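--- /dev/null
+++ b/SPECS/moby-containerd-cc/CVE-2026-46680.patch
@@ -0,0 +1,110 @@
+From 578d48b829d70705a0e78b1777455160b6d9bf66 Mon Sep 17 00:00:00 2001
+From: LEI WANG <ssst0n3@gmail.com>
+Date: Tue, 17 Mar 2026 17:58:00 +0800
+Subject: [PATCH] oci: return explicit error for out-of-range USER values
+
+Detect strconv.ErrRange and validate uid/gid bounds to avoid falling back to username/group lookups.
+
+Signed-off-by: LEI WANG <ssst0n3@gmail.com>
+(cherry picked from commit 85706b6d4416d93b47033ba345d7b885a75657b4)
+Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://patch-diff.githubusercontent.com/raw/containerd/containerd/pull/13450.patch
+---
+oci/spec_opts.go | 29 +++++++++++++++++++++++++----
+oci/spec_opts_linux_test.go | 14 +++++++++++---
+2 files changed, 36 insertions(+), 7 deletions(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 2a77b4d..52b2f81 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -629,14 +629,25 @@ func WithUser(userstr string) SpecOpts {
+return nil
+}
+
++ isErrRange := func(err error) bool {
++ var numErr *strconv.NumError
++ return errors.As(err, &numErr) && numErr.Err == strconv.ErrRange
++ }
++
+parts := strings.Split(userstr, ":")
+switch len(parts) {
+case 1:
+v, err := strconv.Atoi(parts[0])
+- if err != nil || v < minUserID || v > maxUserID {
+- // if we cannot parse as an int32 then try to see if it is a username
++ if err != nil {
++ if isErrRange(err) {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
++ }
++ // Non-numeric user value; treat it as a username.
+return WithUsername(userstr)(ctx, client, c, s)
+}
++ if v < minUserID || v > maxUserID {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
++ }
+return WithUserID(uint32(v))(ctx, client, c, s)
+case 2:
+var (
+@@ -645,14 +656,24 @@ func WithUser(userstr string) SpecOpts {
+)
+var uid, gid uint32
+v, err := strconv.Atoi(parts[0])
+- if err != nil || v < minUserID || v > maxUserID {
++ if err != nil {
++ if isErrRange(err) {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
++ }
+username = parts[0]
++ } else if v < minUserID || v > maxUserID {
++ return fmt.Errorf("invalid USER value %q: uid out of range", userstr)
+} else {
+uid = uint32(v)
+}
+v, err = strconv.Atoi(parts[1])
+- if err != nil || v < minGroupID || v > maxGroupID {
++ if err != nil {
++ if isErrRange(err) {
++ return fmt.Errorf("invalid USER value %q: gid out of range", userstr)
++ }
+groupname = parts[1]
++ } else if v < minGroupID || v > maxGroupID {
++ return fmt.Errorf("invalid USER value %q: gid out of range", userstr)
+} else {
+gid = uint32(v)
+}
+diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go
+index 0cd79e0..d387931 100644
+--- a/oci/spec_opts_linux_test.go
++++ b/oci/spec_opts_linux_test.go
+@@ -92,15 +92,23 @@ guest:x:100:guest
+},
+{
+user: "405:2147483648",
+- err: "no groups found",
++ err: "invalid USER value \"405:2147483648\": gid out of range",
+},
+{
+user: "-1000",
+- err: "no users found",
++ err: "invalid USER value \"-1000\": uid out of range",
+},
+{
+user: "2147483648",
+- err: "no users found",
++ err: "invalid USER value \"2147483648\": uid out of range",
++ },
++ {
++ user: "999999999999999999999999999999999999",
++ err: "invalid USER value \"999999999999999999999999999999999999\": uid out of range",
++ },
++ {
++ user: "0:999999999999999999999999999999999999",
++ err: "invalid USER value \"0:999999999999999999999999999999999999\": gid out of range",
+},
+}
+for _, testCase := range testCases {
+--
+2.45.4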
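Review bot: The `isErrRange` closure added at the top of the first spec_opts.go hunk re-implements what `errors.Is` already provides: `*strconv.NumError` unwraps to its `Err` field, so `errors.Is(err, strconv.ErrRange)` matches the same condition and the closure plus its three call sites collapse to `if errors.Is(err, strconv.ErrRange) {` (assuming a Go 1.14 or newer toolchain, which the existing `errors.As` use already presupposes). This is a style point only; as far as the hunk shows, the new control flow is correct, and the added 36-digit test values exercise the `ErrRange` path so the out-of-range-to-username fallback is closed on both 32-bit builds, where `Atoi` reports `ErrRange`, and 64-bit builds, where the value parses and then fails the `minUserID`/`maxUserID` check. One caveat worth a comment next to the "Non-numeric user value" line: `ErrSyntax` inputs such as `"0x10"` or `"1.5"` still fall through to the username lookup exactly as before, which is the intended behaviour but not obvious from the message. WithUser's body, including the username/group lookup that follows the `case 2` branch, continues outside the hunk.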

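--- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec
+++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
@@ -6,7 +6,7 @@
 Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -30,6 +30,7 @@ Patch11:CVE-2025-64329.patch
 Patch12:CVE-2026-39882.patch
 Patch13:CVE-2026-35469.patch
 Patch14:CVE-2026-39821.patch
+Patch15:CVE-2026-46680.patch
 
 %{?systemd_requires}
 
@@ -87,6 +88,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Thu Jul 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.7.7-14
+- Patch for CVE-2026-46680
+
 * Thu May 28 2026 Akhila Guruju <v-guakhila@microsoft.com> - 1.7.7-13
 - Patch CVE-2026-39821
 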