diff --git a/SPECS/moby-containerd-cc/CVE-2026-46680.patch b/SPECS/moby-containerd-cc/CVE-2026-46680.patch
new file mode 100644
index 00000000000..72511e6e315
--- /dev/null
+++ b/SPECS/moby-containerd-cc/CVE-2026-46680.patch
@@ -0,0 +1,110 @@
+From 578d48b829d70705a0e78b1777455160b6d9bf66 Mon Sep 17 00:00:00 2001
+From: LEI WANG
+Date: Tue, 17 Mar 2026 17:58:00 +0800
+Subject: [PATCH] oci: return explicit error for out-of-range USER values
+
+Detect strconv.ErrRange and validate uid/gid bounds to avoid falling back to username/group lookups.
+
+Signed-off-by: LEI WANG
+(cherry picked from commit 85706b6d4416d93b47033ba345d7b885a75657b4)
+Signed-off-by: Chris Henzie
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://patch-diff.githubusercontent.com/raw/containerd/containerd/pull/13450.patch
+---
+ oci/spec_opts.go | 29 +++++++++++++++++++++++++----
+ oci/spec_opts_linux_test.go | 14 +++++++++++---
+ 2 files changed, 36 insertions(+), 7 deletions(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 2a77b4d..52b2f81 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -629,14 +629,25 @@ func WithUser(userstr string) SpecOpts {
+ return nil
+ }
+ 
++ isErrRange := func(err error) bool {
++ var numErr *strconv.NumError
++ return errors.As(err, &numErr) && numErr.Err == strconv.ErrRange
++ }
++
+ parts := strings.Split(userstr, ":")
+ switch len(parts) {
+ case 1:
+ v, err := strconv.Atoi(parts[0])
+- if err != nil || v < minUserID || v > maxUserID {
+- // if we cannot parse as an int32 then try to see if it is a username
++ if err != nil {
++ if isErrRange(err) {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
++ }
++ // Non-numeric user value; treat it as a username.
+ return WithUsername(userstr)(ctx, client, c, s)
+ }
++ if v < minUserID || v > maxUserID {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
++ }
+ return WithUserID(uint32(v))(ctx, client, c, s)
+ case 2:
+ var (
+@@ -645,14 +656,24 @@ func WithUser(userstr string) SpecOpts {
+ )
+ var uid, gid uint32
+ v, err := strconv.Atoi(parts[0])
+- if err != nil || v < minUserID || v > maxUserID {
++ if err != nil {
++ if isErrRange(err) {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
++ }
+ username = parts[0]
++ } else if v < minUserID || v > maxUserID {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
+ } else {
+ uid = uint32(v)
+ }
+ v, err = strconv.Atoi(parts[1])
+- if err != nil || v < minGroupID || v > maxGroupID {
++ if err != nil {
++ if isErrRange(err) {
++ return fmt.Errorf("invalid USER value %q: gid out of range", userstr)
++ }
+ groupname = parts[1]
++ } else if v < minGroupID || v > maxGroupID {
++ return fmt.Errorf("invalid USER value %q: gid out of range", userstr)
+ } else {
+ gid = uint32(v)
+ }
+diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go
+index 0cd79e0..d387931 100644
+--- a/oci/spec_opts_linux_test.go
++++ b/oci/spec_opts_linux_test.go
+@@ -92,15 +92,23 @@ guest:x:100:guest
+ },
+ {
+ user: "405:2147483648",
+- err: "no groups found",
++ err: "invalid USER value \"405:2147483648\": gid out of range",
+ },
+ {
+ user: "-1000",
+- err: "no users found",
++ err: "invalid USER value \"-1000\": uid out of range",
+ },
+ {
+ user: "2147483648",
+- err: "no users found",
++ err: "invalid USER value \"2147483648\": uid out of range",
++ },
++ {
++ user: "999999999999999999999999999999999999",
++ err: "invalid USER value \"999999999999999999999999999999999999\": uid out of range",
++ },
++ {
++ user: "0:999999999999999999999999999999999999",
++ err: "invalid USER value \"0:999999999999999999999999999999999999\": gid out of range",
+ },
+ }
+ for _, testCase := range testCases {
+--
+2.45.4
+
diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
index b37170ad6c5..3cb5c1c0231 100644
--- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec
+++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
@@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
 
@@ -30,6 +30,7 @@ Patch11:CVE-2025-64329.patch
 Patch12:CVE-2026-39882.patch
 Patch13:CVE-2026-35469.patch
 Patch14:CVE-2026-39821.patch
+Patch15:CVE-2026-46680.patch
 
 %{?systemd_requires}
 
@@ -87,6 +88,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Thu Jul 02 2026 Azure Linux Security Servicing Account - 1.7.7-14
+- Patch for CVE-2026-46680
+
 * Thu May 28 2026 Akhila Guruju - 1.7.7-13
 - Patch CVE-2026-39821
 
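Review bot: The `isErrRange` closure added at the top of the first spec_opts.go hunk re-implements what `errors.Is` already provides, since `*strconv.NumError` unwraps to the sentinel it carries; each of the three call sites can be written `if errors.Is(err, strconv.ErrRange) {` and the closure dropped, with `errors` already in scope for the `errors.As` call. The four identical `fmt.Errorf("invalid USER value %q: uid out of range", userstr)` calls and the two gid counterparts could likewise share one small helper so the message cannot drift between the `case 1` and `case 2` branches. The new test rows pin uid overflow in the bare form and gid overflow in the `uid:gid` form, but not an out-of-range uid in the `uid:gid` form (for example a constructed `"2147483648:0"`), unless a row for it exists elsewhere in the table; that row is what would catch a regression where the `username = parts[0]` branch silently takes such a value again. `WithUser`'s body begins and ends outside the quoted hunks.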