fix cve 2022-27649

(cherry picked from commit 4e6e04b214542f793218c78a8328d7731de1eb50)
2025-01-17 01:43:01 +08:00 · 2025-01-17 01:43:01 +08:00 · 351785158b
commit 351785158b
parent f4d2d0b65a
2 changed files with 102 additions and 1 deletions
--- a/0007-fix-cve-2022-27649.patch
+++ b/0007-fix-cve-2022-27649.patch
@ -0,0 +1,96 @@
+From 0cd2fb0a45d863075658f3c7bbdeaa8338390fdf Mon Sep 17 00:00:00 2001
+From: duyiwei <duyiwei@kylinos.cn>
+Date: Fri, 17 Jan 2025 01:32:57 +0800
+Subject: [PATCH] fix cve 2022-27649
+
+Signed-off-by: duyiwei <duyiwei@kylinos.cn>
+---
+ libpod/oci_conmon_exec_linux.go  | 7 +++++--
+ pkg/specgen/generate/security.go | 8 ++++++--
+ test/e2e/run_test.go             | 4 ++--
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
+index 553c918..5be8144 100644
+--- a/libpod/oci_conmon_exec_linux.go
+++ b/libpod/oci_conmon_exec_linux.go
+@@ -757,11 +757,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
+ 	} else {
+ 		pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
+ 	}
+
+	// Always unset the inheritable capabilities similarly to what the Linux kernel does
+	// They are used only when using capabilities with uid != 0.
+	pspec.Capabilities.Inheritable = []string{}
+
+ 	if execUser.Uid == 0 {
+ 		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+-		pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ 		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+-		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ 	} else {
+ 		if user == c.config.User {
+ 			pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
+diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
+index a12cc09..1c43fb7 100644
+--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
+@@ -146,6 +146,11 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 
+ 	configSpec := g.Config
+ 	configSpec.Process.Capabilities.Ambient = []string{}
+
+	// Always unset the inheritable capabilities similarly to what the Linux kernel does
+	// They are used only when using capabilities with uid != 0.
+	configSpec.Process.Capabilities.Inheritable = []string{}
+
+ 	configSpec.Process.Capabilities.Bounding = caplist
+ 
+ 	user := strings.Split(s.User, ":")[0]
+@@ -153,7 +158,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
+ 		configSpec.Process.Capabilities.Effective = caplist
+ 		configSpec.Process.Capabilities.Permitted = caplist
+-		configSpec.Process.Capabilities.Inheritable = caplist
+ 	} else {
+ 		mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ 		if err != nil {
+@@ -175,12 +179,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 		}
+ 		configSpec.Process.Capabilities.Effective = userCaps
+ 		configSpec.Process.Capabilities.Permitted = userCaps
+-		configSpec.Process.Capabilities.Inheritable = userCaps
+ 
+ 		// Ambient capabilities were added to Linux 4.3.  Set ambient
+ 		// capabilities only when the kernel supports them.
+ 		if supportAmbientCapabilities() {
+ 			configSpec.Process.Capabilities.Ambient = userCaps
+			configSpec.Process.Capabilities.Inheritable = userCaps
+ 		}
+ 	}
+ 
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index 3385f9d..e675025 100644
+--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
+@@ -454,7 +454,7 @@ var _ = Describe("Podman run", func() {
+ 		session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session).Should(Exit(0))
+-		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ 
+ 		session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+@@ -489,7 +489,7 @@ var _ = Describe("Podman run", func() {
+ 		session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ 		session.WaitWithDefaultTimeout()
+ 		Expect(session).Should(Exit(0))
+-		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ 
+ 		if os.Geteuid() > 0 {
+ 			if os.Getenv("SKIP_USERNS") != "" {
+-- 
+2.33.0
+
--- a/podman.spec
+++ b/podman.spec
@ -2,7 +2,7 @@

 Name:          podman
 Version:       3.4.4
-Release:       7
+Release:       8
 Summary:       A daemonless container engine for managing Containers
 Epoch:         1
 License:       ASL 2.0
@ -27,6 +27,7 @@ Patch3:   0003-CVE-2022-32149.patch
 Patch4:   0004-fix-CVE-2024-37298.patch
 Patch5:   0005-Fix-CVE-2023-0778.patch
 Patch6:   0006-fix-cve-2022-2989.patch
+Patch7:   0007-fix-cve-2022-27649.patch

 %description
 Podman manages the entire container ecosystem which includes pods,
@ -119,6 +120,7 @@ tar -xf %{SOURCE4}
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1

 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@ -289,6 +291,9 @@ done
 %{_libexecdir}/%{name}/gvproxy

 %changelog
+* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-8
+- fix cve 2022-27649
+
 * Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-7
 - fix cve-2022-2989