!122 【20.03-LTS-SP4】fix CVE in batches through rebuild

From: @duyiwei7w 
Reviewed-by: @jianli-97 
Signed-off-by: @jianli-97

0002-Fix-the-invalid-memory-address-reference.patch

@@ -0,0 +1,31 @@
+From a9e6a71f9435a50c582993e946be4d53828bb48d Mon Sep 17 00:00:00 2001
+From: maminjie <maminjie1@huawei.com>
+Date: Sat, 13 Mar 2021 16:03:03 +0800
+Subject: [PATCH] Fix the invalid memory address or nil pointer reference
+
+---
+ libpod/stats.go | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libpod/stats.go b/libpod/stats.go
+index c58a461..97a2169 100644
+--- a/libpod/stats.go
++++ b/libpod/stats.go
+@@ -57,9 +57,11 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container
+ 	previousCPU := previousStats.CPUNano
+ 	previousSystem := previousStats.SystemNano
+ 	stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, previousSystem)
+-	stats.MemUsage = cgroupStats.Memory.Usage.Usage
+-	stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit)
+-	stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
++    if cgroupStats.Memory != nil {
++	    stats.MemUsage = cgroupStats.Memory.Usage.Usage
++	    stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit)
++	    stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
++    }
+ 	stats.PIDs = 0
+ 	if conState == ContainerStateRunning {
+ 		stats.PIDs = cgroupStats.Pids.Current
+-- 
+2.23.0
+

0003-eat-signal-23-in-signal-proxy.patch

@@ -0,0 +1,29 @@
+From 7bb9c6b9d1f195391f50047447b8caec404b5c2a Mon Sep 17 00:00:00 2001
+From: maminjie <maminjie1@huawei.com>
+Date: Wed, 31 Mar 2021 11:22:39 +0800
+Subject: [PATCH] eat signal 23 in signal proxy
+
+reference to: https://github.com/containers/podman/pull/5496
+---
+ cmd/podman/sigproxy.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
+index 16861ba..9bb104d 100644
+--- a/cmd/podman/sigproxy.go
++++ b/cmd/podman/sigproxy.go
+@@ -19,7 +19,10 @@ func ProxySignals(ctr *libpod.Container) {
+ 		for s := range sigBuffer {
+ 			// Ignore SIGCHLD and SIGPIPE - these are mostly likely
+ 			// intended for the podman command itself.
+-			if s == signal.SIGCHLD || s == signal.SIGPIPE {
++			// SIGURG was added because of golang 1.14 and its preemptive changes
++			// causing more signals to "show up".
++			// https://github.com/containers/libpod/issues/5483
++			if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
+ 				continue
+ 			}
+ 
+-- 
+2.23.0
+

podman.spec

@@ -1,16 +1,18 @@
 Name:          podman
 Version:       0.10.1
-Release:       5
+Release:       10
 Summary:       A daemonless container engine for managing Containers
 Epoch:         1
 License:       ASL 2.0
 URL:           https://podman.io/
 Source0:       https://github.com/containers/libpod/archive/e4a155328fb88590fafd3d4e845f9bca49133f62/libpod-e4a1553.tar.gz
-BuildRequires: compiler(go-compiler) btrfs-progs-devel glib2-devel glibc-devel glibc-static
-BuildRequires: git go-md2man gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel
+Source1:       https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+BuildRequires: golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
+BuildRequires: git gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel
 BuildRequires: libselinux-devel ostree-devel pkgconfig make
 Requires:      docker-runc containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon
-Recommends:    container-selinux >= 2:2.71 slirp4netns
+Requires:      (container-selinux if selinux-policy)
+Recommends:    slirp4netns
 
 Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
 Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
@@ -113,6 +115,8 @@ Patch2:   CVE-2021-20188-PRE1.patch
 Patch3:   CVE-2021-20188-PRE2.patch
 Patch4:   CVE-2021-20188-PRE3.patch
 Patch5:   CVE-2021-20188.patch
+Patch6:   0002-Fix-the-invalid-memory-address-reference.patch
+Patch7:   0003-eat-signal-23-in-signal-proxy.patch
 
 %description
 Podman manages the entire container ecosystem which includes pods,
@@ -158,9 +162,14 @@ sed -i '/\/bin\/env/d' completions/bash/%{name}
 sed -i 's/0.0.0/%{version}/' contrib/python/%{name}/setup.py
 sed -i 's/0.0.0/%{version}/' contrib/python/py%{name}/setup.py
 mv pkg/hooks/README.md pkg/hooks/README-hooks.md
+tar -xf %SOURCE1
 
 %build
-mkdir _build
+mkdir -p _build/bin _output/bin
+cd go-md2man-*
+go build -mod=vendor -o ../_build/bin/go-md2man .
+cp ../_build/bin/go-md2man ../_output/bin/go-md2man
+cd -
 cd _build
 mkdir -p src/github.com/containers
 ln -s ../../../../ src/github.com/containers/libpod
@@ -215,6 +224,25 @@ install -Dp -m644 libpod.conf %{buildroot}%{_datadir}/containers/libpod.conf
 %{_mandir}/man5/*.5*
 
 %changelog
+* Thu Jan 09 2025 duyiwei <duyiwei@kylinos.cn> - 1:0.10.1-10
+- Type:bugfix
+- CVE:CVE-2024-9355、CVE-2019-9514、CVE-2024-24791、CVE-2022-32189、CVE-2022-41715、CVE-2022-2880、CVE-2022-1962、CVE-2023-45290、CVE-2024-24783、CVE-2024-24785
+- SUG:NA
+- DESC:  fix CVE in batches through rebuild
+
+* Wed Dec  4 2024 Jianmin <jianmin@iscas.ac.cn> - 1:0.10.1-9
+- Rebuild on Golang 1.15.7-48 to fix CVE-2023-24538
+
+* Thu May  6 2021 lingsheng <lingsheng@huawei.com> - 1:0.10.1-8
+- Change BuildRequires to golang
+
+* Wed Mar 31 2021 maminjie <maminjie1@huawei.com> - 1:0.10.1-7
+- Eat signal 23 in signal proxy
+- Require container-selinux only when selinux-policy is installed
+
+* Sat Mar 13 2021 maminjie <maminjie1@huawei.com> - 1:0.10.1-6
+- Fix the invalid memory address reference
+
 * Thu Mar 4 2021 wangxiao <wangxiao65@huawei.com> - 1:0.10.1-5
 - Fix CVE-2021-20188