Fix CVE-2023-0778
(cherry picked from commit 63a1ebe042e43ea44b195948a3bdc182b485ad01)
This commit is contained in:
parent
bbfa6b3897
commit
227c41f83f
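--- a/0005-Fix-CVE-2023-0778.patch
+++ b/0005-Fix-CVE-2023-0778.patch
@@ -0,0 +1,86 @@
+From 0abe1acdd56bfe8b871337c7ceb8151b9c205f66 Mon Sep 17 00:00:00 2001
+From: duyiwei <duyiwei@kylinos.cn>
+Date: Thu, 16 Jan 2025 16:20:52 +0800
+Subject: [PATCH] Fix CVE-2023-0778
+
+Signed-off-by: duyiwei <duyiwei@kylinos.cn>
+---
+libpod/container_internal.go | 4 ++--
+utils/utils.go | 25 ++++++++++++++++++++++++-
+2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/container_internal.go b/libpod/container_internal.go
+index c6809ad..bac0af0 100644
+--- a/libpod/container_internal.go
++++ b/libpod/container_internal.go
+@@ -26,7 +26,7 @@ import (
+"github.com/containers/podman/v3/pkg/selinux"
+"github.com/containers/podman/v3/pkg/util"
+"github.com/containers/storage"
+- "github.com/containers/storage/pkg/archive"
++ "github.com/containers/storage/pkg/chrootarchive"
+"github.com/containers/storage/pkg/idtools"
+"github.com/containers/storage/pkg/mount"
+"github.com/coreos/go-systemd/v22/daemon"
+@@ -792,7 +792,7 @@ func (c *Container) export(path string) error {
+}()
+}
+
+- input, err := archive.Tar(mountPoint, archive.Uncompressed)
++ input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
+if err != nil {
+return errors.Wrapf(err, "error reading container directory %q", c.ID())
+}
+diff --git a/utils/utils.go b/utils/utils.go
+index f2e7bee..147f97a 100644
+--- a/utils/utils.go
++++ b/utils/utils.go
+@@ -15,6 +15,7 @@ import (
+"github.com/containers/podman/v3/libpod/define"
+"github.com/containers/podman/v3/pkg/cgroups"
+"github.com/containers/storage/pkg/archive"
++ "github.com/containers/storage/pkg/chrootarchive"
+"github.com/godbus/dbus/v5"
+"github.com/pkg/errors"
+"github.com/sirupsen/logrus"
+@@ -119,7 +120,7 @@ func CreateTarFromSrc(source string, dest string) error {
+return errors.Wrapf(err, "Could not create tarball file '%s'", dest)
+}
+defer file.Close()
+- return TarToFilesystem(source, file)
++ return TarChrootToFilesystem(source, file)
+}
+
+// TarToFilesystem creates a tarball from source and writes to an os.file
+@@ -143,6 +144,28 @@ func Tar(source string) (io.ReadCloser, error) {
+return archive.Tar(source, archive.Uncompressed)
+}
+
++// TarChrootToFilesystem creates a tarball from source and writes to an os.file
++// provided while chrooted to the source.
++func TarChrootToFilesystem(source string, tarball *os.File) error {
++ tb, err := TarWithChroot(source)
++ if err != nil {
++ return err
++ }
++ _, err = io.Copy(tarball, tb)
++ if err != nil {
++ return err
++ }
++ logrus.Debugf("wrote tarball file %s", tarball.Name())
++ return nil
++}
++
++// TarWithChroot creates a tarball from source and returns a readcloser of it
++// while chrooted to the source.
++func TarWithChroot(source string) (io.ReadCloser, error) {
++ logrus.Debugf("creating tarball of %s", source)
++ return chrootarchive.Tar(source, nil, source)
++}
++
+// RemoveScientificNotationFromFloat returns a float without any
+// scientific notation if the number has any.
+// golang does not handle conversion of float64s that have scientific
+--
+2.33.0
+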
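Review bot: In the utils.go `@@ -143,6 +144,28 @@` hunk, `TarChrootToFilesystem` never closes the `io.ReadCloser` that `TarWithChroot` returns, so the reader (and whatever the chrootarchive implementation keeps open behind it, which is not visible here) is leaked on both the `io.Copy` error path and the success path; add `defer tb.Close()` immediately after the `if err != nil { return err }` that follows the `TarWithChroot` call. The `io.Copy` error is also returned bare while the rest of the file wraps with `errors.Wrapf`; `return errors.Wrapf(err, "error writing tarball of %q to %q", source, tarball.Name())` would keep the file's error style and tell an operator which export failed. The pre-existing `Tar` helper visible as context still returns `archive.Tar(source, archive.Uncompressed)` and `TarToFilesystem` is left in place, so only `CreateTarFromSrc` and `Container.export` move to the chrooted path; it is worth confirming that no other in-tree caller tars a container rootfs through those untouched helpers, or documenting on them that they are only safe for trusted, symlink-free sources.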
@ -2,7 +2,7 @@
Name: podman
Version: 3.4.4
Release: 5
Release: 6
Summary: A daemonless container engine for managing Containers
Epoch: 1
License: ASL 2.0
@ -25,6 +25,7 @@ Patch1: 0001-Fix-the-invalid-memory-address-reference.patch
Patch2: 0002-add-openEuler-hardened-ld.patch
Patch3: 0003-CVE-2022-32149.patch
Patch4: 0004-fix-CVE-2024-37298.patch
Patch5: 0005-Fix-CVE-2023-0778.patch
%description
Podman manages the entire container ecosystem which includes pods,
@ -115,6 +116,7 @@ tar -xf %{SOURCE4}
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@ -285,6 +287,9 @@ done
%{_libexecdir}/%{name}/gvproxy
%changelog
* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-6
- Fix CVE-2023-0778
* Mon Jan 13 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-5
- Fix CVE-2024-37298