diff --git a/0005-Fix-CVE-2023-0778.patch b/0005-Fix-CVE-2023-0778.patch
new file mode 100644
index 0000000000000000000000000000000000000000..091dfeb08206d4bf3df1bd09589cf6f1b88a9724
--- /dev/null
+++ b/0005-Fix-CVE-2023-0778.patch
@@ -0,0 +1,86 @@
+From 0abe1acdd56bfe8b871337c7ceb8151b9c205f66 Mon Sep 17 00:00:00 2001
+From: duyiwei
+Date: Thu, 16 Jan 2025 16:20:52 +0800
+Subject: [PATCH] Fix CVE-2023-0778
+
+Signed-off-by: duyiwei
+---
+ libpod/container_internal.go | 4 ++--
+ utils/utils.go | 25 ++++++++++++++++++++++++-
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/container_internal.go b/libpod/container_internal.go
+index c6809ad..bac0af0 100644
+--- a/libpod/container_internal.go
++++ b/libpod/container_internal.go
+@@ -26,7 +26,7 @@ import (
+ "github.com/containers/podman/v3/pkg/selinux"
+ "github.com/containers/podman/v3/pkg/util"
+ "github.com/containers/storage"
+- "github.com/containers/storage/pkg/archive"
++ "github.com/containers/storage/pkg/chrootarchive"
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/mount"
+ "github.com/coreos/go-systemd/v22/daemon"
+@@ -792,7 +792,7 @@ func (c *Container) export(path string) error {
+ }()
+ }
+
+- input, err := archive.Tar(mountPoint, archive.Uncompressed)
++ input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
+ if err != nil {
+ return errors.Wrapf(err, "error reading container directory %q", c.ID())
+ }
+diff --git a/utils/utils.go b/utils/utils.go
+index f2e7bee..147f97a 100644
+--- a/utils/utils.go
++++ b/utils/utils.go
+@@ -15,6 +15,7 @@ import (
+ "github.com/containers/podman/v3/libpod/define"
+ "github.com/containers/podman/v3/pkg/cgroups"
+ "github.com/containers/storage/pkg/archive"
++ "github.com/containers/storage/pkg/chrootarchive"
+ "github.com/godbus/dbus/v5"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+@@ -119,7 +120,7 @@ func CreateTarFromSrc(source string, dest string) error {
+ return errors.Wrapf(err, "Could not create tarball file '%s'", dest)
+ }
+ defer file.Close()
+- return TarToFilesystem(source, file)
++ return TarChrootToFilesystem(source, file)
+ }
+
+ // TarToFilesystem creates a tarball from source and writes to an os.file
+@@ -143,6 +144,28 @@ func Tar(source string) (io.ReadCloser, error) {
+ return archive.Tar(source, archive.Uncompressed)
+ }
+
++// TarChrootToFilesystem creates a tarball from source and writes to an os.file
++// provided while chrooted to the source.
++func TarChrootToFilesystem(source string, tarball *os.File) error {
++ tb, err := TarWithChroot(source)
++ if err != nil {
++ return err
++ }
++ _, err = io.Copy(tarball, tb)
++ if err != nil {
++ return err
++ }
++ logrus.Debugf("wrote tarball file %s", tarball.Name())
++ return nil
++}
++
++// TarWithChroot creates a tarball from source and returns a readcloser of it
++// while chrooted to the source.
++func TarWithChroot(source string) (io.ReadCloser, error) {
++ logrus.Debugf("creating tarball of %s", source)
++ return chrootarchive.Tar(source, nil, source)
++}
++
+ // RemoveScientificNotationFromFloat returns a float without any
+ // scientific notation if the number has any.
+ // golang does not handle conversion of float64s that have scientific
+--
+2.33.0
+
diff --git a/podman.spec b/podman.spec
index 8f6c63777ef45f369ce3a95cb00160c79d9a3252..ae811de29b4c7d0954c87c061157213529c30828 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@ Name: podman
Version: 3.4.4
-Release: 5
+Release: 6
Summary: A daemonless container engine for managing Containers
Epoch: 1
License: ASL 2.0
@@ -25,6 +25,7 @@ Patch1: 0001-Fix-the-invalid-memory-address-reference.patch
Patch2: 0002-add-openEuler-hardened-ld.patch
Patch3: 0003-CVE-2022-32149.patch
Patch4: 0004-fix-CVE-2024-37298.patch
+Patch5: 0005-Fix-CVE-2023-0778.patch
%description
Podman manages the entire container ecosystem which includes pods,
@@ -115,6 +116,7 @@ tar -xf %{SOURCE4}
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%build
GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@@ -285,6 +287,9 @@ done
%{_libexecdir}/%{name}/gvproxy
%changelog
+* Thu Jan 16 2025 duyiwei - 1:3.4.4-6
+- Fix CVE-2023-0778
+
* Mon Jan 13 2025 duyiwei - 1:3.4.4-5 - Fix CVE-2024-37298
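Review bot: `TarChrootToFilesystem` never closes the `io.ReadCloser` it receives from `TarWithChroot`, so whatever backs that reader is only released when it is garbage-collected; add `defer tb.Close()` directly after the first `if err != nil` check, mirroring the `defer file.Close()` already used in `CreateTarFromSrc`. The non-chroot helpers `Tar` and `TarToFilesystem` stay exported with their old behavior, so any remaining caller that archives a path a container user can modify keeps the symlink race this patch is meant to close — worth grepping for those callers and either retargeting them to the chroot variants or marking the old helpers `// Deprecated:` in their doc comments. The enclosing `Tar` function begins before this hunk. It would also help readers if the `TarWithChroot` comment said why the chroot matters — as I understand the CVE, tarring from inside a chroot at `source` keeps a symlink swapped in mid-export from resolving to host paths — since the commit message only names the CVE number.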