!265 [sync] PR-262: fix CVE-2024-3154

From: @openeuler-sync-bot Reviewed-by: @zhangsong234 Signed-off-by: @zhangsong234
2024-05-27 01:32:29 +00:00 · 2024-05-27 01:32:29 +00:00 · 36e16fe160
commit 36e16fe160
parent 6000252afb 7468edaaff
4 changed files with 59 additions and 2 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-3af9b6470b9bdac1d1e6e881e8f89963b6965519
+984c9ee928178d7acf6356005aeed57fca9c4c52
--- a/patch/0053-runc-fix-CVE-2024-3154.patch
+++ b/patch/0053-runc-fix-CVE-2024-3154.patch
@ -0,0 +1,50 @@
+From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Sat, 9 Mar 2024 21:30:56 +0900
+Subject: [PATCH] features: implement returning
+ potentiallyUnsafeConfigAnnotations list
+
+See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ features.go                | 5 +++++
+ types/features/features.go | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/features.go b/features.go
+index c9cd15c..7f76e7a 100644
+--- a/features.go
+++ b/features.go
+@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
+ 					Enabled: &tru,
+ 				},
+ 			},
+			PotentiallyUnsafeConfigAnnotations: []string{
+				"bundle",
+				"org.systemd.property.", // prefix form
+				"org.criu.config",
+			},
+ 		}
+ 
+ 		if seccomp.Enabled {
+diff --git a/types/features/features.go b/types/features/features.go
+index c6269ca..8b467f7 100644
+--- a/types/features/features.go
+++ b/types/features/features.go
+@@ -25,6 +25,12 @@ type Features struct {
+ 	// Annotations contains implementation-specific annotation strings,
+ 	// such as the implementation version, and third-party extensions.
+ 	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
+	// that may appear in `config.json`.
+	//
+	// A value that ends with "." is interpreted as a prefix of annotations.
+	PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
+ }
+ 
+ // Linux is specific to Linux.
+-- 
+2.33.0
+
--- a/runc.spec
+++ b/runc.spec
@ -3,7 +3,7 @@

 Name: docker-runc
 Version: 1.1.3
-Release: 23
+Release: 25
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Fri May 24 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-25
+- Type:CVE
+- CVE:CVE-2024-3154
+- SUG:NA
+- DESC:fix CVE-2024-3154
+
 * Tue Feb 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-24
 - Type:bugfix
 - CVE:NA
--- a/series.conf
+++ b/series.conf
@ -50,3 +50,4 @@ patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch
 patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0051-runc-fix-CVE-2024-21626.patch
 patch/0052-runc-check-cmd-exist.patch
+patch/0053-runc-fix-CVE-2024-3154.patch