Version in base suite: 1.4.13~ds1-1~deb11u1 Base version: containerd_1.4.13~ds1-1~deb11u1 Target version: containerd_1.4.13~ds1-1~deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/containerd/containerd_1.4.13~ds1-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/containerd/containerd_1.4.13~ds1-1~deb11u2.dsc changelog | 8 ++ patches/0009-CVE-2022-31030.patch | 71 +++++++++++++++++++++ patches/0010-CVE-2022-24769.patch | 126 ++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 207 insertions(+)
diff -Nru containerd-1.4.13~ds1/debian/changelog containerd-1.4.13~ds1/debian/changelog
--- containerd-1.4.13~ds1/debian/changelog 2022-03-02 18:21:10.000000000 +0000
+++ containerd-1.4.13~ds1/debian/changelog 2022-06-06 19:07:20.000000000 +0000
@@ -1,3 +1,11 @@
+containerd (1.4.13~ds1-1~deb11u2) bullseye-security; urgency=high
+
+ * CVE-2022-31030: CRI plugin: Host memory exhaustion through ExecSync
+ * CVE-2022-24769: Default inheritable capabilities for linux container
+ should be empty
+
+ -- Shengjing Zhu Tue, 07 Jun 2022 03:07:20 +0800
+
 containerd (1.4.13~ds1-1~deb11u1) bullseye-security; urgency=high
 * New upstream version 1.4.13~ds1
diff -Nru containerd-1.4.13~ds1/debian/patches/0009-CVE-2022-31030.patch containerd-1.4.13~ds1/debian/patches/0009-CVE-2022-31030.patch
--- containerd-1.4.13~ds1/debian/patches/0009-CVE-2022-31030.patch 1970-01-01 00:00:00.000000000 +0000
+++ containerd-1.4.13~ds1/debian/patches/0009-CVE-2022-31030.patch 2022-06-06 19:07:20.000000000 +0000
@@ -0,0 +1,71 @@
+From: Shengjing Zhu
+Date: Tue, 7 Jun 2022 02:26:54 +0800
+Subject: CVE-2022-31030
+
+Origin: backport, https://github.com/containerd/containerd/commit/c1bcabb4
+---
+ .../cri/pkg/server/container_execsync.go | 45 +++++++++++++++++++++-
+ 1 file changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
+index 1c019f6..81a803c 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
+@@ -38,14 +38,55 @@ import (
+ "github.com/containerd/cri/pkg/util"
+ )
+
++type cappedWriter struct {
++ w io.WriteCloser
++ remain int
++}
++
++func (cw *cappedWriter) Write(p []byte) (int, error) {
++ if cw.remain <= 0 {
++ return len(p), nil
++ }
++
++ end := cw.remain
++ if end > len(p) {
++ end = len(p)
++ }
++ written, err := cw.w.Write(p[0:end])
++ cw.remain -= written
++
++ if err != nil {
++ return written, err
++ }
++ return len(p), nil
++}
++
++func (cw *cappedWriter) Close() error {
++ return cw.w.Close()
++}
++
++func (cw *cappedWriter) isFull() bool {
++ return cw.remain <= 0
++}
++
+ // ExecSync executes a command in the container, and returns the stdout output.
+ // If command exits with a non-zero exit code, an error is returned.
+ func (c *criService) ExecSync(ctx context.Context, r *runtime.ExecSyncRequest) (*runtime.ExecSyncResponse, error) {
++ const maxStreamSize = 1024 * 1024 * 16
++
+ var stdout, stderr bytes.Buffer
++
++ // cappedWriter truncates the output. In that case, the size of
++ // the ExecSyncResponse will hit the CRI plugin's gRPC response limit.
++ // Thus the callers outside of the containerd process (e.g. Kubelet) never see
++ // the truncated output.
++ cout := &cappedWriter{w: cioutil.NewNopWriteCloser(&stdout), remain: maxStreamSize}
++ cerr := &cappedWriter{w: cioutil.NewNopWriteCloser(&stderr), remain: maxStreamSize}
++
+ exitCode, err := c.execInContainer(ctx, r.GetContainerId(), execOptions{
+ cmd: r.GetCmd(),
+- stdout: cioutil.NewNopWriteCloser(&stdout),
+- stderr: cioutil.NewNopWriteCloser(&stderr),
++ stdout: cout,
++ stderr: cerr,
+ timeout: time.Duration(r.GetTimeout()) * time.Second,
+ })
+ if err != nil {
diff -Nru containerd-1.4.13~ds1/debian/patches/0010-CVE-2022-24769.patch containerd-1.4.13~ds1/debian/patches/0010-CVE-2022-24769.patch
--- containerd-1.4.13~ds1/debian/patches/0010-CVE-2022-24769.patch 1970-01-01 00:00:00.000000000 +0000
+++ containerd-1.4.13~ds1/debian/patches/0010-CVE-2022-24769.patch 2022-06-06 19:07:20.000000000 +0000
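Review bot: cappedWriter.Write returns len(p), nil once remain reaches zero, so every byte past maxStreamSize is dropped with no signal to ExecSync's caller, and neither the type nor the constant documents that contract; a doc comment on the type would make it explicit, e.g. `// cappedWriter forwards at most remain bytes to w and silently discards the rest, still reporting len(p) when the underlying write succeeds so the producer is not stalled by the cap.` The cap is also applied per stream (cout and cerr each start with remain: maxStreamSize), so one ExecSync can still hold up to twice that across stdout and stderr, which is worth stating on the const: `// maxStreamSize bounds stdout and stderr separately.` isFull is added but nothing in this patch calls it (the diffstat's 43 insertions are all in this hunk), so in this backport it appears to be dead code unless a test outside the patch uses it. The ExecSync body continues past the end of the hunk.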
@@ -0,0 +1,126 @@
+From: Shengjing Zhu
+Date: Tue, 7 Jun 2022 03:04:57 +0800
+Subject: CVE-2022-24769
+
+Origin: backport, https://github.com/containerd/containerd/commit/921cf570
+---
+ oci/spec.go | 7 +++----
+ oci/spec_opts.go | 5 +----
+ oci/spec_opts_test.go | 4 ----
+ oci/spec_test.go | 5 ++---
+ 4 files changed, 6 insertions(+), 15 deletions(-)
+
+diff --git a/oci/spec.go b/oci/spec.go
+index 035bb7e..ff25ddf 100644
+--- a/oci/spec.go
++++ b/oci/spec.go
+@@ -148,10 +148,9 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
+ GID: 0,
+ },
+ Capabilities: &specs.LinuxCapabilities{
+- Bounding: defaultUnixCaps(),
+- Permitted: defaultUnixCaps(),
+- Inheritable: defaultUnixCaps(),
+- Effective: defaultUnixCaps(),
++ Bounding: defaultUnixCaps(),
++ Permitted: defaultUnixCaps(),
++ Effective: defaultUnixCaps(),
+ },
+ Rlimits: []specs.POSIXRlimit{
+ {
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 89346fe..1372584 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -770,7 +770,6 @@ func WithCapabilities(caps []string) SpecOpts {
+ s.Process.Capabilities.Bounding = caps
+ s.Process.Capabilities.Effective = caps
+ s.Process.Capabilities.Permitted = caps
+- s.Process.Capabilities.Inheritable = caps
+
+ return nil
+ }
+@@ -828,7 +827,6 @@ func WithAddedCapabilities(caps []string) SpecOpts {
+ &s.Process.Capabilities.Bounding,
+ &s.Process.Capabilities.Effective,
+ &s.Process.Capabilities.Permitted,
+- &s.Process.Capabilities.Inheritable,
+ } {
+ if !capsContain(*cl, c) {
+ *cl = append(*cl, c)
+@@ -848,7 +846,6 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
+ &s.Process.Capabilities.Bounding,
+ &s.Process.Capabilities.Effective,
+ &s.Process.Capabilities.Permitted,
+- &s.Process.Capabilities.Inheritable,
+ } {
+ removeCap(cl, c)
+ }
+@@ -863,7 +860,7 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
+ func WithAmbientCapabilities(caps []string) SpecOpts {
+ return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+ setCapabilities(s)
+-
++ s.Process.Capabilities.Inheritable = caps
+ s.Process.Capabilities.Ambient = caps
+ return nil
+ }
+diff --git a/oci/spec_opts_test.go b/oci/spec_opts_test.go
+index 12726fe..e4bec5a 100644
+--- a/oci/spec_opts_test.go
++++ b/oci/spec_opts_test.go
+@@ -561,7 +561,6 @@ func TestAddCaps(t *testing.T) {
+ s.Process.Capabilities.Bounding,
+ s.Process.Capabilities.Effective,
+ s.Process.Capabilities.Permitted,
+- s.Process.Capabilities.Inheritable,
+ } {
+ if !capsContain(cl, "CAP_CHOWN") {
+ t.Errorf("cap list %d does not contain added cap", i)
+@@ -585,7 +584,6 @@ func TestDropCaps(t *testing.T) {
+ s.Process.Capabilities.Bounding,
+ s.Process.Capabilities.Effective,
+ s.Process.Capabilities.Permitted,
+- s.Process.Capabilities.Inheritable,
+ } {
+ if capsContain(cl, "CAP_CHOWN") {
+ t.Errorf("cap list %d contains dropped cap", i)
+@@ -604,7 +602,6 @@ func TestDropCaps(t *testing.T) {
+ s.Process.Capabilities.Bounding,
+ s.Process.Capabilities.Effective,
+ s.Process.Capabilities.Permitted,
+- s.Process.Capabilities.Inheritable,
+ } {
+ if capsContain(cl, "CAP_FOWNER") {
+ t.Errorf("cap list %d contains dropped cap", i)
+@@ -625,7 +622,6 @@ func TestDropCaps(t *testing.T) {
+ s.Process.Capabilities.Bounding,
+ s.Process.Capabilities.Effective,
+ s.Process.Capabilities.Permitted,
+- s.Process.Capabilities.Inheritable,
+ } {
+ if len(cl) != 0 {
+ t.Errorf("cap list %d is not empty", i)
+diff --git a/oci/spec_test.go b/oci/spec_test.go
+index e36eac7..ef4bd44 100644
+--- a/oci/spec_test.go
++++ b/oci/spec_test.go
+@@ -44,7 +44,6 @@ func TestGenerateSpec(t *testing.T) {
+ for _, cl := range [][]string{
+ s.Process.Capabilities.Bounding,
+ s.Process.Capabilities.Permitted,
+- s.Process.Capabilities.Inheritable,
+ s.Process.Capabilities.Effective,
+ } {
+ for i := 0; i < len(defaults); i++ {
+@@ -192,8 +191,8 @@ func TestWithCapabilities(t *testing.T) {
+ if len(s.Process.Capabilities.Permitted) != 1 || s.Process.Capabilities.Permitted[0] != "CAP_SYS_ADMIN" {
+ t.Error("Unexpected capabilities set")
+ }
+- if len(s.Process.Capabilities.Inheritable) != 1 || s.Process.Capabilities.Inheritable[0] != "CAP_SYS_ADMIN" {
+- t.Error("Unexpected capabilities set")
++ if len(s.Process.Capabilities.Inheritable) != 0 {
++ t.Errorf("Unexpected capabilities set: length is non zero (%d)", len(s.Process.Capabilities.Inheritable))
+ }
+ }
diff -Nru containerd-1.4.13~ds1/debian/patches/series containerd-1.4.13~ds1/debian/patches/series
--- containerd-1.4.13~ds1/debian/patches/series 2022-03-02 18:21:10.000000000 +0000
+++ containerd-1.4.13~ds1/debian/patches/series 2022-06-06 19:07:20.000000000 +0000
@@ -6,3 +6,5 @@
 0006-backport-apparmor-handle-signal-mediation.patch
 0007-backport-runtime-ignore-file-already-closed-error.patch
 0008-Add-RPi1-RPi0-workaround.patch
+0009-CVE-2022-31030.patch
+0010-CVE-2022-24769.patch
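Review bot: WithAmbientCapabilities in the oci/spec_opts.go hunk now writes caps into Inheritable as well as Ambient, which after this patch makes it the only SpecOpt that still populates Inheritable, yet none of the test changes assert that (spec_opts_test.go only drops Inheritable from the loops, and spec_test.go only checks it is empty after WithCapabilities). A comment on the new assignment would record why Inheritable is set here and nowhere else, e.g. `// The kernel only honours ambient capabilities that are also in the inheritable and permitted sets, so Inheritable is populated only alongside Ambient.` Note too that WithDroppedCapabilities now leaves Inheritable (and Ambient) untouched, so a capability granted via WithAmbientCapabilities survives a later WithDroppedCapabilities; if that is intended, the doc comment on WithDroppedCapabilities should say so, and a test pinning the WithAmbientCapabilities → Inheritable behaviour would keep a future cleanup from reverting it. The enclosing functions start outside the hunks.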