!32 [sync] PR-30: containerd:Use fs.RootPath when mounting volumes

From: @openeuler-sync-bot Reviewed-by: @duguhaotian Signed-off-by: @duguhaotian
2022-04-27 01:42:37 +00:00 · 2022-04-27 01:42:37 +00:00 · d6e19e9551
commit d6e19e9551
parent 25bd1e565d e12947bfb5
3 changed files with 48 additions and 1 deletions
--- a/containerd.spec
+++ b/containerd.spec
@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        201
+Release:        202
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@ -41,6 +41,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim

 %changelog
+* Tue Apr 26 2022 xiadanni<xiadanni1@huawei.com> - 1.2.0-202
+- Type:bugfix
+- ID:NA 
+- SUG:NA
+- DESC:Use fs.RootPath when mounting volumes for bundle dir to fix CVE-2022-23648
+
 * Fri Nov 5 2021 xiadanni<xiadanni1@huawei.com> - 1.2.0-201
 - Type:bugfix                                          
 - ID:NA                                                   
--- a/patch/0069-containerd-Use-fs.RootPath-when-mounting-vo.patch
+++ b/patch/0069-containerd-Use-fs.RootPath-when-mounting-vo.patch
@ -0,0 +1,40 @@
+From 53c45a7abaea09e60e0175f192742c74d1be60e2 Mon Sep 17 00:00:00 2001
+From: Vanient <xiadanni1@huawei.com>
+Date: Thu, 31 Mar 2022 21:30:15 +0800
+Subject: [PATCH] containerd:Use fs.RootPath when mounting volumes
+
+fix CVE-2022-23648
+upstream:https://github.com/containerd/containerd/commit/3406af86394c2426ce7f55d5f52be2b79f456211
+
+Signed-off-by: Vanient <xiadanni1@huawei.com>
+---
+ .../containerd/cri/pkg/containerd/opts/container.go         | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+index 7647c373c..2ea49b594 100644
+--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+@@ -20,7 +20,6 @@ import (
+ 	"context"
+ 	"io/ioutil"
+ 	"os"
+-	"path/filepath"
+ 
+ 	"github.com/containerd/containerd"
+ 	"github.com/containerd/containerd/containers"
+@@ -88,7 +87,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
+ 		}()
+ 
+ 		for host, volume := range volumeMounts {
+-			src := filepath.Join(root, volume)
+			src, err := fs.RootPath(root, volume)
+			if err != nil {
+				return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
+			}
+ 			if _, err := os.Stat(src); err != nil {
+ 				if os.IsNotExist(err) {
+ 					// Skip copying directory if it does not exist.
+-- 
+2.27.0
+
--- a/series.conf
+++ b/series.conf
@ -70,3 +70,4 @@ patch/0065-containerd-fix-dead-loop.patch
 patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
 patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
 patch/0068-containerd-reduce-permissions-for-bundle-dir-to-fix-.patch
+patch/0069-containerd-Use-fs.RootPath-when-mounting-vo.patch