Your message dated Wed, 19 Apr 2023 21:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1020906: fixed in libpod 3.0.1+dfsg1-3+deb11u4
has caused the Debian Bug report #1020906,
regarding libpod: CVE-2022-27649
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1020906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020906
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpod
Version: 3.0.1+dfsg1-3+deb11u1
Severity: important
Tags: patch
X-Debbugs-Cc: [email protected]
Dear Maintainer,
The following vulnerability for libpod is fixed in bookworm,
https://security-tracker.debian.org/tracker/CVE-2022-27649
We have backported the CVE fixes to bullseye since we are working on
debian bullseye derivative and want to send the patches to debian.
We understand these issues are not DSA and have to go though a point
release.
Please could you review the attached patch and apply in bullseye.
Have created a merge request also for review
https://salsa.debian.org/debian/libpod/-/merge_requests/7
Regards,
Vignesh
-- System Information:
Debian Release: 11.1
APT prefers stable
APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500,
'stable-updates'), (500, 'stable-security')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
>From d2848c44440281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
From: Andre Moreira Magalhaes <[email protected]>
Date: Mon, 19 Sep 2022 11:03:21 -0300
Subject: [PATCH] do not set the inheritable capabilities
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
---
libpod/oci_conmon_linux.go | 7 +++++--
pkg/specgen/generate/security.go | 7 +++++--
test/e2e/run_test.go | 6 +++---
3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 38ffba7d2..b073feee1 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options
*ExecOptions, env []string, sessio
} else {
pspec.Capabilities.Bounding =
ctrSpec.Process.Capabilities.Bounding
}
+
+ // Always unset the inheritable capabilities similarly to what the
Linux kernel does
+ // They are used only when using capabilities with uid != 0.
+ pspec.Capabilities.Inheritable = []string{}
+
if execUser.Uid == 0 {
pspec.Capabilities.Effective = pspec.Capabilities.Bounding
- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
} else {
if user == c.config.User {
pspec.Capabilities.Effective =
ctrSpec.Process.Capabilities.Effective
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fb45d87db..c18f83217 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator,
g *generate.Generator,
configSpec := g.Config
configSpec.Process.Capabilities.Ambient = []string{}
+
+ // Always unset the inheritable capabilities similarly to what the
Linux kernel does
+ // They are used only when using capabilities with uid != 0.
+ configSpec.Process.Capabilities.Inheritable = []string{}
configSpec.Process.Capabilities.Bounding = caplist
user := strings.Split(s.User, ":")[0]
@@ -137,7 +141,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g
*generate.Generator,
if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root"
|| user == "0" {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
- configSpec.Process.Capabilities.Inheritable = caplist
} else {
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd,
nil)
if err != nil {
@@ -145,12 +148,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator,
g *generate.Generator,
}
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
- configSpec.Process.Capabilities.Inheritable = userCaps
// Ambient capabilities were added to Linux 4.3. Set ambient
// capabilities only when the kernel supports them.
if supportAmbientCapabilities() {
configSpec.Process.Capabilities.Ambient = userCaps
+ configSpec.Process.Capabilities.Inheritable = userCaps
}
}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index bff3995df..17fea3b99 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -383,7 +383,7 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run", "--rm", "--user",
"root", ALPINE, "grep", "CapInh", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
session = podmanTest.Podman([]string{"run", "--rm", ALPINE,
"grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
@@ -418,7 +418,7 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run", "--user=0:0",
"--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
"/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
if os.Geteuid() > 0 {
if os.Getenv("SKIP_USERNS") != "" {
@@ -435,7 +435,7 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run",
"--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh",
"/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+
Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
session = podmanTest.Podman([]string{"run",
"--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
"/proc/self/status"})
session.WaitWithDefaultTimeout()
--
2.37.2
--- End Message ---
--- Begin Message ---
Source: libpod
Source-Version: 3.0.1+dfsg1-3+deb11u4
Done: Reinhard Tartler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpod, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated libpod package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Apr 2023 18:16:11 -0400
Source: libpod
Architecture: source
Version: 3.0.1+dfsg1-3+deb11u4
Distribution: bullseye
Urgency: medium
Maintainer: Debian Go Packaging Team
<[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1018816 1020906 1020907
Changes:
libpod (3.0.1+dfsg1-3+deb11u4) bullseye; urgency=medium
.
* Recompile to fix parsing of DBUS_SESSION_BUS_ADDRESS (Closes: #1018816)
.
libpod (3.0.1+dfsg1-3+deb11u3) bullseye; urgency=medium
.
* Fix and tighten dependencies
.
libpod (3.0.1+dfsg1-3+deb11u2) bullseye; urgency=medium
.
* CVE-2022-1227: pickup changes in containers/psgo, Closes: #1020907
* CVE-2022-27649: do not set the inheritable capabilities, Closes: #1020906
Checksums-Sha1:
9c5dccfa400387091e83c175bcbaf47380699a48 5032 libpod_3.0.1+dfsg1-3+deb11u4.dsc
f2ec53c66d25681ca8860e1461fd589bba10c7fe 18320
libpod_3.0.1+dfsg1-3+deb11u4.debian.tar.xz
Checksums-Sha256:
6ff3ead5390c895014fd39ea1a74b1653bf8d7cf458f4ee3b2798a244142ee88 5032
libpod_3.0.1+dfsg1-3+deb11u4.dsc
dcc36991516c2a228149330aff987e739905a749b5d249ca0faae0db8ffc843c 18320
libpod_3.0.1+dfsg1-3+deb11u4.debian.tar.xz
Files:
b449ce025d4dfcbcdb5e78ea7a2b48cd 5032 admin optional
libpod_3.0.1+dfsg1-3+deb11u4.dsc
e89e833f5e50424bbcbca9e7624db4a4 18320 admin optional
libpod_3.0.1+dfsg1-3+deb11u4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmQ8dHoUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsuZKA//R/JX0frLjPCSSdJUySW0zrkv63Cg
QkIXLnJY16VyrLS+C4itbRH4Uh+5tXceJlbRjyfrRqNaZ9T9vn6uGIo5zeYYFJR+
e7hfjP76vXWelsUyyqzUKzyP1neIqECjTfhrqO0FJVn3VFptT8cefNGd/HHbwToD
BJZ3BWW1dj9SlRtRDm1hi48PmANFQwFraMAtrNl5eRbX4f9pUowpe7LZSMlY5Xz9
8sukQ/cCV1pK52/fS6HPWqLISH/MjETbIgRuCRUis6tMp+JvNvp8vVL/sUUv5UDl
7GtL+xTd3Z04CJ8Q4P7cPRWfIBuL1r83JiCwN4wEEbdjVlw8EQgyuJuET+sTHiaX
2HptOC8R4JTRN1JzlUNSGdiBaecT7LFpWbiNadpcZ9WdLb38u14xcBRhZsgKTpWV
+PFbCcfS3pQ6Hlnm1gMGhtwESnqEhrxMEt21rbiZqxY2D+AVi4DA8YEtfWMuDhjP
rDi5Qv3KyqQiBme3xJfy9UAR/J3opHJpAnd2SezrYfGwN7liQcGVvyrf/IDNVqpU
El4QW8fxc3Gu+iLeOD4mDlYQfZ83nZK1scWmGYZcqG8qmP14QalZFBcaAEs+hsrT
jhzFxnhYqfeVKEdCYqPs0y169R/O699vzs499/INkqD//ecw2AqPe0gfkEZsgP3N
Co9MsFdmjI/Kwls=
=m+MK
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers
