packages/cri-o
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-27652

Browse Source
This commit is contained in:
bwzhang 2024-04-01 09:44:49 +08:00
parent ab45007270
commit 53da247c81
2 changed files with 74 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
0001-fix-CVE-2022-27652.patch Normal file
View File

@ -0,0 +1,66 @@
From b5ba4b04cef13cbe2d9a0ee9d4781a359fc20f5e Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Mon, 11 Mar 2024 16:12:02 +0800
Subject: [PATCH] fix CVE-2022-27652
---
server/container_create.go | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index 520efc7..7de2676 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -292,6 +292,9 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
// and pods expect that switching to a non-root user results in the capabilities being
// dropped. This should be revisited in the future.
specgen.Config.Process.Capabilities.Ambient = []string{}
+ // Also remove all inheritable capabilities in accordance with CVE-2022-27652,
+ // as it's not idiomatic for a manager of processes to set them.
+ specgen.Config.Process.Capabilities.Inheritable = []string{}
if caps == nil {
return nil
@@ -329,9 +332,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
if err := specgen.AddProcessCapabilityEffective(c); err != nil {
return err
}
- if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
- return err
- }
if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
return err
}
@@ -345,9 +345,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
if err := specgen.DropProcessCapabilityEffective(c); err != nil {
return err
}
- if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
- return err
- }
if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
return err
}
@@ -369,9 +366,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
return err
}
- if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
- return err
- }
if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
return err
}
@@ -388,9 +382,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
}
- if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
- return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
- }
if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
}
--
2.20.1

9
cri-o.spec
View File

@ -21,7 +21,7 @@
Name: cri-o
Version: 1.23.2
Epoch: 0
Release: 2
Release: 3
Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
License: ASL 2.0
URL: https://github.com/cri-o/cri-o
@ -29,6 +29,7 @@ Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0: backport-CVE-2022-2995.patch
Patch0001: 0001-fix-CVE-2022-27652.patch
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@ -159,6 +160,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
%{_datadir}/zsh/site-functions/_%{service_name}*
%changelog
* Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix CVE-2022-27652
* Wed Feb 01 2023 biannm <bian_naimeng@hoperun.com> - 0:1.23.2-2
- Fix CVE-2022-2995