containerd - Address CVE-2023-44487 and CVE-2023-47108 (#9516)

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2024-06-26 15:41:21 -04:00 · 2024-06-26 15:41:21 -04:00 · b67a322ee4
--- a/SPECS/containerd/CVE-2023-44487.patch
+++ b/SPECS/containerd/CVE-2023-44487.patch
@ -0,0 +1,30 @@
+backport of a0fd4b065528566eec54fe207aa5e3131babc378 (https://github.com/kubernetes/apimachinery/commit/a0fd4b065528566eec54fe207aa5e3131babc378.patch)
+
+diff -ru containerd-1.7.13-orig/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go containerd-1.7.13/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
+--- containerd-1.7.13-orig/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go	2024-06-26 14:41:05.173893133 +0000
+++ containerd-1.7.13/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go	2024-06-26 14:56:56.288354267 +0000
+@@ -126,14 +126,18 @@
+ // OnError will block if it is called more often than the embedded period time.
+ // This will prevent overly tight hot error loops.
+ func (r *rudimentaryErrorBackoff) OnError(error) {
+	now := time.Now() // start the timer before acquiring the lock
+ 	r.lastErrorTimeLock.Lock()
+-	defer r.lastErrorTimeLock.Unlock()
+-	d := time.Since(r.lastErrorTime)
+-	if d < r.minPeriod {
+-		// If the time moves backwards for any reason, do nothing
+-		time.Sleep(r.minPeriod - d)
+-	}
+	d := now.Sub(r.lastErrorTime)
+ 	r.lastErrorTime = time.Now()
+	r.lastErrorTimeLock.Unlock()
+
+	// Do not sleep with the lock held because that causes all callers of HandleError to block.
+	// We only want the current goroutine to block.
+	// A negative or zero duration causes time.Sleep to return immediately.
+	// If the time moves backwards for any reason, do nothing.
+	time.Sleep(r.minPeriod - d)
+
+ }
+ 
+ // GetCaller returns the caller of the function that calls it.
--- a/SPECS/containerd/CVE-2023-47108.patch
+++ b/SPECS/containerd/CVE-2023-47108.patch
@ -0,0 +1,67 @@
+backport of b44dfc9092b157625a5815cb437583cee663333b (https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b)
+
+diff -ru containerd-1.7.13-orig/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go containerd-1.7.13/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+--- containerd-1.7.13-orig/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go	2024-06-26 14:41:04.713891799 +0000
+++ containerd-1.7.13/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go	2024-06-26 15:24:51.636920349 +0000
+@@ -83,7 +83,7 @@
+ 			return invoker(ctx, method, req, reply, cc, callOpts...)
+ 		}
+ 
+-		name, attr := spanInfo(method, cc.Target())
+		name, attr, _ := telemetryAttributes(method, cc.Target())
+ 
+ 		startOpts := append([]trace.SpanStartOption{
+ 			trace.WithSpanKind(trace.SpanKindClient),
+@@ -278,7 +278,7 @@
+ 			return streamer(ctx, desc, cc, method, callOpts...)
+ 		}
+ 
+-		name, attr := spanInfo(method, cc.Target())
+		name, attr, _ := telemetryAttributes(method, cc.Target())
+ 
+ 		startOpts := append([]trace.SpanStartOption{
+ 			trace.WithSpanKind(trace.SpanKindClient),
+@@ -346,7 +346,7 @@
+ 		}
+ 
+ 		ctx = extract(ctx, cfg.Propagators)
+-		name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
+		name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ 
+ 		startOpts := append([]trace.SpanStartOption{
+ 			trace.WithSpanKind(trace.SpanKindServer),
+@@ -469,7 +469,7 @@
+ 		}
+ 
+ 		ctx = extract(ctx, cfg.Propagators)
+-		name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
+		name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ 
+ 		startOpts := append([]trace.SpanStartOption{
+ 			trace.WithSpanKind(trace.SpanKindServer),
+@@ -498,17 +498,18 @@
+ 	}
+ }
+ 
+-// spanInfo returns a span name and all appropriate attributes from the gRPC
+-// method and peer address.
+-func spanInfo(fullMethod, peerAddress string) (string, []attribute.KeyValue) {
+-	name, mAttrs := internal.ParseFullMethod(fullMethod)
+// telemetryAttributes returns a span name and span and metric attributes from
+// the gRPC method and peer address.
+func telemetryAttributes(fullMethod, peerAddress string) (string, []attribute.KeyValue, []attribute.KeyValue) {
+	name, methodAttrs := internal.ParseFullMethod(fullMethod)
+ 	peerAttrs := peerAttr(peerAddress)
+ 
+-	attrs := make([]attribute.KeyValue, 0, 1+len(mAttrs)+len(peerAttrs))
+	attrs := make([]attribute.KeyValue, 0, 1+len(methodAttrs)+len(peerAttrs))
+ 	attrs = append(attrs, RPCSystemGRPC)
+-	attrs = append(attrs, mAttrs...)
+	attrs = append(attrs, methodAttrs...)
+	metricAttrs := attrs[:1+len(methodAttrs)]
+ 	attrs = append(attrs, peerAttrs...)
+-	return name, attrs
+	return name, attrs, metricAttrs
+ }
+ 
+ // peerAttr returns attributes about the peer address.
--- a/SPECS/containerd/containerd.spec
+++ b/SPECS/containerd/containerd.spec
@ -4,7 +4,7 @@
 Summary: Industry-standard container runtime
 Name: containerd
 Version: 1.7.13
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@ -16,6 +16,8 @@ Source1: containerd.service
 Source2: containerd.toml
 Patch0:  Makefile.patch
 Patch1:  fix_tests_for_golang1.21.patch
+Patch2:	 CVE-2023-44487.patch
+Patch3:  CVE-2023-47108.patch

 %{?systemd_requires}

@ -85,6 +87,9 @@ fi
 %dir /opt/containerd/lib

 %changelog
+* Wed Jun 26 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 1.7.13-3
+- Address CVE-2023-44487 and CVE-2023-47108
+
 * Fri Mar 08 2024 Henry Beberman <henry.beberman@microsoft.com> - 1.7.13-2
 - Add OOMScoreAdjust -999 to containerd.service