From 6de3c05eb6cbb0e98c64bb92bc848a99436c363c Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Wed, 13 Mar 2024 09:39:27 +0800
Subject: [PATCH] fix CVE-2022-4318
---
 server/container_create.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/server/container_create.go b/server/container_create.go
index 520efc7..30f9ba5 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -196,6 +196,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
 for _, env := range specgen.Config.Process.Env {
 if strings.HasPrefix(env, "HOME=") {
 homedir = strings.TrimPrefix(env, "HOME=")
+ if idx := strings.Index(homedir, `\n`); idx > -1 {
+ return fmt.Errorf("invalid HOME environment; newline not allowed")
+ }
 break
 }
 }
-- 
2.20.1
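Review bot: The added guard searches `homedir` for a back-quoted raw string literal, which in Go is the two characters backslash and `n`, not a line feed. A HOME value holding a real newline byte therefore still passes the check. Unless the value is known to arrive escaped (not visible in this hunk), the condition should use an interpreted string and also cover carriage return, e.g. `if strings.ContainsAny(homedir, "\n\r") {`, which also removes the unused `idx`. If `homedir` is later written into a colon-delimited record, as the CVE reference suggests but the hunk does not show, rejecting `:` there is worth considering too. The body of `setupContainerUser` starts and ends outside the hunk, so the use of `homedir` could not be checked here.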