fix cve-2022-2989
(cherry picked from commit 16eb8f107b75feaa37d8c7c04145e5402d7512c8)
This commit is contained in:
parent
a2ef3e41f9
commit
45af180ab2
84
0006-fix-cve-2022-2989.patch
Normal file
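--- /dev/null
+++ b/0006-fix-cve-2022-2989.patch
@@ -0,0 +1,84 @@
+From e7a00c6c91e4bbf6770eb3773b50f3d080083116 Mon Sep 17 00:00:00 2001
+From: duyiwei <duyiwei@kylinos.cn>
+Date: Thu, 16 Jan 2025 23:44:57 +0800
+Subject: [PATCH] fix cve-2022-2989
+
+Signed-off-by: duyiwei <duyiwei@kylinos.cn>
+---
+libpod/container_internal_linux.go | 1 +
+pkg/specgen/namespaces.go | 1 +
+test/e2e/run_test.go | 14 +++++++++++---
+3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
+index eb05ca4..5c82972 100644
+--- a/libpod/container_internal_linux.go
++++ b/libpod/container_internal_linux.go
+@@ -500,6 +500,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+// User and Group must go together
+g.SetProcessUID(uint32(execUser.Uid))
+g.SetProcessGID(uint32(execUser.Gid))
++ g.AddProcessAdditionalGid(uint32(execUser.Gid))
+}
+ 
+if c.config.Umask != "" {
+diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
+index 2f4c488..ad7fb90 100644
+--- a/pkg/specgen/namespaces.go
++++ b/pkg/specgen/namespaces.go
+@@ -363,6 +363,7 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
+idmappings = mappings
+g.SetProcessUID(uint32(uid))
+g.SetProcessGID(uint32(gid))
++ g.AddProcessAdditionalGid(uint32(gid))
+user = fmt.Sprintf("%d:%d", uid, gid)
+fallthrough
+case Private:
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index e21b1dc..3385f9d 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -848,7 +848,7 @@ USER bin`, BB)
+session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"})
+session.WaitWithDefaultTimeout()
+Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)"))
++ Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)"))
+})
+ 
+It("podman run with user (integer, in /etc/passwd)", func() {
+@@ -869,14 +869,14 @@ USER bin`, BB)
+session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"})
+session.WaitWithDefaultTimeout()
+Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
++ Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+})
+ 
+It("podman run with user:group (integer:groupname)", func() {
+session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"})
+session.WaitWithDefaultTimeout()
+Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
++ Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+})
+ 
+It("podman run with user, verify caps dropped", func() {
+@@ -887,6 +887,14 @@ USER bin`, BB)
+Expect("0000000000000000").To(Equal(capEff[1]))
+})
+ 
++ It("podman run with user, verify group added", func() {
++ session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
++ session.WaitWithDefaultTimeout()
++ Expect(session).Should(Exit(0))
++ groups := strings.Split(session.OutputToString(), " ")[1]
++ Expect("1000").To(Equal(groups))
++ })
++
+It("podman run with attach stdin outputs container ID", func() {
+session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
+session.WaitWithDefaultTimeout()
+--
+2.33.0
+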
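Review bot: The added `g.AddProcessAdditionalGid(uint32(execUser.Gid))` in the generateSpec hunk of libpod/container_internal_linux.go carries no comment saying why the primary GID is also pushed into the supplementary list, and the identical line in the SetupUserNS hunk of pkg/specgen/namespaces.go has the same gap. The only record of the intended effect is the e2e expectation change in the same patch (`id` now reporting `groups=0(root)` / `groups=21(ftp)`, and the new check that `Groups:` in /proc/self/status reads `1000`), so a later cleanup could plausibly drop the line as redundant with SetProcessGID. Suggest placing above each of the two lines: `// Always list the primary GID as a supplementary group so the process's group set is explicitly populated rather than left empty (CVE-2022-2989).` The new e2e test also relies on `strings` already being imported in run_test.go, which the patch does not add; presumably it is, but worth confirming on the backport target. Both enclosing functions start and end outside their hunks.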
@ -2,7 +2,7 @@
|
||||
|
||||
Name: podman
|
||||
Version: 3.4.4
|
||||
Release: 6
|
||||
Release: 7
|
||||
Summary: A daemonless container engine for managing Containers
|
||||
Epoch: 1
|
||||
License: ASL 2.0
|
||||
@ -26,6 +26,7 @@ Patch2: 0002-add-openEuler-hardened-ld.patch
|
||||
Patch3: 0003-CVE-2022-32149.patch
|
||||
Patch4: 0004-fix-CVE-2024-37298.patch
|
||||
Patch5: 0005-Fix-CVE-2023-0778.patch
|
||||
Patch6: 0006-fix-cve-2022-2989.patch
|
||||
|
||||
%description
|
||||
Podman manages the entire container ecosystem which includes pods,
|
||||
@ -117,6 +118,7 @@ tar -xf %{SOURCE4}
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
%build
|
||||
GO_MD2MAN_PATH="$(pwd)%{_bindir}"
|
||||
@ -287,6 +289,9 @@ done
|
||||
%{_libexecdir}/%{name}/gvproxy
|
||||
|
||||
%changelog
|
||||
* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-7
|
||||
- fix cve-2022-2989
|
||||
|
||||
* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-6
|
||||
- Fix CVE-2023-0778
|
||||
|
||||
|
||||