diff --git a/containerd.spec b/containerd.spec
index 487ac7b1eecf8d821fb7fbc20f76907eb5ec6f76..afd5548b1fc76377aa379e101cf62cab9607564a 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 308
+Release: 309
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -55,6 +55,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Mon Feb 27 2023 zhongjiawei - 1.2.0-309
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2023-25153 and CVE-2023-25173
+
 * Thu Dec 16 2022 zhongjiawei - 1.2.0-308
 - Type:bugfix
 - ID:NA
diff --git a/git-commit b/git-commit
index 19b8a2e7dbfafe328f78d151c239c2dd6c7473fb..ea167eb886b6709c3b8b27a8a3b7ce11a6f25ec7 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-2fe372726b7fdec5320b179aadab1e8ad5c0b6eb
+d2dfb1444fe48c86b6bbb291358d5b3f581d3b82
diff --git a/patch/0095-oci-fix-additional-GIDs.patch b/patch/0095-oci-fix-additional-GIDs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5aa148dc5e5be33382fb521298776f92185c4b3f
--- /dev/null
+++ b/patch/0095-oci-fix-additional-GIDs.patch
@@ -0,0 +1,198 @@ +From f73de44a5b70c85458af955d74f45492ff07926a Mon Sep 17 00:00:00 2001 +From: Akihiro Suda +Date: Sat, 24 Dec 2022 20:09:04 +0900 +Subject: [PATCH] oci: fix additional GIDs + +Test suite: +```yaml + +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-no-option + annotations: + description: "Equivalent of `docker run` (no option)" +spec: + restartPolicy: Never + containers: + - name: main + image: ghcr.io/containerd/busybox:1.28 + args: ['sh', '-euxc', + '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]'] +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-group-add-1-group-add-1234 + annotations: + description: "Equivalent of `docker run --group-add 1 --group-add 1234`" +spec: + restartPolicy: Never + containers: + - name: main + image: ghcr.io/containerd/busybox:1.28 + args: ['sh', '-euxc', + '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]'] + securityContext: + supplementalGroups: [1, 1234] +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-user-1234 + annotations: + description: "Equivalent of `docker run --user 1234`" +spec: + restartPolicy: Never + containers: + - name: main + image: ghcr.io/containerd/busybox:1.28 + args: ['sh', '-euxc', + '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]'] + securityContext: + runAsUser: 1234 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-user-1234-1234 + annotations: + description: "Equivalent of `docker run --user 1234:1234`" +spec: + restartPolicy: Never + containers: + - name: main + image: ghcr.io/containerd/busybox:1.28 + args: ['sh', '-euxc', + '[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]'] + securityContext: + runAsUser: 1234 + runAsGroup: 1234 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-user-1234-group-add-1234 + annotations: + description: "Equivalent of `docker run --user 1234 --group-add 1234`" +spec: + restartPolicy: Never + containers: + - name: main + image: ghcr.io/containerd/busybox:1.28 + args: ['sh', 
'-euxc', + '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]'] + securityContext: + runAsUser: 1234 + supplementalGroups: [1234] +``` + +Signed-off-by: Akihiro Suda +Signed-off-by: zhongjiawei +--- + oci/spec_opts.go | 33 +++++++++++++++++++ + .../cri/pkg/server/container_create.go | 3 +- + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/oci/spec_opts.go b/oci/spec_opts.go +index 8b599f805..718c48246 100644 +--- a/oci/spec_opts.go ++++ b/oci/spec_opts.go +@@ -84,6 +84,17 @@ func setCapabilities(s *Spec) { + } + } + ++// ensureAdditionalGids ensures that the primary GID is also included in the additional GID list. ++func ensureAdditionalGids(s *Spec) { ++ setProcess(s) ++ for _, f := range s.Process.User.AdditionalGids { ++ if f == s.Process.User.GID { ++ return ++ } ++ } ++ s.Process.User.AdditionalGids = append([]uint32{s.Process.User.GID}, s.Process.User.AdditionalGids...) ++} ++ + // WithDefaultSpec returns a SpecOpts that will populate the spec with default + // values. + // +@@ -459,7 +470,21 @@ func WithNamespacedCgroup() SpecOpts { + // user, uid, user:group, uid:gid, uid:group, user:gid + func WithUser(userstr string) SpecOpts { + return func(ctx context.Context, client Client, c *containers.Container, s *Spec) error { ++ defer ensureAdditionalGids(s) + setProcess(s) ++ s.Process.User.AdditionalGids = nil ++ ++ // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't ++ // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the ++ // guest itself. To accommodate this, a spot to place the user string provided by a client as-is is needed. ++ // The `Username` field on the runtime spec is marked by Platform as only for Windows, and in this case it ++ // *is* being set on a Windows host at least, but will be used as a temporary holding spot until the guest ++ // can use the string to perform these same operations to grab the uid:gid inside. 
++ if s.Windows != nil && s.Linux != nil { ++ s.Process.User.Username = userstr ++ return nil ++ } ++ + parts := strings.Split(userstr, ":") + switch len(parts) { + case 1: +@@ -538,7 +563,9 @@ func WithUser(userstr string) SpecOpts { + // WithUIDGID allows the UID and GID for the Process to be set + func WithUIDGID(uid, gid uint32) SpecOpts { + return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error { ++ defer ensureAdditionalGids(s) + setProcess(s) ++ s.Process.User.AdditionalGids = nil + s.Process.User.UID = uid + s.Process.User.GID = gid + return nil +@@ -551,7 +578,9 @@ func WithUIDGID(uid, gid uint32) SpecOpts { + // additionally sets the gid to 0, and does not return an error. + func WithUserID(uid uint32) SpecOpts { + return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) { ++ defer ensureAdditionalGids(s) + setProcess(s) ++ s.Process.User.AdditionalGids = nil + if c.Snapshotter == "" && c.SnapshotKey == "" { + if !isRootfsAbs(s.Root.Path) { + return errors.Errorf("rootfs absolute path is required") +@@ -604,7 +633,9 @@ func WithUserID(uid uint32) SpecOpts { + // it returns error. 
+ func WithUsername(username string) SpecOpts { + return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) { ++ defer ensureAdditionalGids(s) + setProcess(s) ++ s.Process.User.AdditionalGids = nil + if s.Linux != nil { + if c.Snapshotter == "" && c.SnapshotKey == "" { + if !isRootfsAbs(s.Root.Path) { +@@ -659,7 +690,9 @@ func WithAdditionalGIDs(userstr string) SpecOpts { + return nil + } + setProcess(s) ++ s.Process.User.AdditionalGids = nil + setAdditionalGids := func(root string) error { ++ defer ensureAdditionalGids(s) + var username string + uid, err := strconv.Atoi(userstr) + if err == nil { +diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go +index e29cb40f8..ffa6cd614 100644 +--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go ++++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go +@@ -230,7 +230,8 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta + // Because it is still useful to get additional gids for uid 0. + userstr = strconv.FormatInt(securityContext.GetRunAsUser().GetValue(), 10) + } +- specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr)) ++ specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext), ++ customopts.WithCapabilities(securityContext, c.allCaps)) + + apparmorSpecOpts, err := generateApparmorSpecOpts( + securityContext.GetApparmorProfile(), +-- +2.33.0 + diff --git a/patch/0096-importer-stream-oci-layout-and-manifest.json.patch b/patch/0096-importer-stream-oci-layout-and-manifest.json.patch new file mode 100644 index 0000000000000000000000000000000000000000..6d915bc913b99da6e58a4a48ab33700c40cea843 --- /dev/null +++ b/patch/0096-importer-stream-oci-layout-and-manifest.json.patch 
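Review bot: The vendored CRI hunk at the end of this patch removes `customopts.WithAdditionalGIDs(userstr)` and puts `customopts.WithDevices(...)` / `customopts.WithCapabilities(...)` in its place, so the `userstr` assigned on the preceding context line (whose own comment says it is kept "to get additional gids for uid 0") now feeds nothing and the /etc/group lookup for the container user is dropped rather than fixed — the opposite of what the patch's YAML test suite expects for `groups=...,10(wheel)`. The body of CreateContainer lies outside this excerpt, so if WithAdditionalGIDs is appended elsewhere this is moot, but otherwise the line should stay, after the `oci.WithUser` opt, since the new `WithUser`/`WithUIDGID`/`WithUserID`/`WithUsername` all reset `AdditionalGids` to nil before their deferred `ensureAdditionalGids`: `specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr))`. The replacement WithDevices/WithCapabilities calls look like a stray copy of opts the privileged/non-privileged branch already adds, and their argument lists (`c.config.DeviceOwnershipFromSecurityContext`, `c.allCaps`) must exist in this vendored cri version — worth confirming the package still builds and that devices/caps are not applied twice. As a documentation nit, `ensureAdditionalGids` prepends rather than appends the primary GID; a comment such as `// Prepend so the primary GID is listed first, matching runc/docker's groups= output.` would make the ordering intentional.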
@@ -0,0 +1,48 @@
+From d86db0de932912591e4a3884305547162b87f885 Mon Sep 17 00:00:00 2001
+From: Samuel Karp
+Date: Mon, 27 Feb 2023 15:02:01 +0800
+Subject: [PATCH] importer: stream oci-layout and manifest.json
+
+Signed-off-by: Samuel Karp
+---
+ images/archive/importer.go | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/images/archive/importer.go b/images/archive/importer.go
+index da83275..443b886 100644
+--- a/images/archive/importer.go
++++ b/images/archive/importer.go
+@@ -23,7 +23,6 @@ import (
+ "context"
+ "encoding/json"
+ "io"
+- "io/ioutil"
+ "path"
+ 
+ "github.com/containerd/containerd/archive/compression"
+@@ -192,15 +191,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader) (oc
+ return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
+ }
+ 
++const (
++ kib = 1024
++ mib = 1024 * kib
++ jsonLimit = 20 * mib
++)
++
+ func onUntarJSON(r io.Reader, j interface{}) error {
+- b, err := ioutil.ReadAll(r)
+- if err != nil {
+- return err
+- }
+- if err := json.Unmarshal(b, j); err != nil {
+- return err
+- }
+- return nil
++ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
+ }
+ 
+ func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 48dc8138a00a43126adb94c179536b78e442d8c9..b0352eaadfa9482ccc8bbf1668c29c92be4403fd 100644
--- a/series.conf
+++ b/series.conf
@@ -99,4 +99,6 @@ patch/0091-schema1-reject-ambiguous-documents.patch
 patch/0092-containerd-add-CGO-sercurity-build-options.patch
 patch/0093-containerd-fix-version-number-wrong.patch
 patch/0094-containerd-Fix-goroutine-leak-in-Exec.patch
+patch/0095-oci-fix-additional-GIDs.patch
+patch/0096-importer-stream-oci-layout-and-manifest.json.patch
 # end
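Review bot: The new one-line `onUntarJSON` body silently accepts trailing bytes after the first JSON value, which the removed `json.Unmarshal` path rejected: `json.Decoder.Decode` returns as soon as one value is complete, so a manifest.json or oci-layout entry with extra data appended now imports cleanly instead of failing. The 20 MiB cap is the right fix for the unbounded `ioutil.ReadAll`, but combined with the decoder it also means an entry whose first value ends inside the window has its remainder dropped with no signal, and an oversized value only surfaces as a generic unexpected-EOF error. I would keep the limited decoder and add a trailing-token check after Decode, as below; the file's import block is cut off by the hunk, so `errors.New` here stands for whichever errors package the file already has in scope.
```go
func onUntarJSON(r io.Reader, j interface{}) error {
	dec := json.NewDecoder(io.LimitReader(r, jsonLimit))
	if err := dec.Decode(j); err != nil {
		return err
	}
	// Decode stops after the first value; reject anything that follows so a
	// valid prefix cannot smuggle extra content past the size cap (the old
	// Unmarshal path also refused trailing data).
	if _, err := dec.Token(); err != io.EOF {
		return errors.New("trailing data after JSON value")
	}
	return nil
}
```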