fix CVE-2024-3154

2024-05-09 17:17:19 +08:00 · 2024-05-09 17:17:19 +08:00 · bb0a4ba28d
commit bb0a4ba28d
parent 0d43346b69
2 changed files with 49 additions and 1 deletions
--- a/patch/0039-runc-fix-CVE-2024-3154.patch
+++ b/patch/0039-runc-fix-CVE-2024-3154.patch
@ -0,0 +1,42 @@
+From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Sat, 9 Mar 2024 21:30:56 +0900
+Subject: [PATCH] features: implement returning
+ potentiallyUnsafeConfigAnnotations list
+
+See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ docs/spec-conformance.md | 1 -
+ features.go              | 5 +++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/docs/spec-conformance.md b/docs/spec-conformance.md
+index 91c12aea8ac..b4f3b9df660 100644
+--- a/docs/spec-conformance.md
+++ b/docs/spec-conformance.md
+@@ -9,7 +9,6 @@ Spec version | Feature                                        | PR
+ -------------|------------------------------------------------|----------------------------------------------------------
+ v1.1.0       | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV`       | [#3862](https://github.com/opencontainers/runc/pull/3862)
+ v1.1.0       | `.process.ioPriority`                          | [#3783](https://github.com/opencontainers/runc/pull/3783)
+-v1.2.0       | Features: `potentiallyUnsafeConfigAnnotations` | TODO
+ 
+ ## Architectures
+ 
+diff --git a/features.go b/features.go
+index 81cd149ac73..eff04c1b2d2 100644
+--- a/features.go
+++ b/features.go
+@@ -64,6 +64,11 @@ var featuresCommand = cli.Command{
+ 					},
+ 				},
+ 			},
+			PotentiallyUnsafeConfigAnnotations: []string{
+				"bundle",
+				"org.systemd.property.", // prefix form
+				"org.criu.config",
+			},
+ 		}
+ 
+ 		if seccomp.Enabled {
--- a/runc.spec
+++ b/runc.spec
@ -3,7 +3,7 @@

 Name: runc
 Version: 1.1.8
-Release: 14
+Release: 15
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Thu May 09 2024 zhaosai<zhaosaisai@kylinos.cn> - 1.1.8-15
+- Type:cves
+- CVE:CVE-2024-3154
+- SUG:NA
+- DESC:fix CVE-2024-3154
+
 * Wed Apr 17 2024 Huang Yang <huangyang@loongson.cn> - 1.1.8-14
 - Type:bugfix
 - CVE:NA