMkFBN4EV0pcpfeawT3QKYMnFeX75XzWyTbKSyMGOEgs9ahi+rvUKy
fFRyZLwAHtBq5j8=
=9V64
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers
