[AUTO-CHERRYPICK] Patch cri-o for CVE-2023-6476 & CVE-2023-0778 [MEDIUM] - branch main (#12412)

CBL-Mariner-Bot · Sumynwa · web-flow · commit 220b01cf63a4 · 2025-02-25T11:33:52.000-05:00
Co-authored-by: Sumedh Alok Sharma &lt;sumsharma@microsoft.com&gt;
diff --git a/SPECS/cri-o/CVE-2023-0778.patch b/SPECS/cri-o/CVE-2023-0778.patch
@@ -0,0 +1,54 @@
+Modified Patch to apply only for container export. The utils.go file
+does not have the volume export code in the vendored podman version.
+Modified by: Sumedh Sharma <sumsharma@microsoft.com>
+
+From 6ca857feb07a5fdc96fd947afef03916291673d8 Mon Sep 17 00:00:00 2001
+From: Aditya R <arajan@redhat.com>
+Date: Fri, 10 Feb 2023 15:16:27 +0530
+Subject: [PATCH] volume,container: chroot to source before exporting content
+
+* Utils must support higher level API to create Tar with chrooted into
+  directory
+* Volume export: use TarwithChroot instead of Tar so we can make sure no
+  symlink can be exported by tar if it exists outside of the source
+directory.
+* container export: use chroot and Tar instead of Tar so we can make sure no
+  symlink can be exported by tar if it exists outside of the mointPoint.
+
+[NO NEW TESTS NEEDED]
+[NO TESTS NEEDED]
+Race needs combination of external/in-container mechanism which is hard to repro in CI.
+
+Closes: BZ:#2168256
+CVE: https://access.redhat.com/security/cve/CVE-2023-0778
+
+Signed-off-by: Aditya R <arajan@redhat.com>
+---
+ .../containers/podman/v3/libpod/container_internal.go         | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/containers/podman/v3/libpod/container_internal.go b/vendor/github.com/containers/podman/v3/libpod/container_internal.go
+index 8ffcccf..42cb682 100644
+--- a/vendor/github.com/containers/podman/v3/libpod/container_internal.go
++++ b/vendor/github.com/containers/podman/v3/libpod/container_internal.go
+@@ -26,7 +26,7 @@ import (
+ 	"github.com/containers/podman/v3/pkg/selinux"
+ 	"github.com/containers/podman/v3/pkg/util"
+ 	"github.com/containers/storage"
+-	"github.com/containers/storage/pkg/archive"
++	"github.com/containers/storage/pkg/chrootarchive"
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/mount"
+ 	"github.com/coreos/go-systemd/v22/daemon"
+@@ -757,7 +757,7 @@ func (c *Container) export(path string) error {
+ 		}()
+ 	}
+ 
+-	input, err := archive.Tar(mountPoint, archive.Uncompressed)
++	input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
+ 	if err != nil {
+ 		return errors.Wrapf(err, "error reading container directory %q", c.ID())
+ 	}
+-- 
+2.25.1
+
diff --git a/SPECS/cri-o/CVE-2023-6476.patch b/SPECS/cri-o/CVE-2023-6476.patch
@@ -0,0 +1,32 @@
+From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
+From: Peter Hunt <pehunt@redhat.com>
+Date: Thu, 7 Dec 2023 16:07:12 -0500
+Subject: [PATCH] allowed annotations: correctly filter prefixed annotations
+
+without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names.
+The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
+change the resources of the pod, potentially leading to OOM.
+
+Fixes CVE-2023-6476
+
+Signed-off-by: Peter Hunt <pehunt@redhat.com>
+---
+ internal/oci/oci.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/internal/oci/oci.go b/internal/oci/oci.go
+index 89ecfb2..b56b6d9 100644
+--- a/internal/oci/oci.go
++++ b/internal/oci/oci.go
+@@ -216,7 +216,7 @@ func (r *Runtime) FilterDisallowedAnnotations(handler string, annotations map[st
+ 	for ann := range annotations {
+ 		for _, disallowed := range rh.DisallowedAnnotations {
+ 			if strings.HasPrefix(ann, disallowed) {
+-				delete(annotations, disallowed)
++				delete(annotations, ann)
+ 			}
+ 		}
+ 	}
+-- 
+2.25.1
+
diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary:        OCI-based implementation of Kubernetes Container Runtime Interfa
 # Define macros for further referenced sources
 Name:           cri-o
 Version:        1.22.3
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -71,6 +71,8 @@ Patch15:        CVE-2022-32149.patch
 Patch16:        CVE-2022-4318.patch
 Patch17:        CVE-2024-9341.patch
 Patch18:        CVE-2024-45338.patch
+Patch19:        CVE-2023-0778.patch
+Patch20:        CVE-2023-6476.patch
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -223,6 +225,9 @@ mkdir -p /opt/cni/bin
 %{_fillupdir}/sysconfig.kubelet
 
 %changelog
+* Thu Jan 23 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.22.3-10
+- Add patch for CVE-2023-0778 & CVE-2023-6476.
+
 * Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.22.3-9
 - Apply patch after extracting the vendor sources.
 - Fix patches with compilation errors.
