crun-0.15-3

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

0001-exec-check-read-bytes-from-sync.patch

@@ -0,0 +1,35 @@
+From 20c56beb3307b0ac07af0edbbbe49ec65819f559 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Tue, 29 Sep 2020 16:52:02 +0200
+Subject: [PATCH] exec: check read bytes from sync
+
+when reading from the exec sync pipe, make sure it reads exactly one
+byte otherwise return an error.
+
+Closes: https://github.com/containers/crun/issues/511
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ src/libcrun/container.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 927986a..0308992 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -2595,10 +2595,10 @@ libcrun_container_exec (libcrun_context_t *context, const char *id, runtime_spec
+         }
+     }
+ 
+-  TEMP_FAILURE_RETRY (read (pipefd0, &b, sizeof (b)));
++  ret = TEMP_FAILURE_RETRY (read (pipefd0, &b, sizeof (b)));
+   TEMP_FAILURE_RETRY (close (pipefd0));
+   pipefd0 = -1;
+-  if (b != '0')
++  if (ret != 1 || b != '0')
+     ret = -1;
+   else
+     {
+-- 
+2.26.2
+

crun.spec

@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.15
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -22,6 +22,8 @@ BuildRequires: libtool
 BuildRequires: go-md2man
 Provides: oci-runtime = 2
 
+Patch0: 0001-exec-check-read-bytes-from-sync.patch
+
 %description
 crun is a runtime for running OCI containers
 
@@ -44,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 
 %changelog
+* Wed Sep 30 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.15-3
+- backport "exec: check read bytes from sync"
+
 * Wed Sep 23 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.15-2
 - rebuild