2023-02-21 12:49:22 |
bugproxy |
bug |
|
|
added bug |
2023-02-21 12:49:24 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-201616 severity-high targetmilestone-inin--- |
|
2023-02-21 12:49:26 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2023-02-21 12:49:30 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2023-02-21 12:59:54 |
bugproxy |
bug watch added |
|
https://github.com/containers/podman/issues/12254 |
|
2023-02-21 13:01:00 |
Frank Heimes |
information type |
Public |
Private Security |
|
2023-02-21 13:08:17 |
Frank Heimes |
affects |
linux (Ubuntu) |
libpod (Ubuntu) |
|
2023-02-21 13:08:43 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2023-02-21 13:08:59 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2023-02-21 13:09:39 |
Frank Heimes |
libpod (Ubuntu): assignee |
Skipper Bug Screeners (skipper-screen-team) |
Ubuntu Security Team (ubuntu-security) |
|
2023-02-21 13:09:46 |
Frank Heimes |
libpod (Ubuntu): importance |
Undecided |
High |
|
2023-02-21 13:09:48 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2023-02-22 06:24:25 |
Frank Heimes |
information type |
Private Security |
Public Security |
|
2023-02-22 12:41:31 |
Frank Heimes |
attachment added |
|
debdiff_libpod_jammy_from_3.4.4+ds1-1ubuntu1_to_3.4.4+ds1-1ubuntu1.1.diff https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2007972/+attachment/5649134/+files/debdiff_libpod_jammy_from_3.4.4+ds1-1ubuntu1_to_3.4.4+ds1-1ubuntu1.1.diff |
|
2023-02-22 13:04:29 |
Frank Heimes |
description |
There is a security problem (podman would try to pull an untrusted image, the pause image) that needs to be fixed in Ubuntu 22.04.
The required fix is described & provided here:
https://github.com/containers/podman/issues/12254 |
SRU Justification:
------------------
[ Impact ]
* Pods no longer need k8s/pause,
but podman play kube still fetches it.
* That can be seen as a security problem,
since podman tries to pull this untrusted image.
* https://github.com/containers/podman/issues/12254
[ Test Plan ]
* As described in the upstream issue:
* $ bin/podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
$ printf "apiVersion: v1\nkind: Pod\nmetadata:\n name: foo\n" | env \
CONTAINER_HELPER_PAUSE_PAUSE=bin/pause bin/podman play kube -
Pod:
738622313f1f37b32814664a8dc86d2df36dd5036e661e1d15623686e26c2616
* $ bin/podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/podman-pause 4.0.0-dev-1636547894 99f3b83b4245 5 seconds ago 1.65 MB
k8s.gcr.io/pause 3.5 ed210e3e4a5b 7 months ago 690 kB
* It's expected to see localhost/podman-pause, but not the k8s one.
[ Where problems could occur ]
* Problems could occur if someone accidentally makes use of the image,
which shouldn't be the case.
* Or if there is no local podman-pause or it doesn't build properly.
* In case of issues with the modification in func pullImage(*),
the general pull of images could be harmed.
[ Other Info ]
* The PR 12280 fixes this with commit f517510bc8c11f6ba3145facc10ce351084a4ce4.
This commit is upstream since 4.0.0.
* Since there is a libpod 4.3.1+ds1-5 in lunar-proposed,
lunar is (soon) not affected.
__________
There is a security problem (podman would try to pull an untrusted image, the pause image) that needs to be fixed in Ubuntu 22.04.
The required fix is described & provided here:
https://github.com/containers/podman/issues/12254 |
|
2023-02-22 16:22:21 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-201616 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-201616 patch severity-high targetmilestone-inin--- |
|
2023-03-17 12:35:46 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2023-05-08 14:19:45 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Kinetic |
|
2023-05-08 14:19:45 |
Marc Deslauriers |
bug task added |
|
libpod (Ubuntu Kinetic) |
|
2023-05-08 14:19:45 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Jammy |
|
2023-05-08 14:19:45 |
Marc Deslauriers |
bug task added |
|
libpod (Ubuntu Jammy) |
|
2023-05-08 14:19:51 |
Marc Deslauriers |
libpod (Ubuntu): status |
New |
Fix Released |
|
2023-05-08 14:19:55 |
Marc Deslauriers |
libpod (Ubuntu Jammy): importance |
Undecided |
High |
|
2023-05-08 14:19:58 |
Marc Deslauriers |
libpod (Ubuntu Kinetic): importance |
Undecided |
High |
|
2023-05-23 08:36:36 |
Frank Heimes |
attachment added |
|
debdiff_libpod_kinetic_from_3.4.4+ds1-1ubuntu1_to_3.4.4+ds1-1ubuntu1.22.10.1.diff https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2007972/+attachment/5674854/+files/debdiff_libpod_kinetic_from_3.4.4+ds1-1ubuntu1_to_3.4.4+ds1-1ubuntu1.22.10.1.diff |
|
2023-05-23 08:37:07 |
Frank Heimes |
attachment added |
|
debdiff_libpod_jammy_from_3.4.4+ds1-1ubuntu1_to_3.4.4+ds1-1ubuntu1.22.04.1.diff https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2007972/+attachment/5674856/+files/debdiff_libpod_jammy_from_3.4.4+ds1-1ubuntu1_to_3.4.4+ds1-1ubuntu1.22.04.1.diff |
|
2023-05-23 08:37:19 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2023-06-13 19:09:49 |
Frank Heimes |
libpod (Ubuntu Kinetic): status |
New |
Won't Fix |
|
2023-06-19 10:22:51 |
Launchpad Janitor |
libpod (Ubuntu Jammy): status |
New |
Fix Released |
|
2023-06-19 11:36:58 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Released |
|
2023-06-19 11:59:37 |
bugproxy |
tags |
architecture-s39064 bugnameltc-201616 patch severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-201616 patch severity-high targetmilestone-inin22041 |
|