Fix CVE-2023-25153
parent
66e0ef6f9f
commit
8fabe95385
36
0001-Fix-CVE-2023-25153.patch
Normal file
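--- /dev/null
+++ b/0001-Fix-CVE-2023-25153.patch
@@ -0,0 +1,36 @@
+From e1ec32e24f11bb3f003ef876e404777c1041349b Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 13 Mar 2024 15:03:38 +0800
+Subject: [PATCH] Fix CVE-2023-25153
+
+---
+images/archive/importer.go | 12 +++++++-----
+1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/images/archive/importer.go b/images/archive/importer.go
+index c531049..8ba3206 100644
+--- a/images/archive/importer.go
++++ b/images/archive/importer.go
+@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
+return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
+}
+
++const (
++ kib = 1024
++ mib = 1024 * kib
++ jsonLimit = 20 * mib
++)
++
+func onUntarJSON(r io.Reader, j interface{}) error {
+- b, err := io.ReadAll(r)
+- if err != nil {
+- return err
+- }
+- return json.Unmarshal(b, j)
++ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
+}
+
+func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
+--
+2.20.1
+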
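Review bot: The added `onUntarJSON` returns as soon as `Decode` has read one JSON value, so any bytes that follow that value in the archive entry are now accepted without error, where the removed `json.Unmarshal(b, j)` rejected trailing data. An entry that exceeds `jsonLimit` is also reported only as a generic decode error, which makes a size-limit rejection hard to tell apart from a truncated archive when triaging import failures. If this patch is not required to match an upstream fix verbatim, keep the decoder in a variable and follow `Decode` with `if _, err := dec.Token(); err != io.EOF { return errors.New("unexpected data after JSON value") }` (the file's imports are outside the hunk, so confirm `errors` is available). The constant block would also benefit from a comment such as `// jsonLimit bounds the bytes read for one JSON archive entry so a crafted archive cannot exhaust memory during import.`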
@ -3,12 +3,14 @@
|
||||
%global version_suffix k3s1
|
||||
Version: 1.6.6
|
||||
Name: k3s-containerd
|
||||
Release: 4
|
||||
Release: 5
|
||||
Summary: An industry-standard container runtime
|
||||
License: Apache-2.0
|
||||
URL: https://github.com/k3s-io/containerd
|
||||
Source0: https://github.com/k3s-io/containerd/archive/refs/tags/v%{version}-%{version_suffix}.tar.gz
|
||||
|
||||
Patch0001: 0001-Fix-CVE-2023-25153.patch
|
||||
|
||||
BuildRequires: golang glibc-static make btrfs-progs-devel
|
||||
|
||||
%description
|
||||
@ -19,7 +21,7 @@ system: image transfer and storage, container execution and supervision,
|
||||
low-level storage and network attachments, etc.
|
||||
|
||||
%prep
|
||||
%autosetup -n containerd-%{version}-%{version_suffix}
|
||||
%autosetup -p1 -n containerd-%{version}-%{version_suffix}
|
||||
|
||||
%build
|
||||
mkdir -p k3s-containerd/bin
|
||||
@ -68,6 +70,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Mar 13 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-5
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2023-25153
|
||||
|
||||
* Fri Mar 03 2023 wangkai <wangkai385@h-partners.com> - 1.6.6-k3s1-4
|
||||
- Add PIE,BIND_NOW,RELRO secure compilation options
|
||||
|
||||
|
||||
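Review bot: The new changelog entry records `- Type:bugfix` and `- CVE:NA` while its own description says `fix CVE-2023-25153`, so anything that reads the structured fields to track which releases carry a CVE fix will presumably miss release 5. Assuming the `CVE:` field is meant to hold the identifier, it should read `- CVE:CVE-2023-25153`, with the type set to whatever value the packaging convention uses for security fixes. The switch to `%autosetup -p1` is consistent with the `a/` and `b/` path prefixes in the added patch, so the patch should apply at that strip level.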