From 0abe1acdd56bfe8b871337c7ceb8151b9c205f66 Mon Sep 17 00:00:00 2001
|
|
From: duyiwei <duyiwei@kylinos.cn>
|
|
Date: Thu, 16 Jan 2025 16:20:52 +0800
|
|
Subject: [PATCH] Fix CVE-2023-0778
|
|
|
|
Signed-off-by: duyiwei <duyiwei@kylinos.cn>
|
|
---
|
|
libpod/container_internal.go | 4 ++--
|
|
utils/utils.go | 25 ++++++++++++++++++++++++-
|
|
2 files changed, 26 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
|
|
index c6809ad..bac0af0 100644
|
|
--- a/libpod/container_internal.go
|
|
+++ b/libpod/container_internal.go
|
|
@@ -26,7 +26,7 @@ import (
|
|
"github.com/containers/podman/v3/pkg/selinux"
|
|
"github.com/containers/podman/v3/pkg/util"
|
|
"github.com/containers/storage"
|
|
- "github.com/containers/storage/pkg/archive"
|
|
+ "github.com/containers/storage/pkg/chrootarchive"
|
|
"github.com/containers/storage/pkg/idtools"
|
|
"github.com/containers/storage/pkg/mount"
|
|
"github.com/coreos/go-systemd/v22/daemon"
|
|
@@ -792,7 +792,7 @@ func (c *Container) export(path string) error {
|
|
}()
|
|
}
|
|
|
|
- input, err := archive.Tar(mountPoint, archive.Uncompressed)
|
|
+ input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "error reading container directory %q", c.ID())
|
|
}
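Review bot: The new `chrootarchive.Tar(mountPoint, nil, mountPoint)` call in `export` has no comment explaining why the archive is built under a chroot, so a later cleanup could swap it back to `archive.Tar` without noticing the security reason. I would add above it `// Build the tar inside a chroot at mountPoint so a path swapped for a symlink during export cannot resolve outside the container rootfs (CVE-2023-0778).` Passing `nil` options also drops the explicit `archive.Uncompressed`. This presumably relies on nil or zero-value options meaning uncompressed, which is worth confirming against the vendored containers/storage version. The body of `export` starts and ends outside this hunk.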
|
|
diff --git a/utils/utils.go b/utils/utils.go
|
|
index f2e7bee..147f97a 100644
|
|
--- a/utils/utils.go
|
|
+++ b/utils/utils.go
|
|
@@ -15,6 +15,7 @@ import (
|
|
"github.com/containers/podman/v3/libpod/define"
|
|
"github.com/containers/podman/v3/pkg/cgroups"
|
|
"github.com/containers/storage/pkg/archive"
|
|
+ "github.com/containers/storage/pkg/chrootarchive"
|
|
"github.com/godbus/dbus/v5"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
@@ -119,7 +120,7 @@ func CreateTarFromSrc(source string, dest string) error {
|
|
return errors.Wrapf(err, "Could not create tarball file '%s'", dest)
|
|
}
|
|
defer file.Close()
|
|
- return TarToFilesystem(source, file)
|
|
+ return TarChrootToFilesystem(source, file)
|
|
}
|
|
|
|
// TarToFilesystem creates a tarball from source and writes to an os.file
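Review bot: `CreateTarFromSrc` now uses the chrooted helper, but `TarToFilesystem` (its doc comment is the trailing context of this hunk) and `Tar` stay exported. `Tar` still calls `archive.Tar(source, archive.Uncompressed)` with no chroot, and `TarToFilesystem` presumably builds on it. The visible hunks do not show whether other callers archive a container- or volume-controlled tree through these two; a search for both names would settle it. At minimum I would add to the doc comment `// It does not chroot into source; use TarChrootToFilesystem when the contents of source are not trusted.`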
|
|
@@ -143,6 +144,28 @@ func Tar(source string) (io.ReadCloser, error) {
|
|
return archive.Tar(source, archive.Uncompressed)
|
|
}
|
|
|
|
+// TarChrootToFilesystem creates a tarball from source and writes to an os.file
|
|
+// provided while chrooted to the source.
|
|
+func TarChrootToFilesystem(source string, tarball *os.File) error {
|
|
+ tb, err := TarWithChroot(source)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ _, err = io.Copy(tarball, tb)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ logrus.Debugf("wrote tarball file %s", tarball.Name())
|
|
+ return nil
|
|
+}
|
|
+
|
|
+// TarWithChroot creates a tarball from source and returns a readcloser of it
|
|
+// while chrooted to the source.
|
|
+func TarWithChroot(source string) (io.ReadCloser, error) {
|
|
+ logrus.Debugf("creating tarball of %s", source)
|
|
+ return chrootarchive.Tar(source, nil, source)
|
|
+}
|
|
+
|
|
// RemoveScientificNotationFromFloat returns a float without any
|
|
// scientific notation if the number has any.
|
|
// golang does not handle conversion of float64s that have scientific
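Review bot: `TarChrootToFilesystem` never closes the `io.ReadCloser` returned by `TarWithChroot`, on either the success path or the `io.Copy` error path. With `chrootarchive` the reader is likely backed by a helper process and a pipe, so leaving it open may keep those resources alive longer than needed. Add `defer tb.Close()` directly after the first `if err != nil` check. Both error returns are also bare; wrapping the copy failure as `return errors.Wrapf(err, "error writing tarball %q", tarball.Name())` would give the caller the same context `CreateTarFromSrc` provides for the create step. The doc comments could also say why the chroot matters (symlinks inside `source` must not resolve to host paths), not only that it happens.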
|
|
--
|
|
2.33.0
|
|
|