Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: onlyjob@debian.org, siretart@tauware.de
[ Reason ]
A no-dsa security vulnerability, CVE-2022-27650:
https://security-tracker.debian.org/tracker/CVE-2022-27650
[ Impact ]
Copying from the CVE:
"A flaw was found in crun where containers were incorrectly started with
non-empty default permissions. A vulnerability was found in Moby (Docker
Engine) where containers were started incorrectly with non-empty
inheritable Linux process capabilities. This flaw allows an attacker
with access to programs with inheritable file capabilities to elevate
those capabilities to the permitted set when execve(2) runs."
[ Tests ]
Smoke-tested manually with podman. No automated tests on the Debian end,
sadly. The change has been tested on upstream's CI system and in
deployments in the wild, however.
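As an added check (example code, not part of this report or of crun itself), the following parses the Cap* lines of a /proc/<pid>/status dump and reports whatever is left in the inheritable set; for a container process started by a fixed crun that list should be empty. The status samples are constructed, not captured from podman, and check_pid is a hypothetical helper for a live Linux host.

```python
"""Flag a non-empty inheritable capability set in a /proc/<pid>/status dump."""
import re

# Capability bit numbers from <linux/capability.h> (only the ones used here).
CAP_NAMES = {
    0: "CAP_CHOWN", 5: "CAP_KILL", 10: "CAP_NET_BIND_SERVICE",
    21: "CAP_SYS_ADMIN", 29: "CAP_AUDIT_WRITE",
}
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

# Constructed samples: the three default caps are 0x20000420 (bits 29, 5, 10).
# Before the fix the inheritable set mirrors permitted; after it, it is empty.
BEFORE_FIX = "Name:\tsh\nCapInh:\t0000000020000420\nCapPrm:\t0000000020000420\n" \
             "CapEff:\t0000000020000420\nCapBnd:\t0000000020000420\n"
AFTER_FIX = BEFORE_FIX.replace("CapInh:\t0000000020000420", "CapInh:\t0000000000000000")


def parse_caps(status_text):
    """Return {field: int bitmask} for the Cap* lines of a status dump."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s+([0-9a-fA-F]{16})$", line.strip())
        if m and m.group(1) in CAP_FIELDS:
            caps[m.group(1)] = int(m.group(2), 16)
    missing = [f for f in CAP_FIELDS if f not in caps]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return caps


def cap_names(mask):
    """Expand a bitmask to capability names, lowest bit first."""
    return [CAP_NAMES.get(i, "CAP_%d" % i) for i in range(64) if mask >> i & 1]


def inheritable_findings(status_text):
    """Names in CapInh; an empty list is what a fixed crun should produce."""
    return cap_names(parse_caps(status_text)["CapInh"])


def check_pid(pid):
    """Hypothetical wrapper for a live process; needs a Linux /proc."""
    with open("/proc/%d/status" % pid) as f:
        return inheritable_findings(f.read())


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, inheritable_findings(sample) or "inheritable set is empty")
```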
[ Risks ]
Low risk: the diff is pretty trivial and a direct backport of two
upstream commits, which apply cleanly. They have also been included in a
version released almost a year ago (March 24, 2022), v1.4.4.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backport of upstream commits:
https://github.com/containers/crun/commit/b847d146d496c9d7beba166fd595488e85488562
https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6
Syncing Uploaders with unstable, including adding myself, to indicate
this is a Maintainer upload.
[ Other info ]
The diff is staged in salsa, under the debian/bullseye branch, in the
debian/crun repository.
Thank you for your consideration!
Best,
Faidon
diff -Nru crun-0.17+dfsg/debian/changelog crun-0.17+dfsg/debian/changelog
--- crun-0.17+dfsg/debian/changelog 2021-02-01 03:33:51.000000000 +0200
+++ crun-0.17+dfsg/debian/changelog 2023-02-11 23:44:44.000000000 +0200
@@ -1,3 +1,13 @@
+crun (0.17+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream commits b847d14 ("spec: do not set inheritable
+ capabilities") and 1aeeed2 ("exec: --cap do not set inheritable
+ capabilities") to address CVE-2022-27650, a flaw where containers were
+ incorrectly started with non-empty default permissions.
+ * Sync Uploaders from unstable, to indicate that this a maintainer upload.
+
+ -- Faidon Liambotis <paravoid@debian.org> Sat, 11 Feb 2023 23:44:44 +0200
+
crun (0.17+dfsg-1) unstable; urgency=medium
* New upstream release.
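Review bot: the second bullet of the new changelog entry is missing a word: "to indicate that this a maintainer upload" should read "to indicate that this is a maintainer upload". In the first bullet, "non-empty default permissions" copies the CVE wording; "non-empty inheritable capabilities" would describe what the two backported commits actually change (the default spec's inheritable list and the inheritable set for exec --cap).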
diff -Nru crun-0.17+dfsg/debian/control crun-0.17+dfsg/debian/control
--- crun-0.17+dfsg/debian/control 2020-07-17 16:20:31.000000000 +0300
+++ crun-0.17+dfsg/debian/control 2023-02-11 23:29:43.000000000 +0200
@@ -3,6 +3,9 @@
Priority: optional
Standards-Version: 4.5.0
Maintainer: Dmitry Smirnov <onlyjob@debian.org>
+Uploaders:
+ Faidon Liambotis <paravoid@debian.org>,
+ Reinhard Tartler <siretart@tauware.de>,
Build-Depends: debhelper-compat (= 12)
,automake
,golang-github-opencontainers-image-spec-dev
diff -Nru crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch
--- crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch 1970-01-01 02:00:00.000000000 +0200
+++ crun-0.17+dfsg/debian/patches/CVE-2022-27650-1aeeed2.patch 2023-02-11 23:42:25.000000000 +0200
@@ -0,0 +1,15 @@
+diff --git a/src/exec.c b/src/exec.c
+index 7a8931e5..c876ecd1 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -304,8 +304,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
+ capabilities->effective = exec_options.cap;
+ capabilities->effective_len = exec_options.cap_size;
+
+- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
+- capabilities->inheritable_len = exec_options.cap_size;
++ capabilities->inheritable = NULL;
++ capabilities->inheritable_len = 0;
+
+ capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
+ capabilities->bounding_len = exec_options.cap_size;
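Review bot: the new quilt patch carries no DEP-3 header; since it is a backport, add Origin: (the upstream commit URL for 1aeeed2 given in the report), Bug-Debian:/Bug: pointing at the CVE tracker entry, and Applied-Upstream: 1.4.4 above the diff --git line so the provenance survives outside this bug. The change itself is what the CVE calls for: the inheritable set for crun exec --cap becomes NULL with length 0, while the effective and bounding sets keep the requested list, and dropping dup_array here also removes the allocation that went with it.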
diff -Nru crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch
--- crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch 1970-01-01 02:00:00.000000000 +0200
+++ crun-0.17+dfsg/debian/patches/CVE-2022-27650-b847d14.patch 2023-02-11 23:14:40.000000000 +0200
@@ -0,0 +1,14 @@
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 5a0744ff..f60740d8 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -120,9 +120,6 @@ static const char spec_file[] = "\
+ \"CAP_NET_BIND_SERVICE\"\n\
+ ],\n\
+ \"inheritable\": [\n\
+- \"CAP_AUDIT_WRITE\",\n\
+- \"CAP_KILL\",\n\
+- \"CAP_NET_BIND_SERVICE\"\n\
+ ],\n\
+ \"permitted\": [\n\
+ \"CAP_AUDIT_WRITE\",\n\
diff -Nru crun-0.17+dfsg/debian/patches/series crun-0.17+dfsg/debian/patches/series
--- crun-0.17+dfsg/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ crun-0.17+dfsg/debian/patches/series 2023-02-11 23:43:29.000000000 +0200
@@ -0,0 +1,2 @@
+CVE-2022-27650-b847d14.patch
+CVE-2022-27650-1aeeed2.patch