From adf6132bcb0829bb032b7a5cf16bd0b282920f1c Mon Sep 17 00:00:00 2001 From: fu-shanqing Date: Mon, 23 May 2022 13:58:13 +0800 Subject: [PATCH] fix CVE-2022-27650 (cherry picked from commit a7b8932e6248af9d1e8fd106f1a065093b49d042) --- crun.spec | 6 +++++- fix-CVE-2022-27650.patch | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 fix-CVE-2022-27650.patch diff --git a/crun.spec b/crun.spec index 060d833..067dd77 100644 --- a/crun.spec +++ b/crun.spec @@ -1,9 +1,10 @@ Name: crun Version: 1.4.3 -Release: 1 +Release: 2 Summary: A fast and low-memory footprint OCI Container Runtime fully written in C. URL: https://github.com/containers/%{name} Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz +Patch0: fix-CVE-2022-27650.patch License: GPLv2+ and LGPLv2.1+ BuildRequires: autoconf automake gcc python BuildRequires: libcap-devel systemd-devel yajl-devel libseccomp-devel libselinux-devel @@ -42,6 +43,9 @@ rm -rf %{buildroot}%{_prefix}/lib* %{_mandir}/man1/* %changelog +* Mon May 23 2022 fushanqing - 1.4.3-2 +- fix CVE-2022-27650. + * Tue Mar 1 2022 fu-shanqing - 1.4.3-1 - Update to 1.4.3 diff --git a/fix-CVE-2022-27650.patch b/fix-CVE-2022-27650.patch new file mode 100644 index 0000000..975dc9e --- /dev/null +++ b/fix-CVE-2022-27650.patch @@ -0,0 +1,14 @@ +diff -Naru crun-1.4.3/src/exec.c crun-1.4.3-new/src/exec.c +--- crun-1.4.3/src/exec.c 2021-11-05 14:53:28.000000000 +0800 ++++ crun-1.4.3-new/src/exec.c 2022-05-23 13:51:13.000000000 +0800 +@@ -304,8 +304,8 @@ + capabilities->effective = exec_options.cap; + capabilities->effective_len = exec_options.cap_size; + +- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size); +- capabilities->inheritable_len = exec_options.cap_size; ++ capabilities->inheritable = NULL; ++ capabilities->inheritable_len = 0; + + capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size); + capabilities->bounding_len = exec_options.cap_size; -- Gitee