diff --git a/SOURCES/CVE-2022-1708.patch b/SOURCES/CVE-2022-1708.patch new file mode 100644 index 0000000..c8757e3 --- /dev/null +++ b/SOURCES/CVE-2022-1708.patch @@ -0,0 +1,93 @@ +diff --git a/src/cli.c b/src/cli.c +index 8e788f9..5761dde 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -38,6 +38,7 @@ gchar **opt_log_path = NULL; + char *opt_exit_dir = NULL; + int opt_timeout = 0; + int64_t opt_log_size_max = -1; ++int64_t opt_log_global_size_max = -1; + char *opt_socket_path = DEFAULT_SOCKET_PATH; + gboolean opt_no_new_keyring = FALSE; + char *opt_exit_command = NULL; +@@ -70,6 +71,7 @@ GOptionEntry opt_entries[] = { + {"log-level", 0, 0, G_OPTION_ARG_STRING, &opt_log_level, "Print debug logs based on log level", NULL}, + {"log-path", 'l', 0, G_OPTION_ARG_STRING_ARRAY, &opt_log_path, "Log file path", NULL}, + {"log-size-max", 0, 0, G_OPTION_ARG_INT64, &opt_log_size_max, "Maximum size of log file", NULL}, ++ {"log-global-size-max", 0, 0, G_OPTION_ARG_INT64, &opt_log_global_size_max, "Maximum size of all log files", NULL}, + {"log-tag", 0, 0, G_OPTION_ARG_STRING, &opt_log_tag, "Additional tag to use for logging", NULL}, + {"name", 'n', 0, G_OPTION_ARG_STRING, &opt_name, "Container name", NULL}, + {"no-new-keyring", 0, 0, G_OPTION_ARG_NONE, &opt_no_new_keyring, "Do not create a new session keyring for the container", NULL}, +@@ -180,5 +182,5 @@ void process_cli() + if (opt_container_pid_file == NULL) + opt_container_pid_file = g_strdup_printf("%s/pidfile-%s", cwd, opt_cid); + +- configure_log_drivers(opt_log_path, opt_log_size_max, opt_cid, opt_name, opt_log_tag); ++ configure_log_drivers(opt_log_path, opt_log_size_max, opt_log_global_size_max, opt_cid, opt_name, opt_log_tag); + } +diff --git a/src/ctr_logging.c b/src/ctr_logging.c +index c3fd5d2..8581783 100644 +--- a/src/ctr_logging.c ++++ b/src/ctr_logging.c +@@ -32,6 +32,9 @@ static const char *const JOURNALD_FILE_STRING = "journald"; + /* Max log size for any log file types */ + static int64_t log_size_max = -1; + ++/* Max total log size for any log file types */ ++static int64_t log_global_size_max = -1; ++ + /* k8s log file parameters */ + static int k8s_log_fd = -1; + static char *k8s_log_path = NULL; +@@ -77,9 +80,10 @@ static void reopen_k8s_file(void); + * (currently just k8s log file), it will also open the log_fd for that specific + * log file. + */ +-void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, char *cuuid_, char *name_, char *tag) ++void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, int64_t log_global_size_max_, char *cuuid_, char *name_, char *tag) + { + log_size_max = log_size_max_; ++ log_global_size_max = log_global_size_max_; + if (log_drivers == NULL) + nexit("Log driver not provided. Use --log-path"); + for (int driver = 0; log_drivers[driver]; ++driver) { +@@ -284,6 +288,7 @@ static int write_k8s_log(stdpipe_t pipe, const char *buf, ssize_t buflen) + writev_buffer_t bufv = {0}; + static int64_t bytes_written = 0; + int64_t bytes_to_be_written = 0; ++ static int64_t total_bytes_written = 0; + + /* + * Use the same timestamp for every line of the log in this buffer. +@@ -307,6 +312,10 @@ static int write_k8s_log(stdpipe_t pipe, const char *buf, ssize_t buflen) + bytes_to_be_written += 1; + } + ++ /* If the caller specified a global max, enforce it before writing */ ++ if (log_global_size_max > 0 && total_bytes_written >= log_global_size_max) ++ break; ++ + /* + * We re-open the log file if writing out the bytes will exceed the max + * log size. We also reset the state so that the new file is started with +@@ -360,6 +369,7 @@ static int write_k8s_log(stdpipe_t pipe, const char *buf, ssize_t buflen) + } + + bytes_written += bytes_to_be_written; ++ total_bytes_written += bytes_to_be_written; + next: + /* Update the head of the buffer remaining to output. */ + buf += line_len; +diff --git a/src/ctr_logging.h b/src/ctr_logging.h +index 1b63cd7..9b1f693 100644 +--- a/src/ctr_logging.h ++++ b/src/ctr_logging.h +@@ -7,7 +7,7 @@ + + void reopen_log_files(void); + bool write_to_logs(stdpipe_t pipe, char *buf, ssize_t num_read); +-void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, char *cuuid_, char *name_, char *tag); ++void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, int64_t log_global_size_max_, char *cuuid_, char *name_, char *tag); + void sync_logs(void); + + #endif /* !defined(CTR_LOGGING_H) */ diff --git a/SPECS/conmon.spec b/SPECS/conmon.spec index f92f3fb..b3417b8 100644 --- a/SPECS/conmon.spec +++ b/SPECS/conmon.spec @@ -10,11 +10,12 @@ Name: conmon Epoch: 2 Version: 2.0.26 -Release: 1%{?dist} +Release: 3%{?dist} Summary: OCI container runtime monitor License: ASL 2.0 URL: %{git0} Source0: %{git0}/archive/v%{version}.tar.gz +Patch0: CVE-2022-1708.patch # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures #ExclusiveArch: %%{go_arches} # still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4: @@ -51,6 +52,14 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %{_mandir}/man8/* %changelog +* Thu Jul 14 2022 Jindrich Novy - 2:2.0.26-3 +- amend CVE-2022-1708 +- Related: #2093390 + +* Mon Jun 06 2022 Jindrich Novy - 2:2.0.26-2 +- fix CVE-2022-1708 - thanks to Peter Hunt +- Related: #2061390 + * Thu Feb 04 2021 Jindrich Novy - 2:2.0.26-1 - update to https://github.com/containers/conmon/releases/tag/v2.0.26 - Related: #1883490