diff --git a/0001-fix-CVE-2022-27652.patch b/0001-fix-CVE-2022-27652.patch
new file mode 100644
index 0000000..0dff13a
--- /dev/null
+++ b/0001-fix-CVE-2022-27652.patch
@@ -0,0 +1,66 @@
+From b5ba4b04cef13cbe2d9a0ee9d4781a359fc20f5e Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Mon, 11 Mar 2024 16:12:02 +0800
+Subject: [PATCH] fix CVE-2022-27652
+
+---
+ server/container_create.go | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/server/container_create.go b/server/container_create.go
+index 520efc7..7de2676 100644
+--- a/server/container_create.go
++++ b/server/container_create.go
+@@ -292,6 +292,9 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ // and pods expect that switching to a non-root user results in the capabilities being
+ // dropped. This should be revisited in the future.
+ specgen.Config.Process.Capabilities.Ambient = []string{}
++ // Also remove all inheritable capabilities in accordance with CVE-2022-27652,
++ // as it's not idiomatic for a manager of processes to set them.
++ specgen.Config.Process.Capabilities.Inheritable = []string{}
+ 
+ if caps == nil {
+ return nil
+@@ -329,9 +332,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.AddProcessCapabilityEffective(c); err != nil {
+ return err
+ }
+- if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
+- return err
+- }
+ if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
+ return err
+ }
+@@ -345,9 +345,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.DropProcessCapabilityEffective(c); err != nil {
+ return err
+ }
+- if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
+- return err
+- }
+ if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
+ return err
+ }
+@@ -369,9 +366,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
+ return err
+ }
+- if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
+- return err
+- }
+ if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
+ return err
+ }
+@@ -388,9 +382,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
+ return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+ }
+- if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
+- return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+- }
+ if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
+ return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+ }
+--
+2.20.1
+
diff --git a/cri-o.spec b/cri-o.spec
index 26e1495..bf207a2 100644
--- a/cri-o.spec
+++ b/cri-o.spec
@@ -21,7 +21,7 @@ Name: cri-o
 Version: 1.23.2
 Epoch: 0
-Release: 2
+Release: 3
 Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License: ASL 2.0
 URL: https://github.com/cri-o/cri-o
@@ -29,6 +29,7 @@ Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Patch0: backport-CVE-2022-2995.patch
+Patch0001: 0001-fix-CVE-2022-27652.patch
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@@ -159,6 +160,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
+* Mon Apr 1 2024 zhangbowei - 0:1.23.2-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2022-27652
+
 * Wed Feb 01 2023 biannm - 0:1.23.2-2
 - Fix CVE-2022-2995
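Review bot: The backported patch carries no reference to the upstream commit it mirrors — the inner commit body between `Subject: [PATCH] fix CVE-2022-27652` and the `---` separator is empty — so a reviewer cannot verify that these hunks match the upstream fix for the inheritable-capabilities issue the subject names. Add a trailer such as `Reference: <UPSTREAM_COMMIT_URL>` (placeholder) and a short body stating that `Inheritable` is now cleared before the `if caps == nil` early return, so the set is empty for every container, and that the `AddProcessCapabilityInheritable` calls removed in the later hunks would otherwise repopulate the set just cleared. The diffstat (`1 file changed`) also shows no test change; a regression test asserting that the generated spec's `Process.Capabilities.Inheritable` is empty would keep this from silently regressing on the next rebase. `setupCapabilities` begins and ends outside every hunk of the inner patch.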
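Review bot: `Patch0001: 0001-fix-CVE-2022-27652.patch` is declared but nothing in this hunk shows it being applied; unless `%prep` uses `%autosetup`/`%autopatch` (not visible here), an explicit `%patch0 -p1` line would need a matching `%patch0001 -p1`, and without one the rebuilt package would ship without the fix while its changelog claims to carry it. The tag numbering is also inconsistent with the existing `Patch0:`; `Patch1: 0001-fix-CVE-2022-27652.patch` keeps the sequence. In the changelog hunk below, `- CVE:NA` contradicts `- DESC:fix CVE-2022-27652`; it should read `- CVE:CVE-2022-27652` so the advisory is searchable from the package metadata.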