* [meta-virtualization][dunfell][PATCH 2/3] runc: FIx CVE-2022-29162
@ 2023-02-22 10:42 Hugo SIMELIERE
From: Hugo SIMELIERE @ 2023-02-22 10:42 UTC (permalink / raw)
To: meta-virtualization
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
.../runc/files/CVE-2022-29162.patch | 123 ++++++++++++++++++
recipes-containers/runc/runc-docker_git.bb | 1 +
.../runc/runc-opencontainers_git.bb | 1 +
3 files changed, 125 insertions(+)
create mode 100644 recipes-containers/runc/files/CVE-2022-29162.patch
diff --git a/recipes-containers/runc/files/CVE-2022-29162.patch b/recipes-containers/runc/files/CVE-2022-29162.patch
new file mode 100644
index 0000000..797c923
--- /dev/null
+++ b/recipes-containers/runc/files/CVE-2022-29162.patch
@@ -0,0 +1,123 @@
+From 2e46aecb3c3212eef2c4fb26e78aac5918fc058b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 12 May 2022 08:15:42 +1000
+Subject: [PATCH] Merge pull request from GHSA-f3fp-gc8g-vw66
+
+[ Upstream commit d04de3a9b72d7a2455c1885fc75eb36d02cd17b5 ]
+
+runc: do not set inheritable capabilities
+
+CVE: CVE-2022-29162
+---
+ exec.go | 1 -
+ libcontainer/README.md | 16 ----------------
+ libcontainer/integration/exec_test.go | 2 --
+ libcontainer/integration/template_test.go | 16 ----------------
+ libcontainer/specconv/example.go | 5 -----
+ 5 files changed, 40 deletions(-)
+
+diff --git a/src/import/exec.go b/src/import/exec.go
+index 6053ea97..fc078d4e 100644
+--- a/src/import/exec.go
++++ b/src/import/exec.go
+@@ -193,7 +193,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
+ if caps := context.StringSlice("cap"); len(caps) > 0 {
+ for _, c := range caps {
+ p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
+- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
+ p.Capabilities.Effective = append(p.Capabilities.Effective, c)
+ p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
+ p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
+diff --git a/src/import/libcontainer/README.md b/src/import/libcontainer/README.md
+index 13eee49d..aedde773 100644
+--- a/src/import/libcontainer/README.md
++++ b/src/import/libcontainer/README.md
+@@ -96,22 +96,6 @@ config := &configs.Config{
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+- Inheritable: []string{
+- "CAP_CHOWN",
+- "CAP_DAC_OVERRIDE",
+- "CAP_FSETID",
+- "CAP_FOWNER",
+- "CAP_MKNOD",
+- "CAP_NET_RAW",
+- "CAP_SETGID",
+- "CAP_SETUID",
+- "CAP_SETFCAP",
+- "CAP_SETPCAP",
+- "CAP_NET_BIND_SERVICE",
+- "CAP_SYS_CHROOT",
+- "CAP_KILL",
+- "CAP_AUDIT_WRITE",
+- },
+ Permitted: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+diff --git a/src/import/libcontainer/integration/exec_test.go b/src/import/libcontainer/integration/exec_test.go
+index 1e8e185f..bb8ec9f6 100644
+--- a/src/import/libcontainer/integration/exec_test.go
++++ b/src/import/libcontainer/integration/exec_test.go
+@@ -412,7 +412,6 @@ func TestProcessCaps(t *testing.T) {
+ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
+- pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
+ err = container.Run(&pconfig)
+ ok(t, err)
+
+@@ -1539,7 +1538,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
+ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
+- pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
+
+ err = container.Run(pconfig2)
+ _ = stdinR2.Close()
+diff --git a/src/import/libcontainer/integration/template_test.go b/src/import/libcontainer/integration/template_test.go
+index 039cd737..60ca0f43 100644
+--- a/src/import/libcontainer/integration/template_test.go
++++ b/src/import/libcontainer/integration/template_test.go
+@@ -71,22 +71,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+- Inheritable: []string{
+- "CAP_CHOWN",
+- "CAP_DAC_OVERRIDE",
+- "CAP_FSETID",
+- "CAP_FOWNER",
+- "CAP_MKNOD",
+- "CAP_NET_RAW",
+- "CAP_SETGID",
+- "CAP_SETUID",
+- "CAP_SETFCAP",
+- "CAP_SETPCAP",
+- "CAP_NET_BIND_SERVICE",
+- "CAP_SYS_CHROOT",
+- "CAP_KILL",
+- "CAP_AUDIT_WRITE",
+- },
+ Ambient: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+diff --git a/src/import/libcontainer/specconv/example.go b/src/import/libcontainer/specconv/example.go
+index 56bab3bf..152d938a 100644
+--- a/src/import/libcontainer/specconv/example.go
++++ b/src/import/libcontainer/specconv/example.go
+@@ -41,11 +41,6 @@ func Example() *specs.Spec {
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+- Inheritable: []string{
+- "CAP_AUDIT_WRITE",
+- "CAP_KILL",
+- "CAP_NET_BIND_SERVICE",
+- },
+ Ambient: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+--
+2.39.1
+
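Review bot: The new patch file carries a `CVE:` tag (line 29 of this hunk) but no `Upstream-Status:` line, which the OpenEmbedded patch-header convention expects so maintainers can tell a backport from a local modification; add `Upstream-Status: Backport [2e46aecb3c3212eef2c4fb26e78aac5918fc058b]` next to the CVE tag, the commit id already named in the patch header. Note also that, as far as this hunk shows, the fix only stops `runc exec --cap` and the example spec from populating the Inheritable set; a bundle whose own config still lists inheritable capabilities is presumably applied unchanged, which matches the scope of the upstream change but is worth stating in the patch description. The `src/import/` prefix on the diff paths looks intended for this recipe's unpack layout; confirm the patch applies with the recipe's default strip level before merging.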
diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 2019ad3..5499333 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -7,6 +7,7 @@ SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.0;name=runc-doc
file://0001-runc-Add-console-socket-dev-null.patch \
file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
file://0001-runc-docker-SIGUSR1-daemonize.patch \
+ file://CVE-2022-29162.patch \
"
RUNC_VERSION = "1.0.3"
diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 4b1d0a0..0f625af 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -4,6 +4,7 @@ SRCREV = "e0124d569cb2dfe93bd9fb8d7f4ade461e006464"
SRC_URI = " \
git://github.com/opencontainers/runc;branch=release-1.0;protocol=https \
file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
+ file://CVE-2022-29162.patch \
"
RUNC_VERSION = "1.0.3"
--
2.39.2