Patch cri-o for CVE-2023-6476 & CVE-2023-0778 #12047

Draft: wants to merge 1 commit into base: fasttrack/2.0
54 changes: 54 additions & 0 deletions SPECS/cri-o/CVE-2023-0778.patch
@@ -0,0 +1,54 @@
Modified Patch to apply only for container export. The utils.go file
does not have the volume export code in the vendored podman version.
Modified by: Sumedh Sharma <[email protected]>

From 6ca857feb07a5fdc96fd947afef03916291673d8 Mon Sep 17 00:00:00 2001
From: Aditya R <[email protected]>
Date: Fri, 10 Feb 2023 15:16:27 +0530
Subject: [PATCH] volume,container: chroot to source before exporting content

* Utils must support higher level API to create Tar with chrooted into
directory
* Volume export: use TarwithChroot instead of Tar so we can make sure no
symlink can be exported by tar if it exists outside of the source
directory.
* container export: use chroot and Tar instead of Tar so we can make sure no
symlink can be exported by tar if it exists outside of the mointPoint.

[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Race needs combination of external/in-container mechanism which is hard to repro in CI.

Closes: BZ:#2168256
CVE: https://access.redhat.com/security/cve/CVE-2023-0778

Signed-off-by: Aditya R <[email protected]>
---
.../containers/podman/v3/libpod/container_internal.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vendor/github.com/containers/podman/v3/libpod/container_internal.go b/vendor/github.com/containers/podman/v3/libpod/container_internal.go
index 8ffcccf..42cb682 100644
--- a/vendor/github.com/containers/podman/v3/libpod/container_internal.go
+++ b/vendor/github.com/containers/podman/v3/libpod/container_internal.go
@@ -26,7 +26,7 @@ import (
"github.com/containers/podman/v3/pkg/selinux"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage"
- "github.com/containers/storage/pkg/archive"
+ "github.com/containers/storage/pkg/chrootarchive"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/mount"
"github.com/coreos/go-systemd/v22/daemon"
@@ -757,7 +757,7 @@ func (c *Container) export(path string) error {
}()
}

- input, err := archive.Tar(mountPoint, archive.Uncompressed)
+ input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
if err != nil {
return errors.Wrapf(err, "error reading container directory %q", c.ID())
}
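Review bot: the replacement call drops the explicit compression argument: `archive.Tar(mountPoint, archive.Uncompressed)` becomes `chrootarchive.Tar(mountPoint, nil, mountPoint)`, so the uncompressed output now relies on the zero value of `archive.TarOptions.Compression` being `archive.Uncompressed` (which it is in containers/storage, and `chrootarchive.Tar` substitutes an empty options struct for a nil pointer); if the intent should stay visible, pass `&archive.TarOptions{Compression: archive.Uncompressed}` instead of `nil`, at the cost of keeping the `archive` import. Passing `mountPoint` as both source and chroot root is what closes the hole: paths are resolved inside the container's mounted root, so a symlink placed in the container that points outside the mount can no longer pull host files into the export. Because the import hunk above removes `archive`, also confirm no other `archive.` reference remains in this file, since only the import swap is visible here.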
--
2.25.1
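Review bot: the commit message body still describes the full upstream change (the `TarwithChroot` utils helper and the volume-export switch) even though the leading "Modified Patch" note says only the container-export hunk was kept; the diffstat (`1 file changed, 2 insertions(+), 2 deletions(-)`) already matches the trimmed patch, so trim the first two bullets of the subject body to match, or state in the "Modified Patch" note which bullets no longer apply, so the next person rebasing this patch does not go looking for missing hunks.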

32 changes: 32 additions & 0 deletions SPECS/cri-o/CVE-2023-6476.patch
@@ -0,0 +1,32 @@
From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
From: Peter Hunt <[email protected]>
Date: Thu, 7 Dec 2023 16:07:12 -0500
Subject: [PATCH] allowed annotations: correctly filter prefixed annotations

without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names.
The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
change the resources of the pod, potentially leading to OOM.

Fixes CVE-2023-6476

Signed-off-by: Peter Hunt <[email protected]>
---
internal/oci/oci.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/oci/oci.go b/internal/oci/oci.go
index 89ecfb2..b56b6d9 100644
--- a/internal/oci/oci.go
+++ b/internal/oci/oci.go
@@ -216,7 +216,7 @@ func (r *Runtime) FilterDisallowedAnnotations(handler string, annotations map[st
for ann := range annotations {
for _, disallowed := range rh.DisallowedAnnotations {
if strings.HasPrefix(ann, disallowed) {
- delete(annotations, disallowed)
+ delete(annotations, ann)
}
}
}
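Review bot: the one-word change is the whole fix: `delete(annotations, disallowed)` removed the disallowed prefix string as a key, which never matches when the offending annotation is a longer key that merely starts with that prefix, so prefixed annotations such as the `io.kubernetes.cri-o.UnifiedCgroup` family named in the commit message survived filtering; `delete(annotations, ann)` removes the key that actually matched `strings.HasPrefix`. Deleting the current key inside `for ann := range annotations` is permitted by the Go spec, so no copy of the map is needed. Minor tidy-up: once `ann` is deleted, a `break` out of the inner loop over `rh.DisallowedAnnotations` avoids re-checking an already removed key; the repeated deletes are harmless but wasteful.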
--
2.25.1

7 changes: 6 additions & 1 deletion SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
# Define macros for further referenced sources
Name: cri-o
Version: 1.22.3
Release: 9%{?dist}
Release: 10%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -71,6 +71,8 @@ Patch15: CVE-2022-32149.patch
Patch16: CVE-2022-4318.patch
Patch17: CVE-2024-9341.patch
Patch18: CVE-2024-45338.patch
Patch19: CVE-2023-0778.patch
Patch20: CVE-2023-6476.patch
BuildRequires: btrfs-progs-devel
BuildRequires: device-mapper-devel
BuildRequires: fdupes
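Review bot: Patch19 (`CVE-2023-0778.patch`) modifies `vendor/github.com/containers/podman/v3/libpod/container_internal.go`, so it only applies if %prep unpacks the vendored sources before the patch series is applied; the 1.22.3-9 changelog entry ("Apply patch after extracting the vendor sources") suggests that ordering is already in place, but %prep is not part of this diff, so confirm Patch19 is in the set applied after vendor extraction rather than with the main source. Numbering the two new patches after the existing CVE-2024 entries is fine for sequential application.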
@@ -223,6 +225,9 @@ mkdir -p /opt/cni/bin
%{_fillupdir}/sysconfig.kubelet

%changelog
* Thu Jan 23 2025 Sumedh Sharma <[email protected]> - 1.22.3-10
- Add patch for CVE-2023-0778 & CVE-2023-6476.

* Mon Jan 06 2025 Sumedh Sharma <[email protected]> - 1.22.3-9
- Apply patch after extracting the vendor sources.
- Fix patches with compilation errors.