From 0af747cd90e0a6d08f98795099e9be2848940f88 Mon Sep 17 00:00:00 2001
From: Vanient
Date: Tue, 10 May 2022 20:38:48 +0800
Subject: [PATCH] containerd:Use fs.RootPath when mounting volumes

Use fs.RootPath when mounting volumes for bundle dir to fix CVE-2022-23648

Signed-off-by: Vanient
---
 containerd.spec | 8 +++-
 git-commit | 2 +-
 ...erd-Use-fs.RootPath-when-mounting-vo.patch | 40 +++++++++++++++++++
 series.conf | 1 +
 4 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch

diff --git a/containerd.spec b/containerd.spec
index 6f7e08a..b2087d1 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 300
+Release: 301
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -52,6 +52,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim
 
 %changelog
+* Tue May 10 2022 Vanient - 1.2.0-301
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Use fs.RootPath when mounting volumes for bundle dir to fix CVE-2022-23648
+
 * Sat Jan 22 2022 songyanting - 1.2.0-300
 - Type:bugfix
 - ID:NA
diff --git a/git-commit b/git-commit
index cbf866b..7a61d60 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-f9c6fe2f3c5ccd74691119b99dbf59096aa14249
+188e768fc5b6e679728ee1e7033e481b238b4665
diff --git a/patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch b/patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
new file mode 100644
index 0000000..130d407
--- /dev/null
+++ b/patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
@@ -0,0 +1,40 @@
+From 53c45a7abaea09e60e0175f192742c74d1be60e2 Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Thu, 31 Mar 2022 21:30:15 +0800
+Subject: [PATCH] containerd:Use fs.RootPath when mounting volumes
+
+fix CVE-2022-23648
+upstream:https://github.com/containerd/containerd/commit/3406af86394c2426ce7f55d5f52be2b79f456211
+
+Signed-off-by: Vanient
+---
+ .../containerd/cri/pkg/containerd/opts/container.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+index 7647c373c..2ea49b594 100644
+--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
++++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+@@ -20,7 +20,6 @@ import (
+ "context"
+ "io/ioutil"
+ "os"
+- "path/filepath"
+ 
+ "github.com/containerd/containerd"
+ "github.com/containerd/containerd/containers"
+@@ -88,7 +87,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
+ }()
+ 
+ for host, volume := range volumeMounts {
+- src := filepath.Join(root, volume)
++ src, err := fs.RootPath(root, volume)
++ if err != nil {
++ return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
++ }
+ if _, err := os.Stat(src); err != nil {
+ if os.IsNotExist(err) {
+ // Skip copying directory if it does not exist.
+--
+2.27.0
+
diff --git a/series.conf b/series.conf
index 2822212..5645ef4 100644
--- a/series.conf
+++ b/series.conf
@@ -88,4 +88,5 @@ patch/0080-containerd-improve-log-for-debugging.patch
 patch/0081-containerd-reduce-permissions-for-bundle-di.patch
 patch/0082-containerd-fix-publish-command-wait-block-for.patch
 patch/0083-containerd-optimize-cgo-compile-options.patch
+patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
 # end
-- Gitee
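Review bot: The new `fs.RootPath` call in `WithVolumes` carries no comment saying why `filepath.Join` was replaced, and that rationale is the entire substance of the fix; add `// Resolve volume inside root so a symlink in the image cannot escape the container rootfs (CVE-2022-23648).` above `src, err := fs.RootPath(root, volume)`. The import hunk drops `path/filepath` but no import of the `fs` package is visible here, so it presumably already exists further down the import block; it is worth confirming that the vendored `continuity/fs` in this 1.2.0 tree exports `RootPath` before relying on the build. `WithVolumes` continues outside the hunk: the visible `os.Stat(src)` already operates on the resolved path, and the copy step that follows must keep using `src` rather than rebuilding a path from `volume`, or the resolution is bypassed.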