From 3fc2987222854fbfc3cb4cdaa27dfbf6288507bd Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Thu, 18 Sep 2025 13:58:26 +0800 Subject: [PATCH] fix CVE-2023-47108 --- containerd.spec | 8 +- git-commit | 2 +- .../0047-containerd-fix-CVE-2023-47108.patch | 78 +++++++++++++++++++ series.conf | 1 + 4 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 patch/0047-containerd-fix-CVE-2023-47108.patch diff --git a/containerd.spec b/containerd.spec index 1eb94b1..d74b34f 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.6.22 Name: containerd -Release: 23 +Release: 24 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -68,6 +68,12 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml %exclude %{_bindir}/containerd-stress %changelog +* Thu Sep 18 2025 dongyuzhen - 1.6.22-24 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2023-47108 + * Mon Aug 25 2025 Yu Peng - 1.6.22-23 - Type:bugfix - ID:NA diff --git a/git-commit b/git-commit index 4cdbc79..3d9c301 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -505c543740cc9cd666836e5c541d60d5296fa6ee +2ac7db5bca96aacae4851ae389a71c8e83818473 diff --git a/patch/0047-containerd-fix-CVE-2023-47108.patch b/patch/0047-containerd-fix-CVE-2023-47108.patch new file mode 100644 index 0000000..9680ab4 --- /dev/null +++ b/patch/0047-containerd-fix-CVE-2023-47108.patch 
@@ -0,0 +1,78 @@
+From b44dfc9092b157625a5815cb437583cee663333b Mon Sep 17 00:00:00 2001
+From: Aaron Clawson <3766680+MadVikingGod@users.noreply.github.com>
+Date: Mon, 6 Nov 2023 17:34:22 -0600
+Subject: [PATCH] otelgrpc: Remove high cardinality metric attributes (#4322)
+
+---
+ .../grpc/otelgrpc/interceptor.go | 28 +++++++++++--------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+index b1d9f64..df0fb70 100644
+--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
++++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+@@ -81,7 +81,7 @@ func UnaryClientInterceptor(opts ...Option) grpc.UnaryClientInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(method, cc.Target())
++ name, attr, _ := telemetryAttributes(method, cc.Target())
+ var span trace.Span
+ ctx, span = tracer.Start(
+ ctx,
+@@ -251,7 +251,7 @@ func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(method, cc.Target())
++ name, attr, _ := telemetryAttributes(method, cc.Target())
+ var span trace.Span
+ ctx, span = tracer.Start(
+ ctx,
+@@ -311,7 +311,7 @@ func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
++ name, attr, metricAttrs := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ ctx, span := tracer.Start(
+ trace.ContextWithRemoteSpanContext(ctx, spanCtx),
+ name,
+@@ -400,7 +400,7 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
++ name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ ctx, span := tracer.Start(
+ trace.ContextWithRemoteSpanContext(ctx, spanCtx),
+ name,
+@@ -423,14 +423,18 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
+ }
+ }
+
+-// spanInfo returns a span name and all appropriate attributes from the gRPC
+-// method and peer address.
+-func spanInfo(fullMethod, peerAddress string) (string, []attribute.KeyValue) {
+- attrs := []attribute.KeyValue{RPCSystemGRPC}
+- name, mAttrs := internal.ParseFullMethod(fullMethod)
+- attrs = append(attrs, mAttrs...)
+- attrs = append(attrs, peerAttr(peerAddress)...)
+- return name, attrs
++// telemetryAttributes returns a span name and span and metric attributes from
++// the gRPC method and peer address.
++func telemetryAttributes(fullMethod, peerAddress string) (string, []attribute.KeyValue, []attribute.KeyValue) {
++ name, methodAttrs := internal.ParseFullMethod(fullMethod)
++ peerAttrs := peerAttr(peerAddress)
++
++ attrs := make([]attribute.KeyValue, 0, 1+len(methodAttrs)+len(peerAttrs))
++ attrs = append(attrs, RPCSystemGRPC)
++ attrs = append(attrs, methodAttrs...)
++ metricAttrs := attrs[:1+len(methodAttrs)]
++ attrs = append(attrs, peerAttrs...)
++ return name, attrs, metricAttrs
+ }
+
+ // peerAttr returns attributes about the peer address.
+--
+2.43.0
\ No newline at end of file
diff --git a/series.conf b/series.conf
index 2cd35fd..6cbcb85 100644
--- a/series.conf
+++ b/series.conf
@@ -43,3 +43,4 @@ patch/0043-containerd-delete-task-asynchronously-to-avoid-conta.patch
 patch/0044-containerd-fix-dead-loop.patch
 patch/0045-containerd-remove-limitnofile-from-containerd-service.patch
 patch/0046-containerd-Fix-ctr-snapshot-mount-produce-invalid-mount-command.patch
+patch/0047-containerd-fix-CVE-2023-47108.patch
--
Gitee
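Review bot: In the UnaryServerInterceptor hunk of the added 0047 patch (`@@ -311,7 +311,7 @@`) the new line binds `metricAttrs`, but no added line anywhere in the patch reads it; the function body continues past the hunk, yet the inner diffstat (16 insertions, 12 deletions) is fully accounted for by the five visible hunks. Go rejects a local that is declared and not used, so as far as these hunks show the vendored package would fail to compile unless the line reads `name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))` like the other three call sites. For CVE-2023-47108 itself, no visible line changes which attributes reach a metric instrument, and every interceptor still passes `attr`, which includes the peer attributes, to the span. If the vendored otelgrpc in 1.6.22 records no metrics, the changelog entry should say the patch is a precautionary backport; otherwise the recording call still has to switch from `attr` to `metricAttrs`. Separately, `metricAttrs := attrs[:1+len(methodAttrs)]` shares its backing array with `attrs`, so a later `append` to it would overwrite the first peer attribute; `attrs[:1+len(methodAttrs):1+len(methodAttrs)]` caps the capacity and avoids that.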