Fix CVE-2023-25153

(cherry picked from commit 4b551d551bfde35da03b591b6a3953e235f21d02)
bwzhang 2024-03-13 15:37:48 +08:00 committed by openeuler-sync-bot
parent fdffe99b04
commit 00428ed060
2 changed files with 45 additions and 1 deletions


@ -0,0 +1,36 @@
From e1ec32e24f11bb3f003ef876e404777c1041349b Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Wed, 13 Mar 2024 15:03:38 +0800
Subject: [PATCH] Fix CVE-2023-25153
---
images/archive/importer.go | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/images/archive/importer.go b/images/archive/importer.go
index c531049..8ba3206 100644
--- a/images/archive/importer.go
+++ b/images/archive/importer.go
@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
}
+const (
+ kib = 1024
+ mib = 1024 * kib
+ jsonLimit = 20 * mib
+)
+
func onUntarJSON(r io.Reader, j interface{}) error {
- b, err := io.ReadAll(r)
- if err != nil {
- return err
- }
- return json.Unmarshal(b, j)
+ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
}
func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
--
2.20.1
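Review bot: In the patched `onUntarJSON`, `json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)` changes two behaviours besides bounding memory. `Decode` stops after the first JSON value, so trailing bytes that `json.Unmarshal` used to reject are now accepted without error. An entry longer than `jsonLimit` is silently truncated and, at best, surfaces as an unexpected-EOF parse error instead of a clear size error. If the intent is to stay byte-identical to the upstream fix, keep the code and add a comment on `jsonLimit` stating what it bounds and that oversized entries fail as truncated JSON. Otherwise, read one byte past the limit and reject explicitly, as sketched below, using whichever error constructor the file already imports.
```go
func onUntarJSON(r io.Reader, j interface{}) error {
	// Read one byte past the cap so an oversized entry is detected, not truncated.
	b, err := io.ReadAll(io.LimitReader(r, jsonLimit+1))
	if err != nil {
		return err
	}
	if len(b) > jsonLimit {
		return fmt.Errorf("json entry exceeds %d bytes", jsonLimit)
	}
	// Unmarshal keeps the original strictness: trailing data is an error.
	return json.Unmarshal(b, j)
}
```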


@ -3,14 +3,16 @@
%global version_suffix k3s1
Version: 1.6.6
Name: k3s-containerd
Release: 6
Release: 7
Summary: An industry-standard container runtime
License: Apache-2.0
URL: https://github.com/k3s-io/containerd
Source0: https://github.com/k3s-io/containerd/archive/refs/tags/v%{version}-%{version_suffix}.tar.gz
#source1 from https://github.com/golang/sys version: v0.4.0
Source1: sys.tar.gz
Patch0: bbolt-add-loong64-support.patch
Patch0001: 0001-Fix-CVE-2023-25153.patch
BuildRequires: golang glibc-static make btrfs-progs-devel
@ -75,6 +77,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib
%changelog
* Wed Mar 13 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2023-25153
* Wed Jul 12 2023 huajingyun <huajingyun@loongson.cn> - 1.6.6-k3s1-6
- Update sys to v0.4.0
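Review bot: The new changelog entry for 1.6.6-k3s1-7 records `- CVE:NA` although its `DESC` line says it fixes CVE-2023-25153; the field should read `- CVE:CVE-2023-25153` so that anyone auditing the changelog can match the release to the fix. Separately, the visible lines only declare `Patch0001: 0001-Fix-CVE-2023-25153.patch`, and the `%prep` section is outside this view. Confirm that `%prep` applies the new patch (for example through `%autosetup -p1` or an explicit `%patch` line for it) and that it applies at the right strip level for `images/archive/importer.go`. Otherwise the release number is bumped while the built binary still lacks the fix.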