containerd:fix CVE-2023-25153 and CVE-2023-25173

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        308
+Release:        309
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -55,6 +55,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Mon Feb 27 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-309
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2023-25153 and CVE-2023-25173
+
 * Thu Dec 16 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-308
 - Type:bugfix
 - ID:NA

git-commit

@@ -1 +1 @@
-2fe372726b7fdec5320b179aadab1e8ad5c0b6eb
+d2dfb1444fe48c86b6bbb291358d5b3f581d3b82

patch/0095-oci-fix-additional-GIDs.patch

@@ -0,0 +1,198 @@
+From f73de44a5b70c85458af955d74f45492ff07926a Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Sat, 24 Dec 2022 20:09:04 +0900
+Subject: [PATCH] oci: fix additional GIDs
+
+Test suite:
+```yaml
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-no-option
+  annotations:
+    description: "Equivalent of `docker run` (no option)"
+spec:
+  restartPolicy: Never
+  containers:
+    - name: main
+      image: ghcr.io/containerd/busybox:1.28
+      args: ['sh', '-euxc',
+             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]']
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-group-add-1-group-add-1234
+  annotations:
+    description: "Equivalent of `docker run --group-add 1 --group-add 1234`"
+spec:
+  restartPolicy: Never
+  containers:
+    - name: main
+      image: ghcr.io/containerd/busybox:1.28
+      args: ['sh', '-euxc',
+             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]']
+  securityContext:
+    supplementalGroups: [1, 1234]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-user-1234
+  annotations:
+    description: "Equivalent of `docker run --user 1234`"
+spec:
+  restartPolicy: Never
+  containers:
+    - name: main
+      image: ghcr.io/containerd/busybox:1.28
+      args: ['sh', '-euxc',
+             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]']
+  securityContext:
+    runAsUser: 1234
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-user-1234-1234
+  annotations:
+    description: "Equivalent of `docker run --user 1234:1234`"
+spec:
+  restartPolicy: Never
+  containers:
+    - name: main
+      image: ghcr.io/containerd/busybox:1.28
+      args: ['sh', '-euxc',
+             '[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]']
+  securityContext:
+    runAsUser: 1234
+    runAsGroup: 1234
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-user-1234-group-add-1234
+  annotations:
+    description: "Equivalent of `docker run --user 1234 --group-add 1234`"
+spec:
+  restartPolicy: Never
+  containers:
+    - name: main
+      image: ghcr.io/containerd/busybox:1.28
+      args: ['sh', '-euxc',
+             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]']
+  securityContext:
+    runAsUser: 1234
+    supplementalGroups: [1234]
+```
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Signed-off-by: zhongjiawei <zhongjiawei1@huawei.com>
+---
+ oci/spec_opts.go                              | 33 +++++++++++++++++++
+ .../cri/pkg/server/container_create.go        |  3 +-
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 8b599f805..718c48246 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -84,6 +84,17 @@ func setCapabilities(s *Spec) {
+ 	}
+ }
+ 
++// ensureAdditionalGids ensures that the primary GID is also included in the additional GID list.
++func ensureAdditionalGids(s *Spec) {
++	setProcess(s)
++	for _, f := range s.Process.User.AdditionalGids {
++		if f == s.Process.User.GID {
++			return
++		}
++	}
++	s.Process.User.AdditionalGids = append([]uint32{s.Process.User.GID}, s.Process.User.AdditionalGids...)
++}
++
+ // WithDefaultSpec returns a SpecOpts that will populate the spec with default
+ // values.
+ //
+@@ -459,7 +470,21 @@ func WithNamespacedCgroup() SpecOpts {
+ //   user, uid, user:group, uid:gid, uid:group, user:gid
+ func WithUser(userstr string) SpecOpts {
+ 	return func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
++		defer ensureAdditionalGids(s)
+ 		setProcess(s)
++		s.Process.User.AdditionalGids = nil
++
++		// For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
++		// mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
++		// guest itself. To accommodate this, a spot to place the user string provided by a client as-is is needed.
++		// The `Username` field on the runtime spec is marked by Platform as only for Windows, and in this case it
++		// *is* being set on a Windows host at least, but will be used as a temporary holding spot until the guest
++		// can use the string to perform these same operations to grab the uid:gid inside.
++		if s.Windows != nil && s.Linux != nil {
++			s.Process.User.Username = userstr
++			return nil
++		}
++
+ 		parts := strings.Split(userstr, ":")
+ 		switch len(parts) {
+ 		case 1:
+@@ -538,7 +563,9 @@ func WithUser(userstr string) SpecOpts {
+ // WithUIDGID allows the UID and GID for the Process to be set
+ func WithUIDGID(uid, gid uint32) SpecOpts {
+ 	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
++		defer ensureAdditionalGids(s)
+ 		setProcess(s)
++		s.Process.User.AdditionalGids = nil
+ 		s.Process.User.UID = uid
+ 		s.Process.User.GID = gid
+ 		return nil
+@@ -551,7 +578,9 @@ func WithUIDGID(uid, gid uint32) SpecOpts {
+ // additionally sets the gid to 0, and does not return an error.
+ func WithUserID(uid uint32) SpecOpts {
+ 	return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
++		defer ensureAdditionalGids(s)
+ 		setProcess(s)
++		s.Process.User.AdditionalGids = nil
+ 		if c.Snapshotter == "" && c.SnapshotKey == "" {
+ 			if !isRootfsAbs(s.Root.Path) {
+ 				return errors.Errorf("rootfs absolute path is required")
+@@ -604,7 +633,9 @@ func WithUserID(uid uint32) SpecOpts {
+ // it returns error.
+ func WithUsername(username string) SpecOpts {
+ 	return func(ctx context.Context, client Client, c *containers.Container, s *Spec) (err error) {
++		defer ensureAdditionalGids(s)
+ 		setProcess(s)
++		s.Process.User.AdditionalGids = nil
+ 		if s.Linux != nil {
+ 			if c.Snapshotter == "" && c.SnapshotKey == "" {
+ 				if !isRootfsAbs(s.Root.Path) {
+@@ -659,7 +690,9 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
+ 			return nil
+ 		}
+ 		setProcess(s)
++		s.Process.User.AdditionalGids = nil
+ 		setAdditionalGids := func(root string) error {
++			defer ensureAdditionalGids(s)
+ 			var username string
+ 			uid, err := strconv.Atoi(userstr)
+ 			if err == nil {
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
+index e29cb40f8..ffa6cd614 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
+@@ -230,7 +230,8 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
+ 		// Because it is still useful to get additional gids for uid 0.
+ 		userstr = strconv.FormatInt(securityContext.GetRunAsUser().GetValue(), 10)
+ 	}
+-	specOpts = append(specOpts, customopts.WithAdditionalGIDs(userstr))
++	specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
++		customopts.WithCapabilities(securityContext, c.allCaps))
+ 
+ 	apparmorSpecOpts, err := generateApparmorSpecOpts(
+ 		securityContext.GetApparmorProfile(),
+-- 
+2.33.0
+

