From 2f60e8bdf7a13b8d313e6f67cddb1e56e2dde5d1 Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Wed, 19 Mar 2025 10:38:20 +0800 Subject: [PATCH] fix-CVE-2024-40635 --- containerd.spec | 8 +- .../0113-containerd-fix-CVE-2024-40635.patch | 73 +++++++++++++++++++ series.conf | 1 + 3 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 patch/0113-containerd-fix-CVE-2024-40635.patch diff --git a/containerd.spec b/containerd.spec index 32a976c..2919a8d 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.2.0 Name: containerd -Release: 218 +Release: 219 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -44,6 +44,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr %{_bindir}/ctr %changelog +* Wed Mar 19 2025 dongyuzhen - 1.2.0-219 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2024-40635 + * Mon Mar 4 2024 Lu Jingxiao - 1.2.0-218 - Type:bugfix - ID:NA diff --git a/patch/0113-containerd-fix-CVE-2024-40635.patch b/patch/0113-containerd-fix-CVE-2024-40635.patch new file mode 100644 index 0000000..8b1eb89 --- /dev/null +++ b/patch/0113-containerd-fix-CVE-2024-40635.patch @@ -0,0 +1,73 @@ +From 9639b9625554183d0c4d8d072dccb84fedd2320f Mon Sep 17 00:00:00 2001 +From: Craig Ingram +Date: Fri, 7 Mar 2025 13:27:58 +0000 +Subject: [PATCH] validate uid/gid + +Signed-off-by: Craig Ingram +--- + oci/spec_opts.go | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/oci/spec_opts.go b/oci/spec_opts.go +index 718c482..2101642 100644 +--- a/oci/spec_opts.go ++++ b/oci/spec_opts.go +@@ -20,6 +20,7 @@ import ( + "context" + "encoding/json" + "fmt" ++ "math" + "io/ioutil" + "os" + "path/filepath" +@@ -473,6 +474,20 @@ func WithUser(userstr string) SpecOpts { + defer ensureAdditionalGids(s) + setProcess(s) + s.Process.User.AdditionalGids = nil ++ // While the Linux kernel allows the max UID to be MaxUint32 - 2, ++ // and the OCI Runtime Spec has no definition about the max UID, ++ // the runc implementation is known to require the UID to be <= MaxInt32. ++ // ++ // containerd follows runc's limitation here. ++ // ++ // In future we may relax this limitation to allow MaxUint32 - 2, ++ // or, amend the OCI Runtime Spec to codify the implementation limitation. ++ const ( ++ minUserID = 0 ++ maxUserID = math.MaxInt32 ++ minGroupID = 0 ++ maxGroupID = math.MaxInt32 ++ ) + + // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't + // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the +@@ -489,8 +504,8 @@ func WithUser(userstr string) SpecOpts { + switch len(parts) { + case 1: + v, err := strconv.Atoi(parts[0]) +- if err != nil { +- // if we cannot parse as a uint they try to see if it is a username ++ if err != nil || v < minUserID || v > maxUserID { ++ // if we cannot parse as an int32 then try to see if it is a username + return WithUsername(userstr)(ctx, client, c, s) + } + return WithUserID(uint32(v))(ctx, client, c, s) +@@ -501,12 +516,13 @@ func WithUser(userstr string) SpecOpts { + ) + var uid, gid uint32 + v, err := strconv.Atoi(parts[0]) +- if err != nil { ++ if err != nil || v < minUserID || v > maxUserID { + username = parts[0] + } else { + uid = uint32(v) + } +- if v, err = strconv.Atoi(parts[1]); err != nil { ++ v, err = strconv.Atoi(parts[1]) ++ if err != nil || v < minGroupID || v > maxGroupID { + groupname = parts[1] + } else { + gid = uint32(v) +-- +2.43.0 + diff --git a/series.conf b/series.conf index c06335f..8962098 100644 --- a/series.conf +++ b/series.conf @@ -114,3 +114,4 @@ patch/0109-containerd-Backport-net-http-regenerate-h2_bundle.go.patch patch/0110-containerd-update-vendored-golang.org-x-net.patch patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch +patch/0113-containerd-fix-CVE-2024-40635.patch -- Gitee