Patch cri-o for CVE-2024-9676 (#13470)

SeanDougherty · web-flow · commit 7d3bbd5a123b · 2025-04-21T22:54:55.000-07:00
Fixes CVE-2024-9676 in a vendored dependency of cri-o
diff --git a/SPECS/cri-o/CVE-2024-9676.patch b/SPECS/cri-o/CVE-2024-9676.patch
@@ -0,0 +1,187 @@
+From 8e5231ee0aef99899c13157c3c4ed4cb30ad4694 Mon Sep 17 00:00:00 2001
+From: Sean Dougherty <sdougherty@microsoft.com>
+Date: Thu, 17 Apr 2025 21:38:26 +0000
+Subject: [PATCH] Backport CVE-2024-9676 fix from
+ https://github.com/containers/storage/pull/2146 by Matt Heon
+ <mheon@redhat.com>
+
+---
+ .../github.com/containers/storage/.cirrus.yml |  2 +-
+ .../github.com/containers/storage/userns.go   | 92 +++++++++++++------
+ .../containers/storage/userns_unsupported.go  | 14 +++
+ 3 files changed, 81 insertions(+), 27 deletions(-)
+ create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
+
+diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
+index 20bede4..7f20643 100644
+--- a/vendor/github.com/containers/storage/.cirrus.yml
++++ b/vendor/github.com/containers/storage/.cirrus.yml
+@@ -128,7 +128,7 @@ lint_task:
+     env:
+         CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
+     container:
+-        image: golang:1.15
++        image: golang:1.19
+     modules_cache:
+         fingerprint_script: cat go.sum
+         folder: $GOPATH/pkg/mod
+diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
+index 3ada41f..2a6298e 100644
+--- a/vendor/github.com/containers/storage/userns.go
++++ b/vendor/github.com/containers/storage/userns.go
+@@ -1,18 +1,20 @@
++//go:build linux
+ package storage
+ 
+ import (
+ 	"os"
+ 	"os/user"
+-	"path/filepath"
+ 	"strconv"
+ 
+ 	drivers "github.com/containers/storage/drivers"
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/unshare"
+ 	"github.com/containers/storage/types"
++	securejoin "github.com/cyphar/filepath-securejoin"
+ 	libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
++	"golang.org/x/sys/unix"
+ )
+ 
+ // getAdditionalSubIDs looks up the additional IDs configured for
+@@ -78,43 +80,65 @@ func (s *store) getAvailableIDs() (*idSet, *idSet, error) {
+ 	return u, g, nil
+ }
+ 
++const nobodyUser = 65534
++
+ // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+ // /etc/group files.
+ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
++	var (
++		passwd *os.File
++		group  *os.File
++		size   int
++		err    error
++	)
+ 	if passwdFile == "" {
+-		passwdFile = filepath.Join(containerMount, "etc/passwd")
+-	}
+-	if groupFile == "" {
+-		groupFile = filepath.Join(groupFile, "etc/group")
++		passwd, err = secureOpen(containerMount, "/etc/passwd")
++	} else {
++		// User-specified override from a volume. Will not be in
++		// container root.
++		passwd, err = os.Open(passwdFile)
+ 	}
+ 
+-	size := 0
+-
+-	users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+ 	if err == nil {
+-		for _, u := range users {
+-			// Skip the "nobody" user otherwise we end up with 65536
+-			// ids with most images
+-			if u.Name == "nobody" {
+-				continue
+-			}
+-			if u.Uid > size {
+-				size = u.Uid
+-			}
+-			if u.Gid > size {
+-				size = u.Gid
++		defer passwd.Close()
++
++		users, err := libcontainerUser.ParsePasswd(passwd)
++		if err == nil {
++			for _, u := range users {
++				// Skip the "nobody" user otherwise we end up with 65536
++				// ids with most images
++				if u.Name == "nobody" || u.Name == "nogroup" {
++					continue
++				}
++				if u.Uid > size && u.Uid != nobodyUser {
++					size = u.Uid + 1
++				}
++				if u.Gid > size && u.Gid != nobodyUser {
++					size = u.Gid + 1
++				}
+ 			}
+ 		}
+ 	}
+ 
+-	groups, err := libcontainerUser.ParseGroupFile(groupFile)
++	if groupFile == "" {
++		group, err = secureOpen(containerMount, "/etc/group")
++	} else {
++		// User-specified override from a volume. Will not be in
++		// container root.
++		group, err = os.Open(groupFile)
++	}
+ 	if err == nil {
+-		for _, g := range groups {
+-			if g.Name == "nobody" {
+-				continue
+-			}
+-			if g.Gid > size {
+-				size = g.Gid
++		defer group.Close()
++
++		groups, err := libcontainerUser.ParseGroup(group)
++		if err == nil {
++			for _, g := range groups {
++				if g.Name == "nobody" || g.Name == "nogroup" {
++					continue
++				}
++				if g.Gid > size && g.Gid != nobodyUser {
++					size = g.Gid + 1
++				}
+ 			}
+ 		}
+ 	}
+@@ -300,3 +324,19 @@ func getAutoUserNSIDMappings(
+ 	gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+ 	return uidMap, gidMap, nil
+ }
++
++// Securely open (read-only) a file in a container mount.
++func secureOpen(containerMount, file string) (*os.File, error) {
++	filePath, err := securejoin.SecureJoin(containerMount, file)
++	if err != nil {
++		return nil, err
++	}
++
++	flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
++	fileHandle, err := os.OpenFile(filePath, flags, 0)
++	if err != nil {
++		return nil, err
++	}
++
++	return fileHandle, nil
++}
+diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
+new file mode 100644
+index 0000000..e37c18f
+--- /dev/null
++++ b/vendor/github.com/containers/storage/userns_unsupported.go
+@@ -0,0 +1,14 @@
++//go:build !linux
++
++package storage
++
++import (
++	"errors"
++
++	"github.com/containers/storage/pkg/idtools"
++	"github.com/containers/storage/types"
++)
++
++func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
++	return nil, nil, errors.New("user namespaces are not supported on this platform")
++}
+-- 
+2.40.4
+
diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary:        OCI-based implementation of Kubernetes Container Runtime Interfa
 # Define macros for further referenced sources
 Name:           cri-o
 Version:        1.22.3
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -76,6 +76,7 @@ Patch20:        CVE-2023-6476.patch
 Patch21:        CVE-2024-44337.patch
 Patch22:        CVE-2025-27144.patch
 Patch23:        CVE-2025-21614.patch
+Patch24:        CVE-2024-9676.patch
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -228,6 +229,9 @@ mkdir -p /opt/cni/bin
 %{_fillupdir}/sysconfig.kubelet
 
 %changelog
+* Thu Apr 17 2025 Sean Dougherty <sdougherty@microsoft.com> - 1.22.3-14
+- Add patch for CVE-2024-9676.
+
 * Fri Apr 04 2025 Henry Li <lihl@microsoft.com> - 1.22.3-13
 - Add patch for CVE-2025-21614
 
