diff --git a/backport-CVE-2022-2995.patch b/backport-CVE-2022-2995.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03fab371cb04193ffaca84bcb973bc99d4802ee1
--- /dev/null
+++ b/backport-CVE-2022-2995.patch
@@ -0,0 +1,52 @@
+From db3b399a8d7dabf7f073db73894bee98311d7909 Mon Sep 17 00:00:00 2001
+From: Peter Hunt~
+Date: Mon, 22 Aug 2022 15:10:05 -0400
+Subject: [PATCH] server: add container GID to additional groups
+
+Signed-off-by: Peter Hunt~
+---
+ server/container_create.go | 5 +++--
+ test/ctr.bats | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/server/container_create.go b/server/container_create.go
+index 1acfa182133..80867de29fc 100644
+--- a/server/container_create.go
++++ b/server/container_create.go
+@@ -249,10 +249,11 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
+ }
+
+ specgen.SetProcessUID(uid)
+- specgen.SetProcessGID(gid)
+ if sc.RunAsGroup != nil {
+- specgen.SetProcessGID(uint32(sc.RunAsGroup.Value))
++ gid = uint32(sc.RunAsGroup.Value)
+ }
++ specgen.SetProcessGID(gid)
++ specgen.AddProcessAdditionalGid(gid)
+
+ for _, group := range addGroups {
+ specgen.AddProcessAdditionalGid(group)
+diff --git a/test/ctr.bats b/test/ctr.bats
+index 82fed4f883f..801f26c55db 100644
+--- a/test/ctr.bats
++++ b/test/ctr.bats
+@@ -885,6 +885,18 @@ function check_oci_annotation() {
+ crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status
+ }
+
++@test "ctr has gid in supplimental groups" {
++ start_crio
++
++ jq ' .linux.security_context.run_as_user.value = 1000
++ | .linux.security_context.run_as_group.value = 1000' \
++ "$TESTDATA"/container_redis.json > "$newconfig"
++
++ ctr_id=$(crictl run "$newconfig" "$TESTDATA"/sandbox_config.json)
++
++ crictl exec --sync "$ctr_id" grep Groups:.1000 /proc/1/status
++}
++
+ @test "ctr with low memory configured should not be created" {
+ start_crio
+ pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
diff --git a/cri-o.spec b/cri-o.spec
index 3841bd1113f9c4321d249d9d626724381beaebe7..26e14952919ba62e0dfb2f0c44e2aa3ae4776f5e 100644
--- a/cri-o.spec
+++ b/cri-o.spec
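Review bot: `gid = uint32(sc.RunAsGroup.Value)` narrows the requested group without a range check, so a negative or larger-than-uint32 RunAsGroup silently wraps to an unrelated GID; the line it replaces did the same cast, so this is pre-existing, but the wrapped value now also reaches the supplementary groups through `AddProcessAdditionalGid(gid)`. If `Value` is the CRI int64 and the enclosing `setupContainerUser` (its signature starts outside the hunk) returns an error, a guard such as `if v := sc.RunAsGroup.Value; v < 0 || v > math.MaxUint32 { return fmt.Errorf("invalid RunAsGroup %d", v) }` ahead of the cast would reject it explicitly rather than silently remapping it. Since this file is a verbatim upstream backport, that is a point to carry upstream rather than to edit here. In the bats hunk, the test name misspells "supplemental" as `supplimental`, and `grep Groups:.1000` also matches a Groups line containing 10001; `grep -E 'Groups:\s+1000(\s|$)'` would pin the GID exactly.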
@@ -21,12 +21,15 @@
 Name: cri-o
 Version: 1.23.2
 Epoch: 0
-Release: 1
+Release: 2
 Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License: ASL 2.0
 URL: https://github.com/cri-o/cri-o
 Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+
+Patch0: backport-CVE-2022-2995.patch
+
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
 BuildRequires: gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make
@@ -156,6 +159,9 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
+* Wed Feb 01 2023 biannm - 0:1.23.2-2
+- Fix CVE-2022-2995
+
 * Tue Jun 07 2022 fushanqing - 0:1.23.2-1
 - Update cri-o to 1.23.2
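Review bot: `Patch0: backport-CVE-2022-2995.patch` only declares the patch; whether it is applied depends on the %prep section, which this diff does not touch. If %prep uses a plain `%setup` rather than `%autosetup -p1` (or an explicit `%patch0 -p1`), the build ships 1.23.2 unchanged while the new changelog entry claims CVE-2022-2995 is fixed, so %prep should be confirmed as part of this change. The backport's paths are `a/server/...` and `a/test/...`, so `-p1` is the required strip level, and its hunks carry upstream offsets and blob ids, so a clean apply against the 1.23.2 tarball is worth checking in the build log. The Release bump and the changelog hunk on the same line need nothing further.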