From 704dfccbbf403b7463f3899187b7c17df398cce9 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 24 May 2024 09:48:28 +0800
Subject: [PATCH] runc:fix CVE-2024-3154

Signed-off-by: zhongjiawei
---
 git-commit | 2 +-
 patch/0053-runc-fix-CVE-2024-3154.patch | 50 +++++++++++++++++++++++++
 runc.spec | 8 +++-
 series.conf | 1 +
 4 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100644 patch/0053-runc-fix-CVE-2024-3154.patch
diff --git a/git-commit b/git-commit
index 523b687..c65756b 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-df767bfac9eec2ce7b635757f676ecb5b11ec195
+e27527223df4f2a031d5f63e59baacb6106164d7
diff --git a/patch/0053-runc-fix-CVE-2024-3154.patch b/patch/0053-runc-fix-CVE-2024-3154.patch
new file mode 100644
index 0000000..5ece867
--- /dev/null
+++ b/patch/0053-runc-fix-CVE-2024-3154.patch
@@ -0,0 +1,50 @@
+From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Sat, 9 Mar 2024 21:30:56 +0900
+Subject: [PATCH] features: implement returning
+ potentiallyUnsafeConfigAnnotations list
+
+See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
+
+Signed-off-by: Akihiro Suda
+---
+ features.go | 5 +++++
+ types/features/features.go | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/features.go b/features.go
+index c9cd15c..7f76e7a 100644
+--- a/features.go
++++ b/features.go
+@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
+ Enabled: &tru,
+ },
+ },
++ PotentiallyUnsafeConfigAnnotations: []string{
++ "bundle",
++ "org.systemd.property.", // prefix form
++ "org.criu.config",
++ },
+ }
+
+ if seccomp.Enabled {
+diff --git a/types/features/features.go b/types/features/features.go
+index c6269ca..8b467f7 100644
+--- a/types/features/features.go
++++ b/types/features/features.go
+@@ -25,6 +25,12 @@ type Features struct {
+ // Annotations contains implementation-specific annotation strings,
+ // such as the implementation version, and third-party extensions.
+ Annotations map[string]string `json:"annotations,omitempty"`
++
++ // PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
++ // that may appear in `config.json`.
++ //
++ // A value that ends with "." is interpreted as a prefix of annotations.
++ PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
+ }
+
+ // Linux is specific to Linux.
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index 6c8cf16..10a780b 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@
 Name: runc
 Version: 1.1.3
-Release: 24
+Release: 26
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
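Review bot: The backported patch only makes `runc features` advertise `bundle`, `org.systemd.property.` (prefix form, per the `// prefix form` comment and the field doc) and `org.criu.config` as potentially unsafe annotations; nothing in this hunk makes runc itself reject or validate those annotations when a container is created. The mitigation for CVE-2024-3154 therefore depends on the container engine reading this list and filtering `config.json` annotations, so callers that never consult `runc features` gain nothing from this package update. The changelog entry in the second runc.spec hunk would state this more accurately as `- DESC:backport features.potentiallyUnsafeConfigAnnotations so engines can filter unsafe annotations (CVE-2024-3154)` rather than `fix CVE-2024-3154`. The upstream field comment `PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations` is missing "is", but since this is vendored upstream text it is best left verbatim so the patch keeps applying cleanly.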
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Fri May 24 2024 zhongjiawei - 1.1.3-26
+- Type:CVE
+- CVE:CVE-2024-3154
+- SUG:NA
+- DESC:fix CVE-2024-3154
+
 * Tue Feb 06 2024 zhongjiawei - 1.1.3-25
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 95f4db6..c118a09 100644
--- a/series.conf
+++ b/series.conf
@@ -50,3 +50,4 @@ patch/0049-runc-nsexec-Check-for-errors-in-write_log.patch
 patch/0050-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0051-runc-fix-CVE-2024-21626.patch
 patch/0052-runc-check-cmd-exist.patch
+patch/0053-runc-fix-CVE-2024-3154.patch
--
Gitee