diff --git a/0001-tighten-check-in-check_fd_under_path.patch b/0001-tighten-check-in-check_fd_under_path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a4685494c7458c2e64df3e724f4e4d89bcb99eb3
--- /dev/null
+++ b/0001-tighten-check-in-check_fd_under_path.patch
@@ -0,0 +1,27 @@
+From f6f92b872352e7ee29d7e91552150712437bf808 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Erik=20Sj=C3=B6lund?=
+Date: Sat, 26 Aug 2023 11:18:00 +0200
+Subject: [PATCH] utils: tighten check in check_fd_under_path()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Giuseppe Scrivano
+Signed-off-by: Erik Sjölund
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index ce0844481..1b7104a4b 100644
+--- a/src/libcrun/utils.c
++++ b/src/libcrun/utils.c
+@@ -333,7 +333,7 @@ check_fd_under_path (const char *rootfs, size_t rootfslen, int fd, const char *f
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "readlink `%s`", fdname);
+
+- if (((size_t) ret) <= rootfslen || memcmp (link, rootfs, rootfslen) != 0)
++ if (((size_t) ret) <= rootfslen || memcmp (link, rootfs, rootfslen) != 0 || link[rootfslen] != '/')
+ return crun_make_error (err, 0, "target `%s` not under the directory `%s`", fdname, rootfs);
+
+ return 0;
diff --git a/crun.spec b/crun.spec
index 44678598b1484e7206f191ecf64b5e4fe26d5b25..ac33ae041b67cc2c590956775c85b49359275872 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,8 +1,11 @@
 Name: crun
 Version: 1.8.7
-Release: 2
+Release: 3
 Summary: A fast and low-memory footprint OCI Container Runtime fully written in C.
 URL: https://github.com/containers/%{name}
+
+Patch1: 0001-tighten-check-in-check_fd_under_path.patch
+
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
 License: GPL-2.0-only
 BuildRequires: autoconf
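Review bot: The added `link[rootfslen] != '/'` test in the src/libcrun/utils.c hunk carried by 0001-tighten-check-in-check_fd_under_path.patch assumes `rootfs` never ends in a slash: for a `rootfs` of `/` or one with a trailing `/`, `link[rootfslen]` is the first character of the next path component, so every target would be rejected. The callers are outside the hunk, so whether `rootfs` is always normalized cannot be confirmed here; that precondition should be stated in a comment on check_fd_under_path(). I would also add above the condition `/* ret > rootfslen is tested first, so link[rootfslen] lies inside the bytes the readlink call wrote; the '/' test keeps a sibling path that merely starts with rootfs from passing the prefix compare. */`. The body of check_fd_under_path() starts and ends outside the hunk.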
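Review bot: `Patch1:` in the first crun.spec hunk only declares the patch; whether it is applied depends on the `%prep` section, which is outside this hunk. If `%prep` uses a plain `%setup` rather than `%autosetup -p1` or an explicit `%patch1 -p1`, the package would be released as 1.8.7-3 with the changelog entry but without the check_fd_under_path() fix. It is worth confirming in the build log that the patch is applied to src/libcrun/utils.c.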
@@ -54,6 +57,9 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %{_mandir}/man1/*
 %changelog
+* Fri Jul 19 2024 zhangxingrong- - 1.8.7-3
+- utils: tighten check in check_fd_under_path()
+
 * Sun Apr 28 2024 yinsist - 1.8.7-2
 - Disable criu dependency for RISC-V as criu does not currently support RISC-V