diff --git a/0001-Reset-create_pid-after-waitpid-to-prevent-signaling-.patch b/0001-Reset-create_pid-after-waitpid-to-prevent-signaling-.patch
new file mode 100644
index 0000000..1c7668c
--- /dev/null
+++ b/0001-Reset-create_pid-after-waitpid-to-prevent-signaling-.patch
@@ -0,0 +1,32 @@
+From 8596fc6462efa2bd0db47485931cfcd704ca0637 Mon Sep 17 00:00:00 2001
+From: Jindrich Novy
+Date: Thu, 21 May 2026 09:38:48 +0200
+Subject: [PATCH] Reset create_pid after waitpid to prevent signaling unrelated
+ processes
+
+After the synchronous waitpid(create_pid) succeeds, create_pid was
+never reset to -1. If the PID was later reused by another process,
+on_sig_exit() would send SIGTERM to that unrelated process.
+
+Resolves: RHEL-178025
+
+Signed-off-by: Jindrich Novy
+---
+ src/conmon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/conmon.c b/src/conmon.c
+index 0abbd17d..24a7da18 100644
+--- a/src/conmon.c
++++ b/src/conmon.c
+@@ -360,6 +360,7 @@ int main(int argc, char *argv[])
+ }
+ pexitf("Failed to wait for `runtime %s`", opt_exec ? "exec" : "create");
+ }
++ create_pid = -1;
+ }
+
+ /* For exec operations, a non-zero runtime exit status reflects the exit status of the exec'd command,
+--
+2.49.0
+
diff --git a/conmon.spec b/conmon.spec
index fce5a32..f323ff3 100644
--- a/conmon.spec
+++ b/conmon.spec
@@ -17,11 +17,13 @@ Name: conmon
 Epoch: 3
 Version: 2.2.1
 License: Apache-2.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: OCI container runtime monitor
 URL: https://github.com/containers/%{name}
 # Tarball fetched from upstream
 Source0: %{url}/archive/v%{version}.tar.gz
+# https://github.com/containers/conmon/pull/659
+Patch0001: 0001-Reset-create_pid-after-waitpid-to-prevent-signaling-.patch
 %if %{with docs}
 BuildRequires: go-md2man
 %endif
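Review bot: The added `create_pid = -1;` in the embedded src/conmon.c hunk of the new 0001 patch file still leaves a short window between waitpid() reaping the child and the store, during which on_sig_exit() would read the old PID. Neither the declaration of create_pid nor the handler is visible here, so this is inferred from the commit message; if the handler runs asynchronously, blocking the forwarded exit signals across the wait and the reset would close that window. It is also worth confirming that create_pid is declared so the handler is guaranteed to observe the store. A comment above the assignment would record the intent, for example `/* child has been reaped: its PID may be reused, so never signal it again */`. main()'s body starts and ends outside the hunk, so whether every path that reaps the child reaches this assignment cannot be checked from the page.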
@@ -70,6 +72,10 @@ sed -i 's/install.bin: bin\/conmon/install.bin:/' Makefile
 %endif
 
 %changelog
+* Mon Jun 22 2026 Jindrich Novy - 3:2.2.1-2
+- reset create_pid after waitpid to prevent signaling unrelated processes
+- Resolves: RHEL-178025
+
 * Thu Feb 12 2026 Jindrich Novy - 3:2.2.1-1
 - update to https://github.com/containers/conmon/releases/tag/v2.2.1
 - enable RELRO