Your message dated Sat, 08 Apr 2023 16:17:09 +0000
with message-id <[email protected]>
and subject line Bug#1020906: fixed in libpod 3.0.1+dfsg1-3+deb11u3
has caused the Debian Bug report #1020906,
regarding libpod: CVE-2022-27649
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1020906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020906
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpod
Version: 3.0.1+dfsg1-3+deb11u1
Severity: important
Tags: patch
X-Debbugs-Cc: [email protected]

Dear Maintainer,

The following vulnerability for libpod is fixed in bookworm,
https://security-tracker.debian.org/tracker/CVE-2022-27649

We have backported the CVE fixes to bullseye since we are working on a
Debian bullseye derivative and want to send the patches to Debian.
We understand these issues are not DSA and have to go through a point
release.

Please could you review the attached patch and apply it in bullseye.
I have also created a merge request for review:
https://salsa.debian.org/debian/libpod/-/merge_requests/7

Regards,
Vignesh

-- System Information:
Debian Release: 11.1
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500, 
'stable-updates'), (500, 'stable-security')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From d2848c44440281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
From: Andre Moreira Magalhaes <[email protected]>
Date: Mon, 19 Sep 2022 11:03:21 -0300
Subject: [PATCH] do not set the inheritable capabilities

The kernel never sets the inheritable capabilities for a process, they
are only set by userspace.  Emulate the same behavior.

Closes: CVE-2022-27649

(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
---
 libpod/oci_conmon_linux.go       | 7 +++++--
 pkg/specgen/generate/security.go | 7 +++++--
 test/e2e/run_test.go             | 6 +++---
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 38ffba7d2..b073feee1 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options 
*ExecOptions, env []string, sessio
        } else {
                pspec.Capabilities.Bounding = 
ctrSpec.Process.Capabilities.Bounding
        }
+
+       // Always unset the inheritable capabilities similarly to what the 
Linux kernel does
+       // They are used only when using capabilities with uid != 0.
+       pspec.Capabilities.Inheritable = []string{}
+
        if execUser.Uid == 0 {
                pspec.Capabilities.Effective = pspec.Capabilities.Bounding
-               pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
                pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
-               pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
        } else {
                if user == c.config.User {
                        pspec.Capabilities.Effective = 
ctrSpec.Process.Capabilities.Effective
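Review bot: The commit message says only that inheritable capabilities are no longer set, but the `execUser.Uid == 0` branch here also drops `pspec.Capabilities.Ambient = pspec.Capabilities.Bounding`; please state in the message that ambient is removed for root as well, and why: the kernel only lets a capability be raised into the ambient set when it is in both the permitted and the inheritable set, so keeping that line next to `pspec.Capabilities.Inheritable = []string{}` would produce a configuration the runtime cannot apply. The hunk's context stops at the first line of the `user == c.config.User` branch, so it is not visible whether the non-root exec path still sets Inheritable together with Ambient the way pkg/specgen/generate/security.go does after this patch; either mention that in the message or extend the context so a reviewer can check both paths agree.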
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fb45d87db..c18f83217 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, 
g *generate.Generator,
 
        configSpec := g.Config
        configSpec.Process.Capabilities.Ambient = []string{}
+
+       // Always unset the inheritable capabilities similarly to what the 
Linux kernel does
+       // They are used only when using capabilities with uid != 0.
+       configSpec.Process.Capabilities.Inheritable = []string{}
        configSpec.Process.Capabilities.Bounding = caplist
 
        user := strings.Split(s.User, ":")[0]
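Review bot: The comment "Always unset the inheritable capabilities similarly to what the Linux kernel does" is imprecise: per capabilities(7) the kernel preserves a process's inheritable set across execve and never raises bits in it on its own, so this code is not imitating an "unset", it is leaving the set empty as the kernel leaves it unless userspace populates it. Suggest something like "Leave the inheritable set empty: the kernel never populates it, only userspace does, and it only matters for uid != 0 (see the ambient path below)". The same two comment lines are repeated verbatim in libpod/oci_conmon_linux.go; whichever wording is chosen, keep the two copies identical so they do not drift.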
@@ -137,7 +141,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g 
*generate.Generator,
        if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" 
|| user == "0" {
                configSpec.Process.Capabilities.Effective = caplist
                configSpec.Process.Capabilities.Permitted = caplist
-               configSpec.Process.Capabilities.Inheritable = caplist
        } else {
                userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, 
nil)
                if err != nil {
@@ -145,12 +148,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, 
g *generate.Generator,
                }
                configSpec.Process.Capabilities.Effective = userCaps
                configSpec.Process.Capabilities.Permitted = userCaps
-               configSpec.Process.Capabilities.Inheritable = userCaps
 
                // Ambient capabilities were added to Linux 4.3.  Set ambient
                // capabilities only when the kernel supports them.
                if supportAmbientCapabilities() {
                        configSpec.Process.Capabilities.Ambient = userCaps
+                       configSpec.Process.Capabilities.Inheritable = userCaps
                }
        }
 
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index bff3995df..17fea3b99 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -383,7 +383,7 @@ var _ = Describe("Podman run", func() {
                session = podmanTest.Podman([]string{"run", "--rm", "--user", 
"root", ALPINE, "grep", "CapInh", "/proc/self/status"})
                session.WaitWithDefaultTimeout()
                Expect(session.ExitCode()).To(Equal(0))
-               
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+               
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
                session = podmanTest.Podman([]string{"run", "--rm", ALPINE, 
"grep", "CapBnd", "/proc/self/status"})
                session.WaitWithDefaultTimeout()
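Review bot: The updated expectation for `--user root` exercises `podman run` only; the exec path changed in libpod/oci_conmon_linux.go (prepareProcessExec) has no corresponding test in this patch. Add an e2e case that execs `grep CapInh /proc/self/status` as root inside a running container and expects `0000000000000000`, otherwise a regression in the exec branch would not be caught by this suite.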
@@ -418,7 +418,7 @@ var _ = Describe("Podman run", func() {
                session = podmanTest.Podman([]string{"run", "--user=0:0", 
"--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", 
"/proc/self/status"})
                session.WaitWithDefaultTimeout()
                Expect(session.ExitCode()).To(Equal(0))
-               
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+               
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
                if os.Geteuid() > 0 {
                        if os.Getenv("SKIP_USERNS") != "" {
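Review bot: With `--user=0:0 --cap-add=DAC_OVERRIDE` the test now asserts only an all-zero CapInh; nothing in this case confirms that the added capability still lands in the effective or permitted set, so a change that dropped the capability altogether would pass as well. Assert on CapEff (or CapPrm) in the same case, as the neighbouring CapBnd check does for the default run.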
@@ -435,7 +435,7 @@ var _ = Describe("Podman run", func() {
                        session = podmanTest.Podman([]string{"run", 
"--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", 
"/proc/self/status"})
                        session.WaitWithDefaultTimeout()
                        Expect(session.ExitCode()).To(Equal(0))
-                       
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+                       
Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
 
                        session = podmanTest.Podman([]string{"run", 
"--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", 
"/proc/self/status"})
                        session.WaitWithDefaultTimeout()
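Review bot: This hunk raises the expected CapInh for `--userns=keep-id --privileged` from `0000000000000000` to `0000000000000002` (bit 1, CAP_DAC_OVERRIDE), which the commit message does not explain: a patch whose point is to stop setting inheritable capabilities should not make a privileged keep-id container gain one, and DAC_OVERRIDE is exactly the capability the next, unchanged test case adds with `--cap-add`. Please confirm the two expectations are attached to the right cases, or explain in the message why keep-id with `--privileged` now carries that inheritable bit.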
-- 
2.37.2


--- End Message ---
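The e2e hunks in the patch above assert on raw hex masks grepped from /proc/self/status. As an added example, not part of the bug report, the patch, or libpod itself, here is a small Go checker that decodes those masks into capability names and flags the condition this fix removes (a uid-0 process whose inheritable set is populated), together with the kernel invariant that makes the ambient changes in the patch necessary (ambient must lie within permitted and inheritable). The capability table follows linux/capability.h; the three status excerpts are constructed for the example, modelled on the 00000000a80425fb and 0000000000000002 masks the tests expect, not captured from a real container; ParseStatus, Names and Check are names chosen here, not libpod APIs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// capNames maps a capability number (linux/capability.h) to its name;
// the index is the bit position in the /proc/<pid>/status masks.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
	"CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE",
	"CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT",
	"CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME",
	"CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
	"CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// ProcCaps is what the kernel reports for one process in /proc/<pid>/status.
type ProcCaps struct {
	Uid                     int
	Inh, Prm, Eff, Bnd, Amb uint64
}

// ParseStatus extracts the real uid and the five capability masks from
// /proc/<pid>/status text. Absent lines stay zero; a malformed value is an
// error rather than a silent zero, so a bad read cannot pass as "no caps".
func ParseStatus(status string) (ProcCaps, error) {
	var pc ProcCaps
	sets := map[string]*uint64{"CapInh": &pc.Inh, "CapPrm": &pc.Prm, "CapEff": &pc.Eff, "CapBnd": &pc.Bnd, "CapAmb": &pc.Amb}
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		f := strings.Fields(val)
		if key == "Uid" && len(f) > 0 {
			uid, err := strconv.Atoi(f[0]) // real uid is the first of the four numbers
			if err != nil {
				return pc, fmt.Errorf("Uid: %w", err)
			}
			pc.Uid = uid
		} else if dst, known := sets[key]; known && len(f) > 0 {
			mask, err := strconv.ParseUint(f[0], 16, 64)
			if err != nil {
				return pc, fmt.Errorf("%s: %w", key, err)
			}
			*dst = mask
		}
	}
	return pc, nil
}

// Names decodes a mask into capability names, lowest bit first.
func Names(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask>>uint(bit)&1 == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, fmt.Sprintf("CAP_%d", bit)) // newer than this table
		}
	}
	return out
}

// Check reports the pre-fix symptom (a uid-0 process carrying inheritable
// capabilities) plus two invariants the kernel enforces on any capability
// configuration (capabilities(7)): ambient must lie within permitted AND
// inheritable, and effective within permitted. Empty result means "looks right".
func Check(pc ProcCaps) []string {
	var findings []string
	if pc.Uid == 0 && pc.Inh != 0 {
		findings = append(findings, "uid 0 has inheritable capabilities: "+strings.Join(Names(pc.Inh), ","))
	}
	if extra := pc.Amb &^ (pc.Prm & pc.Inh); extra != 0 {
		findings = append(findings, "ambient outside permitted&inheritable: "+strings.Join(Names(extra), ","))
	}
	if extra := pc.Eff &^ pc.Prm; extra != 0 {
		findings = append(findings, "effective outside permitted: "+strings.Join(Names(extra), ","))
	}
	return findings
}

// Constructed /proc/self/status excerpts (not captured output); the masks mirror
// the e2e expectations: default cap set a80425fb, DAC_OVERRIDE alone is bit 1.
const (
	// `--user root` before the fix: inheritable == bounding.
	statusBefore = "Name:\tgrep\nUid:\t0\t0\t0\t0\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n" +
		"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
	// Same container after the fix: inheritable cleared.
	statusAfter = "Name:\tgrep\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n" +
		"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
	// Non-root with --cap-add=DAC_OVERRIDE: the patch sets inheritable and ambient to the added cap.
	statusNonRoot = "Name:\tgrep\nUid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000002\nCapPrm:\t0000000000000002\n" +
		"CapEff:\t0000000000000002\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000002\n"
)

func main() {
	samples := []struct{ name, status string }{{"before", statusBefore}, {"after", statusAfter}, {"non-root", statusNonRoot}}
	for _, s := range samples {
		pc, err := ParseStatus(s.status)
		if err != nil {
			fmt.Println(s.name, "parse error:", err)
			continue
		}
		fmt.Printf("%-8s uid=%d CapInh=%s findings=%q\n", s.name, pc.Uid, strings.Join(Names(pc.Inh), ","), Check(pc))
	}
}
```

To run it against a real package, feed ParseStatus the output of `podman run --rm --user root IMAGE cat /proc/self/status`: a fixed build reports no findings for the root case, while an unfixed 3.0.1 reports the 14 default capabilities in the inheritable set.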
--- Begin Message ---
Source: libpod
Source-Version: 3.0.1+dfsg1-3+deb11u3
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libpod, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated libpod package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Apr 2023 22:10:33 -0400
Source: libpod
Architecture: source
Version: 3.0.1+dfsg1-3+deb11u3
Distribution: bullseye
Urgency: medium
Maintainer: Debian Go Packaging Team 
<[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1020906 1020907
Changes:
 libpod (3.0.1+dfsg1-3+deb11u3) bullseye; urgency=medium
 .
   * Fix and tighten dependencies
 .
 libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium
 .
   * CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907
   * CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906
Checksums-Sha1:
 3a4c538f24385787ab02c0c7809222b983ce4075 5032 libpod_3.0.1+dfsg1-3+deb11u3.dsc
 5d68cc2336e984b853f80175dab5d73af3fab7a6 18276 
libpod_3.0.1+dfsg1-3+deb11u3.debian.tar.xz
Checksums-Sha256:
 8601bc555768a66d746b3488fa3ef3c91f2e99f88e4ea2aad23734a8b04bfbd8 5032 
libpod_3.0.1+dfsg1-3+deb11u3.dsc
 05f82d38e26b531d1bb05c7a764bbd48b276723d80cf182acfb096a21a161e33 18276 
libpod_3.0.1+dfsg1-3+deb11u3.debian.tar.xz
Files:
 295effe510a15f1ae6596a29765192d6 5032 admin optional 
libpod_3.0.1+dfsg1-3+deb11u3.dsc
 55b9e6046999139f0607a88f38945249 18276 admin optional 
libpod_3.0.1+dfsg1-3+deb11u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmQwzZMUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsvflhAAuJCPMnqyzQG0bxMw+1pjrkHB2is5
SQVyPXtsv4rRJjEsdRxffoniCq8O7ze7sy+JV4g75+H48BcSNwCo3W8jajIf6JnQ
iwAMIX0U/0xgLTobTyXVgghS9lcSIeSWrTlKBECsglS4+I+d3JdKsjMR260tZsng
VvECPLAUghPm2qFs2xLf+X39viAdJLMighzRQa+IcYkFw6s+M8x0JqfY02fy/paG
Xa3PsjMihlMOuTIUREXhpOGQpc4CCcTU8JiFCjK/b1vobZBYg5JtayFyNUK/aZkv
wCAlMADXgrAMJc2dhG9y0Czg09JY2SYDqsKLc0BTs9OrVbxwxmYBM9060jkC8Glo
9zzHoBcPEfJYTDMVUtvB4z3uxMipIbIyJ/CwIVC0wzEeH17ECnaOFWN1gucCgHX1
TFkDrCJMIe/5/7bD3V19/PO/EokqPTmZJpWA/55YGzDE7JrMPwuLnEg2Ft91wxjK
RkUXx7H5BHCvy+wtoersQhTx4u0o4Ljis4H9q2w/9KQL8X42bT0Q1dOef4znK/0F
RxvrCb06YXlijTurOA2x0JwVBqrdzy7td9MKJhkRdFPYq0OdORBONnOJftYBln8t
yCgrih0AfJa30YzjZTOKLlxvc10Ham7f9+bkmMiTIDBuSkA713KEgX520CLU6agv
E+v/+0I3+XrVJ38=
=yUmx
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers
