Apertis CI robot · b19bb9d4 · 8ebd0f8c · b19bb9d4
--- a/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch 0 → 100644

+ 89

− 0
+++ b/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch 0 → 100644

+ 89

− 0
+From a256d7188c9db64a00a37798e6a2f0f59b5d798f Mon Sep 17 00:00:00 2001
+From: Matthew Heon <mheon@redhat.com>
+Date: Fri, 2 Sep 2022 13:40:29 -0400
+Subject: [PATCH] Add container GID to additional groups
+
+Mitigates a potential permissions issue. Mirrors Buildah PR #4200
+and CRI-O PR #6159.
+
+Cherry-pick conflicts for v3.0.1-rhel branch have been addressed.
+
+Signed-off-by: Matthew Heon <mheon@redhat.com>
+---
+ libpod/container_internal_linux.go |  1 +
+ pkg/specgen/generate/namespaces.go |  1 +
+ test/e2e/run_test.go               | 14 +++++++++++---
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
+index fb97a4867..48929d8f6 100644
+--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
+@@ -473,6 +473,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+ 		// User and Group must go together
+ 		g.SetProcessUID(uint32(execUser.Uid))
+ 		g.SetProcessGID(uint32(execUser.Gid))
+		g.AddProcessAdditionalGid(uint32(execUser.Gid))
+ 	}
+ 
+ 	if c.config.Umask != "" {
+diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
+index b87375a92..16f79d868 100644
+--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
+@@ -398,6 +398,7 @@ func specConfigureNamespaces(s *specgen.SpecGenerator, g *generate.Generator, rt
+ 		}
+ 		g.SetProcessUID(uint32(uid))
+ 		g.SetProcessGID(uint32(gid))
+		g.AddProcessAdditionalGid(uint32(gid))
+ 		fallthrough
+ 	case specgen.Private:
+ 		if err := g.AddOrReplaceLinuxNamespace(string(spec.UserNamespace), ""); err != nil {
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index bf122a4c0..deba95b28 100644
+--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
+@@ -771,7 +771,7 @@ USER bin`
+ 		session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)"))
+		Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)"))
+ 	})
+ 
+ 	It("podman run with user (integer, in /etc/passwd)", func() {
+@@ -792,14 +792,14 @@ USER bin`
+ 		session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
+		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+ 	})
+ 
+ 	It("podman run with user:group (integer:groupname)", func() {
+ 		session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session.ExitCode()).To(Equal(0))
+-		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
+		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+ 	})
+ 
+ 	It("podman run with user, verify caps dropped", func() {
+@@ -810,6 +810,14 @@ USER bin`
+ 		Expect("0000000000000000").To(Equal(capEff[1]))
+ 	})
+ 
+	It("podman run with user, verify group added", func() {
+		session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		groups := strings.Split(session.OutputToString(), " ")[1]
+		Expect("1000").To(Equal(groups))
+	})
+
+ 	It("podman run with attach stdin outputs container ID", func() {
+ 		session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
+ 		session.WaitWithDefaultTimeout()
+-- 
+2.39.2
+