import crun-0.18-3.module+el8.7.0+16212+65e1b35f
parent
6a3899d716
commit
e3e5b7798c
30
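--- a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,30 @@
+From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 11:05:18 +0100
+Subject: [PATCH 1/2] spec: do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
+---
+src/libcrun/container.c | 3 ---
+1 file changed, 3 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index d3fb017..1e3f3e6 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -128,9 +128,6 @@ static char spec_file[] = "\
+\"CAP_NET_BIND_SERVICE\"\n\
+],\n\
+\"inheritable\": [\n\
+- \"CAP_AUDIT_WRITE\",\n\
+- \"CAP_KILL\",\n\
+- \"CAP_NET_BIND_SERVICE\"\n\
+],\n\
+\"permitted\": [\n\
+\"CAP_AUDIT_WRITE\",\n\
+--
+2.35.1
+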
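Review bot: The `\"inheritable\": [\n],` that the deletion leaves in the default spec is correct but unexplained, so nothing stops a later edit from "completing" the list to mirror `permitted` and reintroducing exactly what this patch removes. The `static char spec_file[]` declaration holding this literal begins before the inner hunk, so the natural place is a C comment just above it, e.g. `/* Keep "inheritable" empty: capabilities listed here survive execve into binaries whose file capabilities admit them (CVE-2022-27650). */`. The same rationale applies to the exec path changed by the second patch in this commit.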
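--- a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,31 @@
+From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 11:06:50 +0100
+Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
+---
+src/exec.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/exec.c b/src/exec.c
+index bf6c05f..8c9862d 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
+capabilities->effective = exec_options.cap;
+capabilities->effective_len = exec_options.cap_size;
+
+- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
+- capabilities->inheritable_len = exec_options.cap_size;
++ capabilities->inheritable = NULL;
++ capabilities->inheritable_len = 0;
+
+capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
+capabilities->bounding_len = exec_options.cap_size;
+--
+2.35.1
+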
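Review bot: Setting `capabilities->inheritable = NULL` with `inheritable_len = 0` only drops the capabilities if the code that later applies this struct treats an empty list as "clear CapInh" rather than "leave the current set untouched"; that applying path is in libcrun, outside this hunk, and is worth confirming rather than assuming. A second thing to verify: if the lines after this hunk still copy the `--cap` list into `capabilities->ambient` (not visible here), the kernel requires the ambient set to be a subset of both permitted and inheritable, so raising ambient caps while inheritable is empty fails with EPERM unless the applying code raises inheritable transiently and drops it again. The body of `crun_command_exec` starts and ends outside this hunk.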
@ -1,9 +1,11 @@
Summary: OCI runtime written in C
Summary: OCI runtime written in C
Name: crun
Name: crun
Version: 0.18
Version: 0.18
Release: 2%{?dist}
Release: 3%{?dist}
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: 0001-revert-tests-build-init-always-statically.patch
Patch0: 0001-revert-tests-build-init-always-statically.patch
Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
License: GPLv2+
License: GPLv2+
URL: https://github.com/containers/crun
URL: https://github.com/containers/crun
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
@ -47,6 +49,10 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
%{_mandir}/man1/*
%{_mandir}/man1/*
%changelog
%changelog
* Tue Apr 05 2022 Jindrich Novy <jnovy@redhat.com> - 0.18-3
- fix CVE-2022-27650
- Related: #2061390
* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
- allow to build without glibc-static (thanks to Giuseppe Scrivano)
- allow to build without glibc-static (thanks to Giuseppe Scrivano)
- Related: #1883490
- Related: #1883490
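Review bot: `Patch1` and `Patch2` are declared in the first hunk, but neither hunk touches `%prep`; if this spec applies patches with explicit `%patchN` lines rather than `%autosetup`, the two CVE-2022-27650 backports are listed but never applied and the 0.18-3 build ships the unchanged sources. `%prep` lies outside both hunks, so the diff cannot settle this — check it, and if the explicit style is in use add `%patch1 -p1` and `%patch2 -p1` next to the existing `%patch0` line. A cheap post-build confirmation is that the rebuilt runtime's default spec no longer lists any inheritable capabilities.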