diff options
| author | Valentin Rothberg <vrothberg@redhat.com> | 2022-04-14 14:51:35 +0200 |
|---|---|---|
| committer | Valentin Rothberg <vrothberg@redhat.com> | 2022-04-14 15:27:58 +0200 |
| commit | f7bb8c44954934e2b671e2ebe4f9136b2ed9060e (patch) | |
| tree | 23f7880a84f065bc0d17b993327457b8630f89b7 /test | |
| parent | 7c7020ba16660141da77cc4a61c2d7c3ab4efe59 (diff) | |
| download | podman-f7bb8c44954934e2b671e2ebe4f9136b2ed9060e.tar.gz podman-f7bb8c44954934e2b671e2ebe4f9136b2ed9060e.tar.bz2 podman-f7bb8c44954934e2b671e2ebe4f9136b2ed9060e.zip | |
fix CVE-2022-1227
Vendor in the backports for psgo. Note that we cannot use psgo v1.7.1+
as v1.7.2 bumped too many dependencies.
Hence psgo has a v1.7.1-fedora branch that will be used for Podman v3.4.x
for Fedora. The v3.4.2-rhel branch uses c/storage v1.36.x so we need a
separate branches in psgo for Fedora and RHEL.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/system/030-run.bats | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats index 2900540de..92106269b 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -734,4 +734,28 @@ EOF is "$output" "$random_1" "output matches STDIN" } +# CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image +@test "podman top does not use nsenter from image" { + tmpdir=$PODMAN_TMPDIR/build-test + mkdir -p $tmpdir + tmpbuilddir=$tmpdir/build + mkdir -p $tmpbuilddir + dockerfile=$tmpbuilddir/Dockerfile + cat >$dockerfile <<EOF +FROM $IMAGE +RUN rm /usr/bin/nsenter; \ +echo -e "#!/bin/sh\nfalse" >> /usr/bin/nsenter; \ +chmod +x /usr/bin/nsenter +EOF + + test_image="cve_2022_1227_test" + run_podman build -t $test_image $tmpbuilddir + run_podman run -d --userns=keep-id $test_image top + ctr="$output" + run_podman top $ctr huser,user + run_podman kill $ctr + run_podman rm -f $ctr + run_podman rmi $test_image +} + # vim: filetype=sh |