fix CVE-2022-4318

0002-fix-CVE-2022-4318.patch

@@ -0,0 +1,26 @@
+From 6de3c05eb6cbb0e98c64bb92bc848a99436c363c Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 13 Mar 2024 09:39:27 +0800
+Subject: [PATCH] fix CVE-2022-4318
+
+---
+ server/container_create.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/server/container_create.go b/server/container_create.go
+index 520efc7..30f9ba5 100644
+--- a/server/container_create.go
++++ b/server/container_create.go
+@@ -196,6 +196,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
+ 	for _, env := range specgen.Config.Process.Env {
+ 		if strings.HasPrefix(env, "HOME=") {
+ 			homedir = strings.TrimPrefix(env, "HOME=")
++			if idx := strings.Index(homedir, `\n`); idx > -1 {
++				return fmt.Errorf("invalid HOME environment; newline not allowed")
++			}
+ 			break
+ 		}
+ 	}
+-- 
+2.20.1
+

cri-o.spec

@@ -21,7 +21,7 @@
 Name:           cri-o
 Version:        1.23.2
 Epoch:          0
-Release:        3
+Release:        4
 Summary:        Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License:        ASL 2.0
 URL:            https://github.com/cri-o/cri-o
@@ -30,6 +30,7 @@ Source1:         https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 
 Patch0:         backport-CVE-2022-2995.patch
 Patch0001:      0001-fix-CVE-2022-27652.patch
+Patch0002:      0002-fix-CVE-2022-4318.patch
 
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires:  golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@@ -160,6 +161,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 
 %changelog
+* Wed Mar 13 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-4318
+
 * Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-3
 - Type:bugfix
 - CVE:NA