runc:fix CVE-2024-3154

Signed-off-by: zhongjiawei <zhongjiawei1@huawei.com>
2024-05-24 09:48:28 +08:00 · 2024-05-24 09:48:28 +08:00 · 704dfccbbf
commit 704dfccbbf
parent bbb0d4fc66
4 changed files with 59 additions and 2 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-df767bfac9eec2ce7b635757f676ecb5b11ec195
+e27527223df4f2a031d5f63e59baacb6106164d7
--- a/patch/0053-runc-fix-CVE-2024-3154.patch
+++ b/patch/0053-runc-fix-CVE-2024-3154.patch
@ -0,0 +1,50 @@
+From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Sat, 9 Mar 2024 21:30:56 +0900
+Subject: [PATCH] features: implement returning
+ potentiallyUnsafeConfigAnnotations list
+
+See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ features.go                | 5 +++++
+ types/features/features.go | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/features.go b/features.go
+index c9cd15c..7f76e7a 100644
+--- a/features.go
+++ b/features.go
+@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
+ 					Enabled: &tru,
+ 				},
+ 			},
+			PotentiallyUnsafeConfigAnnotations: []string{
+				"bundle",
+				"org.systemd.property.", // prefix form
+				"org.criu.config",
+			},
+ 		}
+ 
+ 		if seccomp.Enabled {
+diff --git a/types/features/features.go b/types/features/features.go
+index c6269ca..8b467f7 100644
+--- a/types/features/features.go
+++ b/types/features/features.go
+@@ -25,6 +25,12 @@ type Features struct {
+ 	// Annotations contains implementation-specific annotation strings,
+ 	// such as the implementation version, and third-party extensions.
+ 	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
+	// that may appear in `config.json`.
+	//
+	// A value that ends with "." is interpreted as a prefix of annotations.
+	PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
+ }
+ 
+ // Linux is specific to Linux.
+-- 
+2.33.0
+
--- a/runc.spec
+++ b/runc.spec
@ -3,7 +3,7 @@

 Name: runc
 Version: 1.1.3
-Release: 24
+Release: 26
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Fri May 24 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-26
+- Type:CVE
+- CVE:CVE-2024-3154
+- SUG:NA
+- DESC:fix CVE-2024-3154
+
 * Tue Feb 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-25
 - Type:bugfix
 - CVE:NA
--- a/series.conf
+++ b/series.conf
@ -50,3 +50,4 @@ patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch
 patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0051-runc-fix-CVE-2024-21626.patch
 patch/0052-runc-check-cmd-exist.patch
+patch/0053-runc-fix-CVE-2024-3154.patch