-
Notifications
You must be signed in to change notification settings - Fork 567
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
92 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| Modified Patch to apply only for container export. The utils.go file | ||
| does not have the volume export code in the vendored podman version. | ||
| Modified by: Sumedh Sharma <sumsharma@microsoft.com> | ||
|
|
||
| From 6ca857feb07a5fdc96fd947afef03916291673d8 Mon Sep 17 00:00:00 2001 | ||
| From: Aditya R <arajan@redhat.com> | ||
| Date: Fri, 10 Feb 2023 15:16:27 +0530 | ||
| Subject: [PATCH] volume,container: chroot to source before exporting content | ||
|
|
||
| * Utils must support higher level API to create Tar with chrooted into | ||
| directory | ||
| * Volume export: use TarwithChroot instead of Tar so we can make sure no | ||
| symlink can be exported by tar if it exists outside of the source | ||
| directory. | ||
| * container export: use chroot and Tar instead of Tar so we can make sure no | ||
| symlink can be exported by tar if it exists outside of the mointPoint. | ||
|
|
||
| [NO NEW TESTS NEEDED] | ||
| [NO TESTS NEEDED] | ||
| Race needs combination of external/in-container mechanism which is hard to repro in CI. | ||
|
|
||
| Closes: BZ:#2168256 | ||
| CVE: https://access.redhat.com/security/cve/CVE-2023-0778 | ||
|
|
||
| Signed-off-by: Aditya R <arajan@redhat.com> | ||
| --- | ||
| .../containers/podman/v3/libpod/container_internal.go | 4 ++-- | ||
| 1 file changed, 2 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/vendor/github.com/containers/podman/v3/libpod/container_internal.go b/vendor/github.com/containers/podman/v3/libpod/container_internal.go | ||
| index 8ffcccf..42cb682 100644 | ||
| --- a/vendor/github.com/containers/podman/v3/libpod/container_internal.go | ||
| +++ b/vendor/github.com/containers/podman/v3/libpod/container_internal.go | ||
| @@ -26,7 +26,7 @@ import ( | ||
| "github.com/containers/podman/v3/pkg/selinux" | ||
| "github.com/containers/podman/v3/pkg/util" | ||
| "github.com/containers/storage" | ||
| - "github.com/containers/storage/pkg/archive" | ||
| + "github.com/containers/storage/pkg/chrootarchive" | ||
| "github.com/containers/storage/pkg/idtools" | ||
| "github.com/containers/storage/pkg/mount" | ||
| "github.com/coreos/go-systemd/v22/daemon" | ||
| @@ -757,7 +757,7 @@ func (c *Container) export(path string) error { | ||
| }() | ||
| } | ||
|
|
||
| - input, err := archive.Tar(mountPoint, archive.Uncompressed) | ||
| + input, err := chrootarchive.Tar(mountPoint, nil, mountPoint) | ||
| if err != nil { | ||
| return errors.Wrapf(err, "error reading container directory %q", c.ID()) | ||
| } | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001 | ||
| From: Peter Hunt <pehunt@redhat.com> | ||
| Date: Thu, 7 Dec 2023 16:07:12 -0500 | ||
| Subject: [PATCH] allowed annotations: correctly filter prefixed annotations | ||
|
|
||
| without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names. | ||
| The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily | ||
| change the resources of the pod, potentially leading to OOM. | ||
|
|
||
| Fixes CVE-2023-6476 | ||
|
|
||
| Signed-off-by: Peter Hunt <pehunt@redhat.com> | ||
| --- | ||
| internal/oci/oci.go | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/internal/oci/oci.go b/internal/oci/oci.go | ||
| index 89ecfb2..b56b6d9 100644 | ||
| --- a/internal/oci/oci.go | ||
| +++ b/internal/oci/oci.go | ||
| @@ -216,7 +216,7 @@ func (r *Runtime) FilterDisallowedAnnotations(handler string, annotations map[st | ||
| for ann := range annotations { | ||
| for _, disallowed := range rh.DisallowedAnnotations { | ||
| if strings.HasPrefix(ann, disallowed) { | ||
| - delete(annotations, disallowed) | ||
| + delete(annotations, ann) | ||
| } | ||
| } | ||
| } | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters