7 changed files with 18 additions and 469 deletions
--- a/0001-fix-CVE-2024-24786.patch
+++ b/0001-fix-CVE-2024-24786.patch
@ -1,59 +0,0 @@
 From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
 From: bwzhang <zhangbowei@kylinos.cn>
 Date: Mon, 25 Mar 2024 10:47:11 +0800
 Subject: [PATCH] fix CVE-2024-24786
 encoding/protojson, internal/encoding/json: handle missing object values
 In internal/encoding/json, report an error when encountering a }
 when we are expecting an object field value. For example, the input
 now correctly results in an error at the closing } token.
 In encoding/protojson, check for an unexpected EOF token in
 skipJSONValue. This is redundant with the check in internal/encoding/json,
 but adds a bit more defense against any other similar bugs that
 might exist.
 Fixes CVE-2024-24786
 Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
 Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
 TryBot-Bypass: Damien Neil <dneil@google.com>
 Reviewed-by: Roland Shoemaker <roland@golang.org>
 Commit-Queue: Damien Neil <dneil@google.com>
 ---
 .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
 .../protobuf/internal/encoding/json/decode.go                 | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
 index 72924a9..d3825ba 100644
 --- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
 +++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
 				if err := d.skipJSONValue(); err != nil {
 					return err
 				}
 +			case json.EOF:
 +				// This can only happen if there's a bug in Decoder.Read.
 +				// Avoid an infinite loop if this does happen.
 +				return errors.New("unexpected EOF")
 			}
 		}
 diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
 index b13fd29..b2be4e8 100644
 --- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
 +++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
 	case ObjectClose:
 		if len(d.openStack) == 0 ||
 -			d.lastToken.kind == comma ||
 +			d.lastToken.kind&(Name|comma) != 0 ||
 			d.openStack[len(d.openStack)-1] != ObjectOpen {
 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
 		}
 -- 
 2.20.1
--- a/0002-fix-CVE-2023-48795.patch
+++ b/0002-fix-CVE-2023-48795.patch
@ -1,271 +0,0 @@
 From e5fb0cbe2c404b584a0631ebb94ca0d82574132f Mon Sep 17 00:00:00 2001
 From: bwzhang <zhangbowei@kylinos.cn>
 Date: Tue, 26 Mar 2024 11:09:13 +0800
 Subject: [PATCH] fix CVE-2023-48795
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 ssh: implement strict KEX protocol changes
 Implement the "strict KEX" protocol changes, as described in section
 1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).
 Namely this makes the following changes:
  * Both the server and the client add an additional algorithm to the
    initial KEXINIT message, indicating support for the strict KEX mode.
  * When one side of the connection sees the strict KEX extension
    algorithm, the strict KEX mode is enabled for messages originating
    from the other side of the connection. If the sequence number for
    the side which requested the extension is not 1 (indicating that it
    has already received non-KEXINIT packets), the connection is
    terminated.
  * When strict kex mode is enabled, unexpected messages during the
    handshake are considered fatal. Additionally when a key change
    occurs (on the receipt of the NEWKEYS message) the message sequence
    numbers are reset.
 Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr
 University Bochum for reporting this issue.
 Fixes CVE-2023-48795
 Fixes golang/go#64784
 Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
 Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
 Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
 TryBot-Result: Gopher Robot <gobot@golang.org>
 Run-TryBot: Roland Shoemaker <roland@golang.org>
 Reviewed-by: Damien Neil <dneil@google.com>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 ---
 vendor/golang.org/x/crypto/ssh/handshake.go | 56 +++++++++++++++++++--
 vendor/golang.org/x/crypto/ssh/transport.go | 32 ++++++++++--
 2 files changed, 79 insertions(+), 9 deletions(-)
 diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
 index 49bbba7..bb2099c 100644
 --- a/vendor/golang.org/x/crypto/ssh/handshake.go
 +++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -35,6 +35,16 @@ type keyingTransport interface {
 	// direction will be effected if a msgNewKeys message is sent
 	// or received.
 	prepareKeyChange(*algorithms, *kexResult) error
 +
 +	// setStrictMode sets the strict KEX mode, notably triggering
 +	// sequence number resets on sending or receiving msgNewKeys.
 +	// If the sequence number is already > 1 when setStrictMode
 +	// is called, an error is returned.
 +	setStrictMode() error
 +
 +	// setInitialKEXDone indicates to the transport that the initial key exchange
 +	// was completed
 +	setInitialKEXDone()
 }
 // handshakeTransport implements rekeying on top of a keyingTransport
@@ -100,6 +110,10 @@ type handshakeTransport struct {
 	// The session ID or nil if first kex did not complete yet.
 	sessionID []byte
 +
 +	// strictMode indicates if the other side of the handshake indicated
 +	// that we should be following the strict KEX protocol restrictions.
 +	strictMode bool
 }
 type pendingKex struct {
@@ -209,7 +223,10 @@ func (t *handshakeTransport) readLoop() {
 			close(t.incoming)
 			break
 		}
 -		if p[0] == msgIgnore || p[0] == msgDebug {
 +		// If this is the first kex, and strict KEX mode is enabled,
 +		// we don't ignore any messages, as they may be used to manipulate
 +		// the packet sequence numbers.
 +		if !(t.sessionID == nil && t.strictMode) && (p[0] == msgIgnore || p[0] == msgDebug){
 			continue
 		}
 		t.incoming <- p
@@ -441,6 +458,11 @@ func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
 	return successPacket, nil
 }
 +const (
 +	kexStrictClient = "kex-strict-c-v00@openssh.com"
 +	kexStrictServer = "kex-strict-s-v00@openssh.com"
 +)
 +
 // sendKexInit sends a key change message.
 func (t *handshakeTransport) sendKexInit() error {
 	t.mu.Lock()
@@ -454,7 +476,6 @@ func (t *handshakeTransport) sendKexInit() error {
 	}
 	msg := &kexInitMsg{
 -		KexAlgos:                t.config.KeyExchanges,
 		CiphersClientServer:     t.config.Ciphers,
 		CiphersServerClient:     t.config.Ciphers,
 		MACsClientServer:        t.config.MACs,
@@ -464,6 +485,13 @@ func (t *handshakeTransport) sendKexInit() error {
 	}
 	io.ReadFull(rand.Reader, msg.Cookie[:])
 +	// We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm,
 +	// and possibly to add the ext-info extension algorithm. Since the slice may be the
 +	// user owned KeyExchanges, we create our own slice in order to avoid using user
 +	// owned memory by mistake.
 +	msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+2) // room for kex-strict and ext-info
 +	msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
 +
 	isServer := len(t.hostKeys) > 0
 	if isServer {
 		for _, k := range t.hostKeys {
@@ -488,17 +516,24 @@ func (t *handshakeTransport) sendKexInit() error {
 				msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat)
 			}
 		}
 +
 +		if t.sessionID == nil {
 +			msg.KexAlgos = append(msg.KexAlgos, kexStrictServer)
 +		}
 	} else {
 		msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
 		// As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what
 		// algorithms the server supports for public key authentication. See RFC
 		// 8308, Section 2.1.
 +		//
 +		// We also send the strict KEX mode extension algorithm, in order to opt
 +		// into the strict KEX mode.
 		if firstKeyExchange := t.sessionID == nil; firstKeyExchange {
 -			msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+1)
 -			msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
 			msg.KexAlgos = append(msg.KexAlgos, "ext-info-c")
 +			msg.KexAlgos = append(msg.KexAlgos, kexStrictClient)
 		}
 +
 	}
 	packet := Marshal(msg)
@@ -604,6 +639,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		return err
 	}
 +	if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
 +		t.strictMode = true
 +		if err := t.conn.setStrictMode(); err != nil {
 +			return err
 +		}
 +	}
 +
 	// We don't send FirstKexFollows, but we handle receiving it.
 	//
 	// RFC 4253 section 7 defines the kex and the agreement method for
@@ -679,6 +721,12 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		return unexpectedMessageError(msgNewKeys, packet[0])
 	}
 +	if firstKeyExchange {
 +		// Indicates to the transport that the first key exchange is completed
 +		// after receiving SSH_MSG_NEWKEYS.
 +		t.conn.setInitialKEXDone()
 +	}
 +
 	return nil
 }
 diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
 index da01580..0424d2d 100644
 --- a/vendor/golang.org/x/crypto/ssh/transport.go
 +++ b/vendor/golang.org/x/crypto/ssh/transport.go
@@ -49,6 +49,9 @@ type transport struct {
 	rand      io.Reader
 	isClient  bool
 	io.Closer
 +
 +	strictMode     bool
 +	initialKEXDone bool
 }
 // packetCipher represents a combination of SSH encryption/MAC
@@ -74,6 +77,18 @@ type connectionState struct {
 	pendingKeyChange chan packetCipher
 }
 +func (t *transport) setStrictMode() error {
 +	if t.reader.seqNum != 1 {
 +		return errors.New("ssh: sequence number != 1 when strict KEX mode requested")
 +	}
 +	t.strictMode = true
 +	return nil
 +}
 +
 +func (t *transport) setInitialKEXDone() {
 +	t.initialKEXDone = true
 +}
 +
 // prepareKeyChange sets up key material for a keychange. The key changes in
 // both directions are triggered by reading and writing a msgNewKey packet
 // respectively.
@@ -112,11 +127,12 @@ func (t *transport) printPacket(p []byte, write bool) {
 // Read and decrypt next packet.
 func (t *transport) readPacket() (p []byte, err error) {
 	for {
 -		p, err = t.reader.readPacket(t.bufReader)
 +		p, err = t.reader.readPacket(t.bufReader, t.strictMode)
 		if err != nil {
 			break
 		}
 -		if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
 +		// in strict mode we pass through DEBUG and IGNORE packets only during the initial KEX
 +		if len(p) == 0 || (t.strictMode && !t.initialKEXDone) || (p[0] != msgIgnore && p[0] != msgDebug) {
 			break
 		}
 	}
@@ -127,7 +143,7 @@ func (t *transport) readPacket() (p []byte, err error) {
 	return p, err
 }
 -func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
 +func (s *connectionState) readPacket(r *bufio.Reader, strictMode bool) ([]byte, error) {
 	packet, err := s.packetCipher.readCipherPacket(s.seqNum, r)
 	s.seqNum++
 	if err == nil && len(packet) == 0 {
@@ -140,6 +156,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
 			select {
 			case cipher := <-s.pendingKeyChange:
 				s.packetCipher = cipher
 +				if strictMode {
 +					s.seqNum = 0
 +				}
 			default:
 				return nil, errors.New("ssh: got bogus newkeys message")
 			}
@@ -170,10 +189,10 @@ func (t *transport) writePacket(packet []byte) error {
 	if debugTransport {
 		t.printPacket(packet, true)
 	}
 -	return t.writer.writePacket(t.bufWriter, t.rand, packet)
 +	return t.writer.writePacket(t.bufWriter, t.rand, packet, t.strictMode)
 }
 -func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
 +func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte, strictMode bool) error {
 	changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
 	err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet)
@@ -188,6 +207,9 @@ func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []
 		select {
 		case cipher := <-s.pendingKeyChange:
 			s.packetCipher = cipher
 +			if strictMode {
 +				s.seqNum = 0
 +			}
 		default:
 			panic("ssh: no key material for msgNewKeys")
 		}
 -- 
 2.20.1
--- a/0003-fix-CVE-2024-28180.patch
+++ b/0003-fix-CVE-2024-28180.patch
@ -1,89 +0,0 @@
 From d1aef6461e6fff7afce01fa6aa832914cb0f26a8 Mon Sep 17 00:00:00 2001
 From: bwzhang <zhangbowei@kylinos.cn>
 Date: Thu, 28 Mar 2024 16:30:28 +0800
 Subject: [PATCH] fix CVE-2024-28180
 ---
 .../github.com/go-jose/go-jose/v3/crypter.go  |  6 ++++++
 .../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)
 diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v3/crypter.go
 index 6901137..34d4e1f 100644
 --- a/vendor/github.com/go-jose/go-jose/v3/crypter.go
 +++ b/vendor/github.com/go-jose/go-jose/v3/crypter.go
@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
 // Decrypt and validate the object and return the plaintext. Note that this
 // function does not support multi-recipient, if you desire multi-recipient
 // decryption use DecryptMulti instead.
 +//
 +// Automatically decompresses plaintext, but returns an error if the decompressed
 +// data would be >250kB or >10x the size of the compressed data, whichever is larger.
 func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
 	headers := obj.mergedHeaders(nil)
@@ -471,6 +474,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
 // with support for multiple recipients. It returns the index of the recipient
 // for which the decryption was successful, the merged headers for that recipient,
 // and the plaintext.
 +//
 +// Automatically decompresses plaintext, but returns an error if the decompressed
 +// data would be >250kB or >3x the size of the compressed data, whichever is larger.
 func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
 	globalHeaders := obj.mergedHeaders(nil)
 diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
 index 968a424..c378031 100644
 --- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
 +++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
@@ -21,6 +21,7 @@ import (
 	"compress/flate"
 	"encoding/base64"
 	"encoding/binary"
 +	"fmt"
 	"io"
 	"math/big"
 	"strings"
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
 	}
 }
 -// Compress with DEFLATE
 +// deflate compresses the input.
 func deflate(input []byte) ([]byte, error) {
 	output := new(bytes.Buffer)
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
 	return output.Bytes(), err
 }
 -// Decompress with DEFLATE
 +// inflate decompresses the input.
 +//
 +// Errors if the decompressed data would be >250kB or >10x the size of the
 +// compressed data, whichever is larger
 func inflate(input []byte) ([]byte, error) {
 	output := new(bytes.Buffer)
 	reader := flate.NewReader(bytes.NewBuffer(input))
 -	_, err := io.Copy(output, reader)
 -	if err != nil {
 +	maxCompressedSize := 10 * int64(len(input))
 +	if maxCompressedSize < 250000 {
 +		maxCompressedSize = 250000
 +	}
 +
 +	limit := maxCompressedSize + 1
 +	n, err := io.CopyN(output, reader, limit)
 +	if err != nil && err != io.EOF {
 		return nil, err
 	}
 +	if n == limit {
 +		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
 +	}
 	err = reader.Close()
 	return output.Bytes(), err
 -- 
 2.20.1
--- a/cri-o-1.23.2.tar.gz
+++ b/cri-o-1.23.2.tar.gz
--- a/cri-o.spec
+++ b/cri-o.spec
@ -2,9 +2,9 @@
 %define gobuild(o:) %{expand:
  %global _dwz_low_mem_die_limit 0
  %ifnarch ppc64
-  go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${BASE_LDFLAGS:-}%{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}' -compressdwarf=false" -a -v -x %{?**};
+  go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-}%{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro  -Wl,-z,now' -compressdwarf=false" -a -v -x %{?**}; 
  %else
-  go build                -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${BASE_LDFLAGS:-}%{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}' -compressdwarf=false" -a -v -x %{?**};
+  go build                -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-}%{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro  -Wl,-z,now' -compressdwarf=false" -a -v -x %{?**};
  %endif
 }
 %bcond_with check
@ -16,28 +16,22 @@
 %global built_tag_strip %(b=%{built_tag}; echo ${b:1})
 %global crio_release_tag %(echo %{built_tag_strip} | cut -f1,2 -d'.')
 %global service_name crio
-%global commit0 d317b5dc918bbfbc78481072a0d93e572aa8d0e8
+%global commit0 63ca93845d5fe05cdca826367afcb601ece8d7ad
 Name:           cri-o
-Version:        1.29.2
+Version:        1.23.2
 Epoch:          0
-Release:        5
+Release:        1
 Summary:        Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License:        ASL 2.0
 URL:            https://github.com/cri-o/cri-o
-Source0:        https://github.com/cri-o/cri-o/archive/refs/tags/v%{version}.tar.gz
+Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
-Source1:        https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
+Source1:         https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
-
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
-Patch0001:      0001-fix-CVE-2024-24786.patch
+BuildRequires:  golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
-Patch0002:      0002-fix-CVE-2023-48795.patch
+BuildRequires:  gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make 
-Patch0003:      0003-fix-CVE-2024-28180.patch
+Requires:       container-selinux, containers-common >= 1:0.1.31-14, docker-runc >= 1.0.0-16  
-
+Requires:       containernetworking-plugins >= 0.7.5-1, conmon >= 2.0.2-1, socat       
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} riscv64}
 BuildRequires:  btrfs-progs-devel device-mapper-devel go-srpm-macros
 BuildRequires:  golang >= 1.21, git-core, glib2-devel, glibc-static, openEuler-rpm-config
 BuildRequires:  gpgme-devel, libassuan-devel, libseccomp-devel, systemd-devel, make
 Requires:       container-selinux, containers-common >= 1:0.1.31-14, runc >= 1.0.0-16
 Requires:       containernetworking-plugins >= 1.0.0-1, conmon >= 2.0.2-1, socat
 Obsoletes:      ocid <= 0.3
 Provides:       ocid = %{epoch}:%{version}-%{release}
 Provides:       %{service_name} = %{epoch}:%{version}-%{release}
@ -75,7 +69,7 @@ $(hack/libdm_no_deferred_remove_tag.sh)
 $(hack/seccomp_tag.sh)
 $(hack/selinux_tag.sh)"
-export BASE_LDFLAGS="-X %{goipath}/internal/pkg/criocli.DefaultsPath=%{criocli_path}
+export LDFLAGS="-X %{goipath}/internal/pkg/criocli.DefaultsPath=%{criocli_path}
 -X  %{goipath}/internal/version.buildDate=%{build_timestamp}
 -X  %{goipath}/internal/version.gitCommit=%{commit0}
 -X  %{goipath}/internal/version.version=%{version}
@ -105,8 +99,8 @@ install -p -m 755 bin/%{service_name} %{buildroot}%{_bindir}
 # install conf files
 install -dp %{buildroot}%{_sysconfdir}/cni/net.d
-install -p -m 644 contrib/cni/10-crio-bridge.conflist %{buildroot}%{_sysconfdir}/cni/net.d/100-crio-bridge.conflist
+install -p -m 644 contrib/cni/10-crio-bridge.conf %{buildroot}%{_sysconfdir}/cni/net.d/100-crio-bridge.conf
-install -p -m 644 contrib/cni/99-loopback.conflist %{buildroot}%{_sysconfdir}/cni/net.d/200-loopback.conflist
+install -p -m 644 contrib/cni/99-loopback.conf %{buildroot}%{_sysconfdir}/cni/net.d/200-loopback.conf
 install -dp %{buildroot}%{_sysconfdir}/%{service_name}
 install -dp %{buildroot}%{_datadir}/containers/oci/hooks.d
@ -138,13 +132,14 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %doc docs code-of-conduct.md tutorial.md ADOPTERS.md CONTRIBUTING.md README.md
 %doc awesome.md transfer.md
 %{_bindir}/%{service_name}
 %{_bindir}/%{service_name}-status
 %{_bindir}/pinns
 %{_mandir}/man5/%{service_name}.conf*5*
 %{_mandir}/man8/%{service_name}*.8*
 %dir %{_sysconfdir}/%{service_name}
 %config(noreplace) %{_sysconfdir}/%{service_name}/%{service_name}.conf
-%config(noreplace) %{_sysconfdir}/cni/net.d/100-%{service_name}-bridge.conflist
+%config(noreplace) %{_sysconfdir}/cni/net.d/100-%{service_name}-bridge.conf
-%config(noreplace) %{_sysconfdir}/cni/net.d/200-loopback.conflist
+%config(noreplace) %{_sysconfdir}/cni/net.d/200-loopback.conf
 %config(noreplace) %{_sysconfdir}/crictl.yaml
 %dir %{_libexecdir}/%{service_name}
 %{_unitdir}/%{service_name}.service
@ -161,33 +156,6 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
 * Fri May 24 2024 Jingwiw <wangjingwei@iscas.ac.cn> - 0:1.29.2-5
 - Type:enhancement
 - CVE:NA
 - SUG:NA
 - DESC: enable riscv64
 * Tue Apr 2 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.29.2-4
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: CVE-2024-28180
 * Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.29.2-3
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2023-48795
 * Fri Mar 29 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.29.2-2
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2024-24786
 * Wed Feb 28 2024 chendexi <chendexi@kylinos.cn> - 0:1.29.2-1
 - Update cri-o to 1.29.2
 * Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 0:1.23.2-1
 - Update cri-o to 1.23.2
--- a/v1.0.10.tar.gz
+++ b/v1.0.10.tar.gz
--- a/v2.0.3.tar.gz
+++ b/v2.0.3.tar.gz