import crun-0.18-3.module+el8.7.0+16212+65e1b35f
This commit is contained in:
parent
6a3899d716
commit
e3e5b7798c
30
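--- a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,30 @@
+From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 11:05:18 +0100
+Subject: [PATCH 1/2] spec: do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
+---
+src/libcrun/container.c | 3 ---
+1 file changed, 3 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index d3fb017..1e3f3e6 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -128,9 +128,6 @@ static char spec_file[] = "\
+\"CAP_NET_BIND_SERVICE\"\n\
+],\n\
+\"inheritable\": [\n\
+- \"CAP_AUDIT_WRITE\",\n\
+- \"CAP_KILL\",\n\
+- \"CAP_NET_BIND_SERVICE\"\n\
+],\n\
+\"permitted\": [\n\
+\"CAP_AUDIT_WRITE\",\n\
+--
+2.35.1
+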
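Review bot: Nothing records why `\"inheritable\": [\n\` is now an explicit empty array while the adjacent lists (`permitted`, and the one that closes just above it) keep the same capabilities, so a later maintainer could plausibly "restore the symmetry" and reintroduce the defect; a comment above the `static char spec_file[]` definition, which starts outside the hunk, such as `/* Leave the inheritable set empty: a container binary carrying file capabilities could otherwise regain these across execve (CVE-2022-27650). */` would pin the intent. If the default spec also carries an `ambient` list (not visible in this hunk), it needs the same review, since the kernel only allows ambient capabilities that are also present in the inheritable set. Keeping the key with an empty array rather than deleting it is reasonable, as it keeps the choice visible in the generated spec.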
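--- a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,31 @@
+From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 11:06:50 +0100
+Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
+---
+src/exec.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/exec.c b/src/exec.c
+index bf6c05f..8c9862d 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
+capabilities->effective = exec_options.cap;
+capabilities->effective_len = exec_options.cap_size;
+
+- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
+- capabilities->inheritable_len = exec_options.cap_size;
++ capabilities->inheritable = NULL;
++ capabilities->inheritable_len = 0;
+
+capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
+capabilities->bounding_len = exec_options.cap_size;
+--
+2.35.1
+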
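Review bot: `capabilities->inheritable = NULL;` and `capabilities->inheritable_len = 0;` are bare assignments sitting between the `dup_array` calls for the other sets, so without a comment the fix reads like an omission that a later cleanup would "complete"; a comment above the two lines such as `/* --cap never populates the inheritable set: a binary with file capabilities could regain these across execve (CVE-2022-27650). */` would pin the intent. Separately, `capabilities->effective` still aliases `exec_options.cap` directly while `bounding` gets its own `dup_array` copy, so whoever frees the capabilities struct must not free `effective`; crun_command_exec continues outside the hunk, so that ownership convention is worth confirming there. If an `ambient` set is filled further down (not visible here), it needs the same treatment, since the kernel only raises ambient capabilities that are also present in the inheritable set.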
@ -1,9 +1,11 @@
Summary: OCI runtime written in C
Name: crun
Version: 0.18
Release: 2%{?dist}
Release: 3%{?dist}
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: 0001-revert-tests-build-init-always-statically.patch
Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
License: GPLv2+
URL: https://github.com/containers/crun
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
@ -47,6 +49,10 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
%{_mandir}/man1/*
|
||||
%changelog
* Tue Apr 05 2022 Jindrich Novy <jnovy@redhat.com> - 0.18-3
- fix CVE-2022-27650
- Related: #2061390
|
||||
* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
- allow to build without glibc-static (thanks to Giuseppe Scrivano)
- Related: #1883490