!5 Fix CVE-2022-2995

From: @biannm Reviewed-by: @jianli-97 Signed-off-by: @jianli-97
2024-03-01 02:08:33 +00:00 · 2024-03-01 02:08:33 +00:00 · ab45007270
commit ab45007270
parent 26a8e95f89 93ca5c80f1
2 changed files with 59 additions and 1 deletions
--- a/backport-CVE-2022-2995.patch
+++ b/backport-CVE-2022-2995.patch
@ -0,0 +1,52 @@
+From db3b399a8d7dabf7f073db73894bee98311d7909 Mon Sep 17 00:00:00 2001
+From: Peter Hunt~ <pehunt@redhat.com>
+Date: Mon, 22 Aug 2022 15:10:05 -0400
+Subject: [PATCH] server: add container GID to additional groups
+
+Signed-off-by: Peter Hunt~ <pehunt@redhat.com>
+---
+ server/container_create.go |  5 +++--
+ test/ctr.bats              | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/server/container_create.go b/server/container_create.go
+index 1acfa182133..80867de29fc 100644
+--- a/server/container_create.go
+++ b/server/container_create.go
+@@ -249,10 +249,11 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
+ 	}
+ 
+ 	specgen.SetProcessUID(uid)
+-	specgen.SetProcessGID(gid)
+ 	if sc.RunAsGroup != nil {
+-		specgen.SetProcessGID(uint32(sc.RunAsGroup.Value))
+		gid = uint32(sc.RunAsGroup.Value)
+ 	}
+	specgen.SetProcessGID(gid)
+	specgen.AddProcessAdditionalGid(gid)
+ 
+ 	for _, group := range addGroups {
+ 		specgen.AddProcessAdditionalGid(group)
+diff --git a/test/ctr.bats b/test/ctr.bats
+index 82fed4f883f..801f26c55db 100644
+--- a/test/ctr.bats
+++ b/test/ctr.bats
+@@ -885,6 +885,18 @@ function check_oci_annotation() {
+ 	crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status
+ }
+ 
+@test "ctr has gid in supplimental groups" {
+	start_crio
+
+	jq '	  .linux.security_context.run_as_user.value = 1000
+		|     .linux.security_context.run_as_group.value = 1000' \
+		"$TESTDATA"/container_redis.json > "$newconfig"
+
+	ctr_id=$(crictl run "$newconfig" "$TESTDATA"/sandbox_config.json)
+
+	crictl exec --sync "$ctr_id" grep Groups:.1000 /proc/1/status
+}
+
+ @test "ctr with low memory configured should not be created" {
+ 	start_crio
+ 	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
--- a/cri-o.spec
+++ b/cri-o.spec
@ -21,12 +21,15 @@
 Name:           cri-o
 Version:        1.23.2
 Epoch:          0
-Release:        1
+Release:        2
 Summary:        Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License:        ASL 2.0
 URL:            https://github.com/cri-o/cri-o
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:         https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+
+Patch0:         backport-CVE-2022-2995.patch
+
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires:  golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
 BuildRequires:  gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make 
@ -156,6 +159,9 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*

 %changelog
+* Wed Feb 01 2023 biannm <bian_naimeng@hoperun.com> - 0:1.23.2-2
+- Fix CVE-2022-2995
+
 * Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 0:1.23.2-1
 - Update cri-o to 1.23.2