containerd:Use fs.RootPath when mounting volumes

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        109
+Release:        301
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -52,14 +52,20 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim
 
 %changelog
-* Sat Jan 22 2022 songyanting<songyanting@huawei.com> - 1.2.0-109
+* Tue May 10 2022 Vanient<xiadanni1@huawei.com> - 1.2.0-301
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Use fs.RootPath when mounting volumes for bundle dir to fix CVE-2022-23648
+
+* Sat Jan 22 2022 songyanting<songyanting@huawei.com> - 1.2.0-300
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:sync bugfix, include
        1. add check in spec
        2. kill container init process if runc start returns error
-       3. fix containerd-shim residual when kill containerd during starting container
+       3. fix containerd-shim residual when kill containerd durin
        4. fix deadlock on commit error
        5. backport upstream & ttrpc patches
        6. fix exec event missing due to pid reuse
@@ -72,6 +78,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
       13. reduce permission for bundle dir
       14. fix publish command wait block forever
 
+* Mon Jan 10 2022 xiadanni<xiadanni1@huawei.com> - 1.2.0-109
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:disable go module build
+
 * Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.2.0-108
 - Type:bugfix
 - ID:NA

git-commit

@@ -1 +1 @@
-58b29274635c89604fa2e8b347e6370cbbaad569
+188e768fc5b6e679728ee1e7033e481b238b4665

patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch

@@ -0,0 +1,40 @@
+From 53c45a7abaea09e60e0175f192742c74d1be60e2 Mon Sep 17 00:00:00 2001
+From: Vanient <xiadanni1@huawei.com>
+Date: Thu, 31 Mar 2022 21:30:15 +0800
+Subject: [PATCH] containerd:Use fs.RootPath when mounting volumes
+
+fix CVE-2022-23648
+upstream:https://github.com/containerd/containerd/commit/3406af86394c2426ce7f55d5f52be2b79f456211
+
+Signed-off-by: Vanient <xiadanni1@huawei.com>
+---
+ .../containerd/cri/pkg/containerd/opts/container.go         | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+index 7647c373c..2ea49b594 100644
+--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
++++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+@@ -20,7 +20,6 @@ import (
+ 	"context"
+ 	"io/ioutil"
+ 	"os"
+-	"path/filepath"
+ 
+ 	"github.com/containerd/containerd"
+ 	"github.com/containerd/containerd/containers"
+@@ -88,7 +87,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
+ 		}()
+ 
+ 		for host, volume := range volumeMounts {
+-			src := filepath.Join(root, volume)
++			src, err := fs.RootPath(root, volume)
++			if err != nil {
++				return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
++			}
+ 			if _, err := os.Stat(src); err != nil {
+ 				if os.IsNotExist(err) {
+ 					// Skip copying directory if it does not exist.
+-- 
+2.27.0
+

series.conf

@@ -88,4 +88,5 @@ patch/0080-containerd-improve-log-for-debugging.patch
 patch/0081-containerd-reduce-permissions-for-bundle-di.patch
 patch/0082-containerd-fix-publish-command-wait-block-for.patch
 patch/0083-containerd-optimize-cgo-compile-options.patch
+patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
 # end