From 16eb8f107b75feaa37d8c7c04145e5402d7512c8 Mon Sep 17 00:00:00 2001
From: duyiwei
Date: Thu, 16 Jan 2025 23:53:25 +0800
Subject: [PATCH] fix cve-2022-2989
---
 0006-fix-cve-2022-2989.patch | 84 ++++++++++++++++++++++++++++++++++++
 podman.spec | 7 ++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 0006-fix-cve-2022-2989.patch
diff --git a/0006-fix-cve-2022-2989.patch b/0006-fix-cve-2022-2989.patch
new file mode 100644
index 0000000..16d404a
--- /dev/null
+++ b/0006-fix-cve-2022-2989.patch
@@ -0,0 +1,84 @@
+From e7a00c6c91e4bbf6770eb3773b50f3d080083116 Mon Sep 17 00:00:00 2001
+From: duyiwei
+Date: Thu, 16 Jan 2025 23:44:57 +0800
+Subject: [PATCH] fix cve-2022-2989
+
+Signed-off-by: duyiwei
+---
+ libpod/container_internal_linux.go | 1 +
+ pkg/specgen/namespaces.go | 1 +
+ test/e2e/run_test.go | 14 +++++++++++---
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
+index eb05ca4..5c82972 100644
+--- a/libpod/container_internal_linux.go
++++ b/libpod/container_internal_linux.go
+@@ -500,6 +500,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+ // User and Group must go together
+ g.SetProcessUID(uint32(execUser.Uid))
+ g.SetProcessGID(uint32(execUser.Gid))
++ g.AddProcessAdditionalGid(uint32(execUser.Gid))
+ }
+
+ if c.config.Umask != "" {
+diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
+index 2f4c488..ad7fb90 100644
+--- a/pkg/specgen/namespaces.go
++++ b/pkg/specgen/namespaces.go
+@@ -363,6 +363,7 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
+ idmappings = mappings
+ g.SetProcessUID(uint32(uid))
+ g.SetProcessGID(uint32(gid))
++ g.AddProcessAdditionalGid(uint32(gid))
+ user = fmt.Sprintf("%d:%d", uid, gid)
+ fallthrough
+ case Private:
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index e21b1dc..3385f9d 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -848,7 +848,7 @@ USER bin`, BB)
+ session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)"))
++ Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)"))
+ })
+
+ It("podman run with user (integer, in /etc/passwd)", func() {
+@@ -869,14 +869,14 @@ USER bin`, BB)
+ session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
++ Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+ })
+
+ It("podman run with user:group (integer:groupname)", func() {
+ session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
++ Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
+ })
+
+ It("podman run with user, verify caps dropped", func() {
+@@ -887,6 +887,14 @@ USER bin`, BB)
+ Expect("0000000000000000").To(Equal(capEff[1]))
+ })
+
++ It("podman run with user, verify group added", func() {
++ session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
++ session.WaitWithDefaultTimeout()
++ Expect(session).Should(Exit(0))
++ groups := strings.Split(session.OutputToString(), " ")[1]
++ Expect("1000").To(Equal(groups))
++ })
++
+ It("podman run with attach stdin outputs container ID", func() {
+ session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
+ session.WaitWithDefaultTimeout()
+-- 
+2.33.0
+
diff --git a/podman.spec b/podman.spec
index ae811de..66f3c4c 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@ Name: podman
 Version: 3.4.4
-Release: 6
+Release: 7
 Summary: A daemonless container engine for managing Containers
 Epoch: 1
 License: ASL 2.0
@@ -26,6 +26,7 @@ Patch2: 0002-add-openEuler-hardened-ld.patch
 Patch3: 0003-CVE-2022-32149.patch
 Patch4: 0004-fix-CVE-2024-37298.patch
 Patch5: 0005-Fix-CVE-2023-0778.patch
+Patch6: 0006-fix-cve-2022-2989.patch
 %description
 Podman manages the entire container ecosystem which includes pods,
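Review bot: The new e2e test in the run_test.go part of this embedded patch indexes `strings.Split(session.OutputToString(), " ")[1]` without checking the split length, so a regression back to the pre-fix state (the `Groups:` line printed with no group at all, which is exactly what this CVE-2022-2989 backport is meant to catch) would panic with an out-of-range index rather than fail with a readable assertion. Comparing the whole normalized line avoids that and matches the exact-match style of the three `id` expectations in the same hunk: `Expect(session.OutputToString()).To(Equal("Groups: 1000"))`, assuming OutputToString() collapses the tab and trailing space of that /proc line as the helper appears to do for the `id` outputs — confirm against the test utility. The test also relies on `strings` being imported in run_test.go, which this patch does not add; worth a quick check that the import already exists in this 3.4.4 tree. The backport adds `g.AddProcessAdditionalGid` only on the two container-creation paths shown (generateSpec and SetupUserNS); whether any other path that sets the process UID/GID in this tree needs the same treatment cannot be judged from this patch alone. All three enclosing functions start and end outside their hunks.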
@@ -117,6 +118,7 @@ tar -xf %{SOURCE4}
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@@ -287,6 +289,9 @@ done
 %{_libexecdir}/%{name}/gvproxy
 %changelog
+* Thu Jan 16 2025 duyiwei - 1:3.4.4-7
+- fix cve-2022-2989
+
 * Thu Jan 16 2025 duyiwei - 1:3.4.4-6
 - Fix CVE-2023-0778
-- Gitee