!64 [sync] PR-61: containerd:Fix CVE-2022-23471

From: @openeuler-sync-bot 
Reviewed-by: @Vanient, @duguhaotian 
Signed-off-by: @duguhaotian

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        306
+Release:        307
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -13,7 +13,7 @@ Source3:        series.conf
 Source4:        git-commit
 Source5:        gen-commit.sh
 
-BuildRequires:  golang glibc-static make btrfs-progs-devel
+BuildRequires:  golang glibc-static make btrfs-progs-devel git
 
 %description
 containerd is an industry-standard container runtime with an emphasis on
@@ -55,6 +55,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Tue Dec 13 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-307
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: Fix goroutine leak in Exec
+
 * Wed Nov 16 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-306
 - Type:bugfix
 - ID:NA

git-commit

@@ -1 +1 @@
-e6eb87f907c974224e5fe4da723815fa9618a3b2
+3085d60635563122919063f97af58b92e352fe93

patch/0094-containerd-Fix-goroutine-leak-in-Exec.patch

@@ -0,0 +1,54 @@
+From 02d2ff546e0727d57bcd14b73aafcc23961b8304 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Tue, 13 Dec 2022 11:22:07 +0800
+Subject: [PATCH] containerd:Fix goroutine leak in Exec
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0 
+Signed-off-by:  mcgowan <derek@mcg.dev>
+---
+ .../pkg/kubelet/server/remotecommand/httpstream.go | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/server/remotecommand/httpstream.go b/vendor/k8s.io/kubernetes/pkg/kubelet/server/remotecommand/httpstream.go
+index 387ad3d..0da6f99 100644
+--- a/vendor/k8s.io/kubernetes/pkg/kubelet/server/remotecommand/httpstream.go
++++ b/vendor/k8s.io/kubernetes/pkg/kubelet/server/remotecommand/httpstream.go
+@@ -116,7 +116,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp
+ 
+ 	if ctx.resizeStream != nil {
+ 		ctx.resizeChan = make(chan remotecommand.TerminalSize)
+-		go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
++		go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
+ 	}
+ 
+ 	return ctx, true
+@@ -410,7 +410,7 @@ WaitForStreams:
+ // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
+ func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }
+ 
+-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
++func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+ 	defer runtime.HandleCrash()
+ 
+ 	decoder := json.NewDecoder(stream)
+@@ -419,7 +419,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
+ 		if err := decoder.Decode(&size); err != nil {
+ 			break
+ 		}
+-		channel <- size
++
++		select {
++		case channel <- size:
++		case <-ctx.Done():
++			// To avoid leaking this routine, exit if the http request finishes. This path
++			// would generally be hit if starting the process fails and nothing is started to
++			// ingest these resize events.
++			return
++		}
+ 	}
+ }
+ 
+-- 
+2.30.0
+

series.conf

@@ -98,4 +98,5 @@ patch/0090-images-validate-document-type-before-unmarshal.patch
 patch/0091-schema1-reject-ambiguous-documents.patch
 patch/0092-containerd-add-CGO-sercurity-build-options.patch
 patch/0093-containerd-fix-version-number-wrong.patch
+patch/0094-containerd-Fix-goroutine-leak-in-Exec.patch
 # end