Several security issues in libpod 3.4.x

Bug #1971034 reported by Reinhard Tartler
298
This bug affects 9 people
Affects Status Importance Assigned to Milestone
libpod (Ubuntu)
Confirmed
Undecided
Unassigned
Impish
Confirmed
Undecided
Unassigned
Jammy
Confirmed
Undecided
Unassigned
Kinetic
Confirmed
Undecided
Unassigned

Bug Description

Ubuntu 20.04 ships currently with podman 3.4.4. Current upstream is at version 3.4.7 and ships with a number of security updates:

3.4.7
* This release addresses CVE-2022-1227, where running podman top on a container made from a maliciously-crafted image and using a user namespace could allow for code execution in the host context.

3.4.6
* This release addresses CVE-2022-27191, where an attacker could potentially cause crashes in remote Podman by using incorrect SSH ciphers.

3.4.5
* This release addresses CVE-2022-27649, where Podman would set excess inheritable capabilities for processes in containers.
Bugfixes

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Revision history for this message
Reinhard Tartler (siretart) wrote :

@mdeslaur the issue is not addressed with a simple debdiff, several packages need to be updated in the right order. I've done all this work in debian testing, and all those packages could be synced over.

I'm asking for help with coordinating these uploads.

Revision history for this message
Steve Dodd (anarchetic) wrote :

I wonder if it really makes sense to keep podman in the Ubuntu repositories, at least if it's going to stay in universe? It's the sort of software that people who use it are going rely on being secure and up-to-date, and so far at least it has been quite a fast-moving target.

I'm not normally a big fan of static binaries, but in this instance an 'installer' package which just grabs the latest binaries from github and keeps them up-to-date might make more sense.

Alternatively, I wonder whether a snap could be generated? I'm not a fan of the format myself, but I manage to use podman nested with a systemd-nspawn container here, so it seems conceivable that it might also be made to work in a privileged snap (with the assumption that podman itself will protect the host system from the containers it runs.)

Revision history for this message
Anders F Björklund (afbjorklund) wrote :

Which "latest binaries from github" ? Upstream only releases source code.

Revision history for this message
Romain Geissler (rgeissler-1a) wrote :

Hi,

This is not the scope of this bug, but will podman be upgraded and follow upstream releases regularly in Ubuntu 22.04, or it will stay at version 3.4.x during the whole lifetime of jammy ? Indeed this kind of package is still in fast pace mode, and even Red Hat is upgrading it its stable RHEL distos (RHEL 8/9 just moved to 4.0.2 in the last few weeks, and 4.1.x exists already upstream).

Cheers,
Romain

Revision history for this message
Carlos Camacho (ccamacho) wrote :

Is it possible to know if we will have a 4.x version available anytime soon??

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libpod (Ubuntu Impish):
status: New → Confirmed
Changed in libpod (Ubuntu Jammy):
status: New → Confirmed
Changed in libpod (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

The usual approach in Ubuntu is to fix specific bugs in packages rather than perform wholesale version updates: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

You can see that a 4.x version is currently in Debian experimental: https://packages.qa.debian.org/libp/libpod.html

When the maintainers are happy with it, it'll be moved to Debian unstable, at which point it will be ingested to Ubuntu's development release. I can't give you a precise date.

Thanks

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.