Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
test--skip-TestGetPIDSFromCgroup.patch | disabled failing test. ~~~~ FAIL: TestGetPIDSFromCgroup (0.00s) pids_test.go:33: Error Trace: pids_test.go:33 Error: Expected nil, but got: &os.PathError{Op:"open", Path:"/sys/fs/cgroup/pids//user.slice/user-1000.slice/session-6.scope/cgroup.procs", Err:0x2} Test: TestGetPIDSFromCgroup pids_test.go:34: Error Trace: pids_test.go:34 Error: Should be true Test: TestGetPIDSFromCgroup ~~~~ | Dmitry Smirnov <onlyjob@debian.org> | not-needed | | | 2019-09-10 |
CVE-2022-1227.patch | commit 3ae3044916481f5c001f64a9d26110b878a676e0 (github/v1.7.1-fedora) internal: proc: do not join the process user namespace. The only reason we joined the process user namespace was to map a handful of fields into the same user namespace as that process. This procedure can be implemented entirely in Go without having to run code inside the container. In addition, since psgo is used inside "podman top", we were actually executing the nsenter binary *from the container* without all of the container's security profiles applied. At the very least this would allow a container process to return bad data to psgo (possibly confusing management scripts using psgo) and at the very worst it would allow the container process to escalate privileges by getting podman to execute code without all of the container security profiles applied. Fixes: CVE-2022-1227 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> Backported-by: Valentin Rothberg <vrothberg@redhat.com> Signed-off-by: Valentin Rothberg <vrothberg@redhat.com> diff --git a/internal/proc/ns.go b/internal/proc/ns.go index 28ee6a2..9e77b86 100644 | Aleksa Sarai <cyphar@cyphar.com> | no | | | 2022-01-12 |
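The CVE-2022-1227 commit message above says the user-namespace id mapping can be done entirely in Go, by reading the process's id map from procfs instead of entering the namespace and running `nsenter` (and so code from the container image) to ask from the inside. The following is an added illustration of that approach, not the psgo project's own code or the content of the patch: it parses the kernel's `/proc/<pid>/uid_map` format ("inside-id outside-id count" per line), translates a host-side uid into the id the process sees inside its namespace with plain arithmetic, and fails closed on malformed maps and unmapped ids. The function names and the sample map are assumptions made for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// IDMap is one entry of /proc/<pid>/uid_map (or gid_map). The kernel format is
// "<first id inside the namespace> <first id outside (on the host)> <count>".
type IDMap struct {
	InsideID  uint64
	OutsideID uint64
	Count     uint64
}

// ErrUnmapped is returned when a host id has no entry in the namespace's map
// (inside the namespace the kernel shows such ids as the overflow id, 65534).
var ErrUnmapped = errors.New("id is not mapped into the target user namespace")

// ParseIDMap parses the text of a uid_map/gid_map file. A malformed line is an
// error rather than something to skip: guessing here would reintroduce the
// "bad data" problem that avoiding nsenter was meant to remove.
func ParseIDMap(content string) ([]IDMap, error) {
	var maps []IDMap
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed id map line %q", line)
		}
		var v [3]uint64
		for i, f := range fields {
			n, err := strconv.ParseUint(f, 10, 32) // kernel ids are 32-bit
			if err != nil {
				return nil, fmt.Errorf("malformed id map line %q: %w", line, err)
			}
			v[i] = n
		}
		if v[2] == 0 {
			return nil, fmt.Errorf("zero-length id map line %q", line)
		}
		maps = append(maps, IDMap{InsideID: v[0], OutsideID: v[1], Count: v[2]})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return maps, nil
}

// HostToNamespace translates a host-side id (what an outside reader sees in
// /proc/<pid>/status) into the id the process sees in its own user namespace.
// Pure arithmetic on the parsed map: no setns and no code run in the container.
// Operands are below 2^32, so the addition cannot overflow uint64.
func HostToNamespace(maps []IDMap, hostID uint64) (uint64, error) {
	for _, m := range maps {
		if hostID >= m.OutsideID && hostID < m.OutsideID+m.Count {
			return m.InsideID + (hostID - m.OutsideID), nil
		}
	}
	return 0, ErrUnmapped
}

// HostUIDToNamespace reads the live map of pid from procfs and translates
// hostUID. /proc/<pid>/uid_map is readable from outside the namespace.
func HostUIDToNamespace(pid int, hostUID uint64) (uint64, error) {
	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/uid_map", pid))
	if err != nil {
		return 0, err
	}
	maps, err := ParseIDMap(string(data))
	if err != nil {
		return 0, err
	}
	return HostToNamespace(maps, hostUID)
}

func main() {
	// Constructed sample map (not from any real system): host uid 100000 is root
	// inside the namespace, and host uids 200000-200999 continue at 65536.
	const sample = "         0     100000      65536\n     65536     200000       1000\n"
	maps, err := ParseIDMap(sample)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, host := range []uint64{100000, 101000, 200999, 165536} {
		id, err := HostToNamespace(maps, host)
		if err != nil {
			fmt.Printf("host uid %d: %v\n", host, err)
			continue
		}
		fmt.Printf("host uid %d -> uid %d inside the namespace\n", host, id)
	}
	// The same translation against a live process: our own pid, which on most
	// hosts has the identity map.
	if id, err := HostUIDToNamespace(os.Getpid(), uint64(os.Getuid())); err == nil {
		fmt.Printf("self: host uid %d -> %d\n", os.Getuid(), id)
	}
}
```

Reading the map from outside is the point of the fix: the data comes from the kernel, not from a binary inside the container image, so a hostile container cannot feed the tool crafted output or get code executed without its seccomp, AppArmor/SELinux and capability restrictions applied.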