packages/cri-o
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!5 Fix CVE-2022-2995

Browse Source 
From: @biannm 
Reviewed-by: @jianli-97 
Signed-off-by: @jianli-97
This commit is contained in:
openeuler-ci-bot 2024-03-01 02:08:33 +00:00 committed by Gitee
commit ab45007270
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
backport-CVE-2022-2995.patch Normal file
View File

@ -0,0 +1,52 @@
From db3b399a8d7dabf7f073db73894bee98311d7909 Mon Sep 17 00:00:00 2001
From: Peter Hunt~ <pehunt@redhat.com>
Date: Mon, 22 Aug 2022 15:10:05 -0400
Subject: [PATCH] server: add container GID to additional groups
Signed-off-by: Peter Hunt~ <pehunt@redhat.com>
---
server/container_create.go | 5 +++--
test/ctr.bats | 12 ++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index 1acfa182133..80867de29fc 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -249,10 +249,11 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
}
specgen.SetProcessUID(uid)
- specgen.SetProcessGID(gid)
if sc.RunAsGroup != nil {
- specgen.SetProcessGID(uint32(sc.RunAsGroup.Value))
+ gid = uint32(sc.RunAsGroup.Value)
}
+ specgen.SetProcessGID(gid)
+ specgen.AddProcessAdditionalGid(gid)
for _, group := range addGroups {
specgen.AddProcessAdditionalGid(group)
diff --git a/test/ctr.bats b/test/ctr.bats
index 82fed4f883f..801f26c55db 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
@@ -885,6 +885,18 @@ function check_oci_annotation() {
crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status
}
+@test "ctr has gid in supplimental groups" {
+ start_crio
+
+ jq ' .linux.security_context.run_as_user.value = 1000
+ | .linux.security_context.run_as_group.value = 1000' \
+ "$TESTDATA"/container_redis.json > "$newconfig"
+
+ ctr_id=$(crictl run "$newconfig" "$TESTDATA"/sandbox_config.json)
+
+ crictl exec --sync "$ctr_id" grep Groups:.1000 /proc/1/status
+}
+
@test "ctr with low memory configured should not be created" {
start_crio
pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)

8
cri-o.spec
View File

@ -21,12 +21,15 @@
Name: cri-o Name: cri-o
Version: 1.23.2 Version: 1.23.2
Epoch: 0 Epoch: 0
Release: 1 Release: 2
Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/cri-o/cri-o URL: https://github.com/cri-o/cri-o
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0: backport-CVE-2022-2995.patch
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}} ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
BuildRequires: gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make BuildRequires: gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make
@ -156,6 +159,9 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
%{_datadir}/zsh/site-functions/_%{service_name}* %{_datadir}/zsh/site-functions/_%{service_name}*
%changelog %changelog
* Wed Feb 01 2023 biannm <bian_naimeng@hoperun.com> - 0:1.23.2-2
- Fix CVE-2022-2995
* Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 0:1.23.2-1 * Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 0:1.23.2-1
- Update cri-o to 1.23.2 - Update cri-o to 1.23.2