import crun-0.18-3.module+el8.7.0+16212+65e1b35f

This commit is contained in:
CentOS Sources 2022-09-20 23:00:24 +00:00 committed by Stepan Oksanichenko
parent 6a3899d716
commit e3e5b7798c
3 changed files with 68 additions and 1 deletions

View File

@ -0,0 +1,30 @@
From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Mon, 28 Feb 2022 11:05:18 +0100
Subject: [PATCH 1/2] spec: do not set inheritable capabilities
Closes: CVE-2022-27650
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
---
src/libcrun/container.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index d3fb017..1e3f3e6 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -128,9 +128,6 @@ static char spec_file[] = "\
\"CAP_NET_BIND_SERVICE\"\n\
],\n\
\"inheritable\": [\n\
- \"CAP_AUDIT_WRITE\",\n\
- \"CAP_KILL\",\n\
- \"CAP_NET_BIND_SERVICE\"\n\
],\n\
\"permitted\": [\n\
\"CAP_AUDIT_WRITE\",\n\
--
2.35.1

View File

@ -0,0 +1,31 @@
From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Mon, 28 Feb 2022 11:06:50 +0100
Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
Closes: CVE-2022-27650
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
---
src/exec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/exec.c b/src/exec.c
index bf6c05f..8c9862d 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
capabilities->effective = exec_options.cap;
capabilities->effective_len = exec_options.cap_size;
- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
- capabilities->inheritable_len = exec_options.cap_size;
+ capabilities->inheritable = NULL;
+ capabilities->inheritable_len = 0;
capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
capabilities->bounding_len = exec_options.cap_size;
--
2.35.1

View File

@ -1,9 +1,11 @@
Summary: OCI runtime written in C
Name: crun
Version: 0.18
Release: 2%{?dist}
Release: 3%{?dist}
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: 0001-revert-tests-build-init-always-statically.patch
Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
License: GPLv2+
URL: https://github.com/containers/crun
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
@ -47,6 +49,10 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
%{_mandir}/man1/*
%changelog
* Tue Apr 05 2022 Jindrich Novy <jnovy@redhat.com> - 0.18-3
- fix CVE-2022-27650
- Related: #2061390
* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
- allow to build without glibc-static (thanks to Giuseppe Scrivano)
- Related: #1883490