!18 [sync] PR-17: Fix CVE-2023-25153

From: @openeuler-sync-bot Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w
Fix CVE-2023-25153
2024-03-18 06:20:25 +00:00 · 2024-03-13 16:50:19 +08:00 · 2023-07-13 05:33:10 +00:00 · 2023-07-13 01:56:36 +00:00 · 2023-07-11 12:06:18 +00:00 · 2023-06-06 06:13:09 +00:00
4 changed files with 104 additions and 5 deletions
--- a/0001-Fix-CVE-2023-25153.patch
+++ b/0001-Fix-CVE-2023-25153.patch
@ -0,0 +1,36 @@
+From e1ec32e24f11bb3f003ef876e404777c1041349b Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 13 Mar 2024 15:03:38 +0800
+Subject: [PATCH] Fix CVE-2023-25153
+
+---
+ images/archive/importer.go | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/images/archive/importer.go b/images/archive/importer.go
+index c531049..8ba3206 100644
+--- a/images/archive/importer.go
+++ b/images/archive/importer.go
+@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
+ 	return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
+ }
+ 
+const (
+	kib       = 1024
+	mib       = 1024 * kib
+	jsonLimit = 20 * mib
+)
+
+ func onUntarJSON(r io.Reader, j interface{}) error {
+-	b, err := io.ReadAll(r)
+-	if err != nil {
+-		return err
+-	}
+-	return json.Unmarshal(b, j)
+	return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
+ }
+ 
+ func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
+-- 
+2.20.1
+
--- a/bbolt-add-loong64-support.patch
+++ b/bbolt-add-loong64-support.patch
@ -0,0 +1,28 @@
+From 1dea428808d6a7bbc01c891649bad93adb012eb0 Mon Sep 17 00:00:00 2001
+From: Jingyun Hua <huajingyun@loongson.cn>
+Date: Thu, 1 Jun 2023 06:52:55 +0000
+Subject: [PATCH] bbolt:add loong64 support
+
+---
+ vendor/go.etcd.io/bbolt/bolt_loong64.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+ create mode 100644 vendor/go.etcd.io/bbolt/bolt_loong64.go
+
+diff --git a/vendor/go.etcd.io/bbolt/bolt_loong64.go b/vendor/go.etcd.io/bbolt/bolt_loong64.go
+new file mode 100644
+index 0000000..31c17c1
+--- /dev/null
+++ b/vendor/go.etcd.io/bbolt/bolt_loong64.go
+@@ -0,0 +1,10 @@
+//go:build loong64
+// +build loong64
+
+package bbolt
+
+// maxMapSize represents the largest mmap size supported by Bolt.
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
+
+// maxAllocSize is the size used when creating array pointers.
+const maxAllocSize = 0x7FFFFFFF
+-- 
+2.33.0
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
@ -3,11 +3,16 @@
 %global version_suffix k3s1
 Version:        1.6.6
 Name:           k3s-containerd
-Release:        1
+Release:        7
 Summary:        An industry-standard container runtime
-License:        Apache 2.0
+License:        Apache-2.0
 URL:            https://github.com/k3s-io/containerd
 Source0:        https://github.com/k3s-io/containerd/archive/refs/tags/v%{version}-%{version_suffix}.tar.gz
+#source1 from https://github.com/golang/sys version: v0.4.0
+Source1:        sys.tar.gz
+
+Patch0:         bbolt-add-loong64-support.patch
+Patch0001:      0001-Fix-CVE-2023-25153.patch

 BuildRequires:  golang glibc-static make btrfs-progs-devel

@ -19,7 +24,11 @@ system: image transfer and storage, container execution and supervision,
 low-level storage and network attachments, etc.

 %prep
-%autosetup -n containerd-%{version}-%{version_suffix} 
+%autosetup -n containerd-%{version}-%{version_suffix} -p1
+%ifarch loongarch64
+rm -rf vendor/golang.org/x/sys
+tar -xf %{SOURCE1} -C vendor/golang.org/x/
+%endif

 %build
 mkdir -p k3s-containerd/bin
@ -53,15 +62,41 @@ VERSIONFLAGS="
 TAGS="apparmor seccomp netgo osusergo providerless urfave_cli_no_docs"
 LDFLAGS=" -w -s"
 CGO_ENABLED=1 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS" -o k3s-containerd/bin ./cmd/containerd
-CGO_ENABLED=1 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS" -o k3s-containerd/bin ./cmd/containerd-shim-runc-v2
+CGO_ENABLED=1 go build -buildmode=pie -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS -linkmode=external -extldflags '-Wl,-z,relro -Wl,-z,now'" -o k3s-containerd/bin ./cmd/containerd-shim-runc-v2

 %install
 install -d -p %{buildroot}%{_libexecdir}/containerd/
 cp k3s-containerd/bin/* %{buildroot}%{_libexecdir}/containerd/
+mkdir -p %{buildroot}%{_libexecdir}/containerd/containerd-%{version}
+cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_libexecdir}/containerd/containerd-%{version} 

 %files
-%{_libexecdir}/containerd/*
+%{_libexecdir}/containerd/containerd
+%{_libexecdir}/containerd/containerd-shim-runc-v2
+%{_libexecdir}/containerd/containerd-%{version}/.
+

 %changelog
+* Wed Mar 13 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-25153
+
+* Wed Jul 12 2023 huajingyun <huajingyun@loongson.cn> - 1.6.6-k3s1-6
+- Update sys to v0.4.0
+
+* Tue Jun 06 2023 huajingyun <huajingyun@loongson.cn> - 1.6.6-k3s1-5
+- Add loong64 support
+
+* Fri Mar 03 2023 wangkai <wangkai385@h-partners.com> - 1.6.6-k3s1-4
+- Add PIE,BIND_NOW,RELRO secure compilation options
+
+* Wed Aug 03 2022 liukuo <liukuo@kylinos.cn> - 1.6.6-k3s1-3
+- License compliance rectification
+
+* Tue Aug 02 2022 Ge Wang <wangge20@h-partners.com> - 1.6.6-k3s1-2
+- Add src code to package, which is dependended by k3s
+
 * Fri Jul 22 2022 Ge Wang <wangge20@h-partners.com> - 1.6.6-k3s1-1
 - Init package
--- a/sys.tar.gz
+++ b/sys.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	605996091f	!18 [sync] PR-17: Fix CVE-2023-25153 From: @openeuler-sync-bot Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w	2024-03-18 06:20:25 +00:00
bwzhang	00428ed060	Fix CVE-2023-25153 (cherry picked from commit 4b551d551bfde35da03b591b6a3953e235f21d02)	2024-03-13 16:50:19 +08:00
openeuler-ci-bot	fdffe99b04	!14 Update sys to v0.4.0 From: @huajingyun Reviewed-by: @wangyueliang Signed-off-by: @wangyueliang	2023-07-13 05:33:10 +00:00
Jingyun Hua	d92bc6cd4f	Update sys to v0.4.0	2023-07-13 01:56:36 +00:00
openeuler-ci-bot	a6c7989bd9	!13 add loong64 support From: @huajingyun Reviewed-by: @yangzhao_kl Signed-off-by: @yangzhao_kl	2023-07-11 12:06:18 +00:00
Jingyun Hua	3d5303cb1b	Add loong64 support Signed-off-by: Jingyun Hua <huajingyun@loongson.cn>	2023-06-06 06:13:09 +00:00
openeuler-ci-bot	685b8cebe7	!10 [sync] PR-9: Add PIE,BIND_NOW,RELRO secure compilation options From: @openeuler-sync-bot Reviewed-by: @zhu-yuncheng Signed-off-by: @zhu-yuncheng	2023-03-03 11:11:47 +00:00
wk333	1ac70eb50b	Add PIE,BIND_NOW,RELRO secure compilation options (cherry picked from commit e5cbee4500453efb9393b5c621e276fe06c6a395)	2023-03-03 16:27:59 +08:00
openeuler-ci-bot	4d865d467e	!7 License compliance rectification From: @lauk001 Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w	2022-08-03 08:29:23 +00:00
openeuler-ci-bot	5463144402	!4 Add src code to package ,which is dependented by k3s From: @wang--ge Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w	2022-08-03 07:36:16 +00:00
lauk001	79293efb2f	License compliance rectification	2022-08-03 13:45:36 +08:00
wang--ge	bd1d7ba729	add src code to package, which is dependented by k3s	2022-08-03 11:12:22 +08:00