patch/0096-importer-stream-oci-layout-and-manifest.json.patch

@@ -0,0 +1,48 @@
+From d86db0de932912591e4a3884305547162b87f885 Mon Sep 17 00:00:00 2001
+From: Samuel Karp <samuelkarp@google.com>
+Date: Mon, 27 Feb 2023 15:02:01 +0800
+Subject: [PATCH] importer: stream oci-layout and manifest.json
+
+Signed-off-by: Samuel Karp <samuelkarp@google.com>
+---
+ images/archive/importer.go | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/images/archive/importer.go b/images/archive/importer.go
+index da83275..443b886 100644
+--- a/images/archive/importer.go
++++ b/images/archive/importer.go
+@@ -23,7 +23,6 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"io"
+-	"io/ioutil"
+ 	"path"
+ 
+ 	"github.com/containerd/containerd/archive/compression"
+@@ -192,15 +191,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader) (oc
+ 	return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
+ }
+ 
++const (
++	kib       = 1024
++	mib       = 1024 * kib
++	jsonLimit = 20 * mib
++)
++
+ func onUntarJSON(r io.Reader, j interface{}) error {
+-	b, err := ioutil.ReadAll(r)
+-	if err != nil {
+-		return err
+-	}
+-	if err := json.Unmarshal(b, j); err != nil {
+-		return err
+-	}
+-	return nil
++	return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
+ }
+ 
+ func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
+-- 
+2.33.0
+

series.conf

@@ -99,4 +99,6 @@ patch/0091-schema1-reject-ambiguous-documents.patch
 patch/0092-containerd-add-CGO-sercurity-build-options.patch
 patch/0093-containerd-fix-version-number-wrong.patch
 patch/0094-containerd-Fix-goroutine-leak-in-Exec.patch
+patch/0095-oci-fix-additional-GIDs.patch
+patch/0096-importer-stream-oci-layout-and-manifest.json.patch
 # end