do not set the inheritable capabilities
The below vulnerabilities are fixed by backporting upstream patches.
CVE-2022-27649: A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
(backported from upstream commit 7b368768)
Signed-off-by: Vignesh Raman <vignesh.raman@collabora.com>
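As an added example, not part of this commit or of the Podman/Moby code: a Go model of the execve(2) capability transition rules from capabilities(7), together with a parser for the Cap* lines of /proc/<pid>/status. It shows why a non-empty inheritable set in a container's init process matters (an unprivileged process keeps P(inheritable) across setuid, so P(inheritable) & F(inheritable) flows back into the permitted set on execve) and gives the check a defender would run against a running container's PID 1. The status text and the file capability (cap_net_raw+i) are constructed; the mask 0xa80425fb is assumed here to be the default container capability set.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// CapSets models the five capability sets of a process, as 64-bit masks
// in the same encoding as the Cap* lines of /proc/<pid>/status.
type CapSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// FileCaps models the capability sets attached to a file via setcap(8).
type FileCaps struct {
	Inh, Prm uint64
	Eff      bool
}

// Capability bit positions from linux/capability.h used below.
const (
	CapNetRaw   = 1 << 13
	CapSysAdmin = 1 << 21
)

// PreFixStatus is a constructed /proc/1/status excerpt from a container
// started before this fix: CapInh is a copy of the default set.
const PreFixStatus = "Name:\tsh\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

// PostFixStatus is the same init after the fix: CapInh is empty.
const PostFixStatus = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

// ExecveTransition applies the rules from capabilities(7):
//   P'(ambient)     = file has caps ? 0 : P(ambient)
//   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
//   P'(inheritable) = P(inheritable)
//   P'(bounding)    = P(bounding)
func ExecveTransition(p CapSets, f FileCaps) CapSets {
	n := CapSets{Inh: p.Inh, Bnd: p.Bnd}
	if f.Inh == 0 && f.Prm == 0 {
		n.Amb = p.Amb // only a non-privileged file preserves ambient caps
	}
	n.Prm = (p.Inh & f.Inh) | (f.Prm & p.Bnd) | n.Amb
	if f.Eff {
		n.Eff = n.Prm
	} else {
		n.Eff = n.Amb
	}
	return n
}

// ParseStatusCaps extracts the Cap* lines from /proc/<pid>/status text.
func ParseStatusCaps(status string) (CapSets, error) {
	var c CapSets
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.HasPrefix(fields[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(fields[1], 16, 64)
		if err != nil {
			return c, fmt.Errorf("%s: %w", fields[0], err)
		}
		switch fields[0] {
		case "CapInh:":
			c.Inh = v
		case "CapPrm:":
			c.Prm = v
		case "CapEff:":
			c.Eff = v
		case "CapBnd:":
			c.Bnd = v
		case "CapAmb:":
			c.Amb = v
		}
	}
	return c, sc.Err()
}

// InheritableNonEmpty is the defender's check: an init process whose CapInh
// is non-zero shows the pre-fix behaviour this commit removes.
func InheritableNonEmpty(status string) (bool, error) {
	c, err := ParseStatusCaps(status)
	return c.Inh != 0, err
}

// AfterSetuid models a process in the container that dropped root: the
// kernel clears permitted and effective, but keeps inheritable and bounding.
func AfterSetuid(init CapSets) CapSets {
	return CapSets{Inh: init.Inh, Bnd: init.Bnd}
}

func main() {
	file := FileCaps{Inh: CapNetRaw, Eff: true} // constructed: cap_net_raw+ei
	for name, status := range map[string]string{"pre-fix": PreFixStatus, "post-fix": PostFixStatus} {
		init, _ := ParseStatusCaps(status)
		got := ExecveTransition(AfterSetuid(init), file)
		fmt.Printf("%-8s CapInh=%016x -> permitted after execve: %016x\n", name, init.Inh, got.Prm)
	}
}
```

Running it prints a non-zero permitted set (CAP_NET_RAW) for the pre-fix init and zero for the post-fix one; the same check can be pointed at a live container by reading /proc/<pid>/status of its init.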