packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

runc:fix CVE-2024-3154

Browse Source 
(cherry picked from commit 4066efdeea131fd2ceb9830f5bf1a4320a4be161)
This commit is contained in:
zhongjiawei 2024-05-24 09:43:08 +08:00 committed by openeuler-sync-bot
parent 6000252afb
commit 7468edaaff
4 changed files with 59 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
git-commit
View File

@ -1 +1 @@
3af9b6470b9bdac1d1e6e881e8f89963b6965519 984c9ee928178d7acf6356005aeed57fca9c4c52

50
patch/0053-runc-fix-CVE-2024-3154.patch Normal file
View File

@ -0,0 +1,50 @@
From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Sat, 9 Mar 2024 21:30:56 +0900
Subject: [PATCH] features: implement returning
potentiallyUnsafeConfigAnnotations list
See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
features.go | 5 +++++
types/features/features.go | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/features.go b/features.go
index c9cd15c..7f76e7a 100644
--- a/features.go
+++ b/features.go
@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
Enabled: &tru,
},
},
+ PotentiallyUnsafeConfigAnnotations: []string{
+ "bundle",
+ "org.systemd.property.", // prefix form
+ "org.criu.config",
+ },
}
if seccomp.Enabled {
diff --git a/types/features/features.go b/types/features/features.go
index c6269ca..8b467f7 100644
--- a/types/features/features.go
+++ b/types/features/features.go
@@ -25,6 +25,12 @@ type Features struct {
// Annotations contains implementation-specific annotation strings,
// such as the implementation version, and third-party extensions.
Annotations map[string]string `json:"annotations,omitempty"`
+
+ // PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
+ // that may appear in `config.json`.
+ //
+ // A value that ends with "." is interpreted as a prefix of annotations.
+ PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
}
// Linux is specific to Linux.
--
2.33.0

8
runc.spec
View File

@ -3,7 +3,7 @@
Name: docker-runc Name: docker-runc
Version: 1.1.3 Version: 1.1.3
Release: 23 Release: 25
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0 License: ASL 2.0
@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc %{_bindir}/runc
%changelog %changelog
* Fri May 24 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-25
- Type:CVE
- CVE:CVE-2024-3154
- SUG:NA
- DESC:fix CVE-2024-3154
* Tue Feb 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-24 * Tue Feb 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-24
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA

1
series.conf
View File

@ -50,3 +50,4 @@ patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch
patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch
patch/0051-runc-fix-CVE-2024-21626.patch patch/0051-runc-fix-CVE-2024-21626.patch
patch/0052-runc-check-cmd-exist.patch patch/0052-runc-check-cmd-exist.patch
patch/0053-runc-fix-CVE-2024-3154.patch