Apply patches to fix CVE-2021-3602, CVE-2022-27651, CVE-2022-2995, CVE-2023-42821

SPECS/cri-o/CVE-2021-3602.patch

@@ -0,0 +1,119 @@
+From 8716daa06e9eb421438b338f18b6b650b082b208 Mon Sep 17 00:00:00 2001
+From: Cameron Baird <cameronbaird@microsoft.com>
+Date: Tue, 16 Apr 2024 22:33:46 +0000
+Subject: [PATCH 4/4] CVE-2021-3602
+
+---
+ .../github.com/containers/buildah/chroot/run.go   | 15 +++++----------
+ .../podman/v3/pkg/specgen/generate/security.go    |  7 +++++--
+ 2 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
+index a93f97dcd..643f5c91d 100644
+--- a/vendor/github.com/containers/buildah/chroot/run.go
++++ b/vendor/github.com/containers/buildah/chroot/run.go
+@@ -160,7 +160,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
+ 	cmd := unshare.Command(runUsingChrootCommand)
+ 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
+ 	cmd.Dir = "/"
+-	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
++	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+
+ 	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
+ 	confwg.Add(1)
+@@ -206,7 +206,7 @@ func runUsingChrootMain() {
+ 		os.Exit(1)
+ 	}
+
+-	if options.Spec == nil {
++	if options.Spec == nil || options.Spec.Process == nil {
+ 		fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
+ 		os.Exit(1)
+ 	}
+@@ -572,7 +572,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
+ 	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
+ 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
+ 	cmd.Dir = "/"
+-	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
++	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
+ 	cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
+ 	requestedUserNS := false
+ 	for _, ns := range spec.Linux.Namespaces {
+@@ -662,7 +662,7 @@ func runUsingChrootExecMain() {
+ 	// Set the hostname.  We're already in a distinct UTS namespace and are admins in the user
+ 	// namespace which created it, so we shouldn't get a permissions error, but seccomp policy
+ 	// might deny our attempt to call sethostname() anyway, so log a debug message for that.
+-	if options.Spec == nil {
++	if options.Spec == nil || options.Spec.Process == nil {
+ 		fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
+ 		os.Exit(1)
+ 	}
+@@ -818,7 +818,6 @@ func runUsingChrootExecMain() {
+ // Output debug messages when that differs from what we're being asked to do.
+ func logNamespaceDiagnostics(spec *specs.Spec) {
+ 	sawMountNS := false
+-	sawUserNS := false
+ 	sawUTSNS := false
+ 	for _, ns := range spec.Linux.Namespaces {
+ 		switch ns.Type {
+@@ -853,9 +852,8 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
+ 			}
+ 		case specs.UserNamespace:
+ 			if ns.Path != "" {
+-				logrus.Debugf("unable to join user namespace %q, creating a new one", ns.Path)
++				logrus.Debugf("unable to join user namespace, sorry about that")
+ 			}
+-			sawUserNS = true
+ 		case specs.UTSNamespace:
+ 			if ns.Path != "" {
+ 				logrus.Debugf("unable to join UTS namespace %q, creating a new one", ns.Path)
+@@ -866,9 +864,6 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
+ 	if !sawMountNS {
+ 		logrus.Debugf("mount namespace not requested, but creating a new one anyway")
+ 	}
+-	if !sawUserNS {
+-		logrus.Debugf("user namespace not requested, but creating a new one anyway")
+-	}
+ 	if !sawUTSNS {
+ 		logrus.Debugf("UTS namespace not requested, but creating a new one anyway")
+ 	}
+diff --git a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go b/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go
+index e0e4a47a4..3cda89a32 100644
+--- a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go
++++ b/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go
+@@ -146,6 +146,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+
+ 	configSpec := g.Config
+ 	configSpec.Process.Capabilities.Ambient = []string{}
++
++	// Always unset the inheritable capabilities similarly to what the Linux kernel does
++	// They are used only when using capabilities with uid != 0.
++	configSpec.Process.Capabilities.Inheritable = []string{}
+ 	configSpec.Process.Capabilities.Bounding = caplist
+
+ 	user := strings.Split(s.User, ":")[0]
+@@ -153,7 +157,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
+ 		configSpec.Process.Capabilities.Effective = caplist
+ 		configSpec.Process.Capabilities.Permitted = caplist
+-		configSpec.Process.Capabilities.Inheritable = caplist
+ 	} else {
+ 		mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ 		if err != nil {
+@@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ 		}
+ 		configSpec.Process.Capabilities.Effective = userCaps
+ 		configSpec.Process.Capabilities.Permitted = userCaps
+-		configSpec.Process.Capabilities.Inheritable = userCaps
+
+ 		// Ambient capabilities were added to Linux 4.3.  Set ambient
+ 		// capabilities only when the kernel supports them.
+ 		if supportAmbientCapabilities() {
+ 			configSpec.Process.Capabilities.Ambient = userCaps
++			configSpec.Process.Capabilities.Inheritable = userCaps
+ 		}
+ 	}
+
+-- 
+2.33.8
+

SPECS/cri-o/CVE-2021-44716.patch

@@ -0,0 +1,45 @@
+From deb00def7d110f1b4edbe5d03044a9d9f2516151 Mon Sep 17 00:00:00 2001
+From: Cameron Baird <cameronbaird@microsoft.com>
+Date: Wed, 17 Apr 2024 20:57:05 +0000
+Subject: [PATCH 2/2] CVE-2021-44716
+
+---
+ vendor/golang.org/x/net/http2/server.go | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index e125bbd2a..5f417b444 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -720,7 +720,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}
+ 	return cv
+ }
+
+@@ -2530,8 +2538,9 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
+ // prior to the headers being written. If the set of trailers is fixed
+ // or known before the header is written, the normal Go trailers mechanism
+ // is preferred:
+-//    https://golang.org/pkg/net/http/#ResponseWriter
+-//    https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
++//
++//	https://golang.org/pkg/net/http/#ResponseWriter
++//	https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
+ const TrailerPrefix = "Trailer:"
+
+ // promoteUndeclaredTrailers permits http.Handlers to set trailers
+-- 
+2.33.8
+