From 671682e6e281a5ab9018621dbe3b47399975416f Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Wed, 20 Mar 2024 10:07:04 +0800
Subject: [PATCH] fix CVE-2022-27652

---
 0001-fix-CVE-2022-27652.patch | 66 +++++++++++++++++++++++++++++++++++
 cri-o.spec | 11 +++++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-CVE-2022-27652.patch

diff --git a/0001-fix-CVE-2022-27652.patch b/0001-fix-CVE-2022-27652.patch
new file mode 100644
index 0000000..0dff13a
--- /dev/null
+++ b/0001-fix-CVE-2022-27652.patch
@@ -0,0 +1,66 @@
+From b5ba4b04cef13cbe2d9a0ee9d4781a359fc20f5e Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Mon, 11 Mar 2024 16:12:02 +0800
+Subject: [PATCH] fix CVE-2022-27652
+
+---
+ server/container_create.go | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/server/container_create.go b/server/container_create.go
+index 520efc7..7de2676 100644
+--- a/server/container_create.go
++++ b/server/container_create.go
+@@ -292,6 +292,9 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ // and pods expect that switching to a non-root user results in the capabilities being
+ // dropped. This should be revisited in the future.
+ specgen.Config.Process.Capabilities.Ambient = []string{}
++ // Also remove all inheritable capabilities in accordance with CVE-2022-27652,
++ // as it's not idiomatic for a manager of processes to set them.
++ specgen.Config.Process.Capabilities.Inheritable = []string{}
+
+ if caps == nil {
+ return nil
+@@ -329,9 +332,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.AddProcessCapabilityEffective(c); err != nil {
+ return err
+ }
+- if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
+- return err
+- }
+ if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
+ return err
+ }
+@@ -345,9 +345,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.DropProcessCapabilityEffective(c); err != nil {
+ return err
+ }
+- if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
+- return err
+- }
+ if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
+ return err
+ }
+@@ -369,9 +366,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
+ return err
+ }
+- if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
+- return err
+- }
+ if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
+ return err
+ }
+@@ -388,9 +382,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
+ if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
+ return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+ }
+- if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
+- return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+- }
+ if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
+ return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+ }
+--
+2.20.1
+
diff --git a/cri-o.spec b/cri-o.spec
index 3841bd1..59f75e2 100644
--- a/cri-o.spec
+++ b/cri-o.spec
@@ -21,12 +21,15 @@ Name: cri-o
 Version: 1.23.2
 Epoch: 0
-Release: 1
+Release: 2
 Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License: ASL 2.0
 URL: https://github.com/cri-o/cri-o
 Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+
+Patch0001: 0001-fix-CVE-2022-27652.patch
+
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
 BuildRequires: gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make
@@ -156,6 +159,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
+* Wed Mar 20 2024 zhangbowei - 0:1.23.2-2
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-27652
+
 * Tue Jun 07 2022 fushanqing - 0:1.23.2-1
 - Update cri-o to 1.23.2
-- Gitee
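Review bot: The new `specgen.Config.Process.Capabilities.Inheritable = []string{}` in the first inner hunk (@@ -292) sits before the `if caps == nil { return nil }` early return, and that ordering is what lets the clear also take effect on the default-capabilities path, presumably where the generator's initial spec already carries an inheritable set; the added comment explains why inheritable caps are dropped but not that the position matters, so a later refactor that moves the nil check up would silently reintroduce them. I would extend the comment with `// Must stay above the caps == nil early return so the generator's default inheritable set is cleared as well.` Removing the four AddProcessCapabilityInheritable/DropProcessCapabilityInheritable blocks in the later hunks is consistent with that: only Effective and Permitted are touched afterwards, so the inheritable set stays empty regardless of the add/drop lists. setupCapabilities begins and ends outside these hunks.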
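Review bot: `Patch0001: 0001-fix-CVE-2022-27652.patch` is declared in the first spec hunk, but nothing visible here applies it; whether %prep uses `%autosetup -p1` (which applies numbered patches automatically) or a plain `%setup` (which does not) is outside this diff, so the build should be checked to confirm the patched container_create.go is what gets compiled, otherwise the Release bump ships without the fix. In the changelog hunk the new entry records `- CVE:NA` while its own `- DESC: fix CVE-2022-27652` line names the CVE; `- CVE:CVE-2022-27652` would keep the advisory discoverable from the package metadata and avoid the contradiction.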