diff --git a/0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch b/0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
new file mode 100644
index 0000000..7c9b874
--- /dev/null
+++ b/0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
@@ -0,0 +1,101 @@
+From 449e8171f96a6a944d1f3b7d3627ae059eae21ca Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
+Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Message-Id: <YfBGoriS38eBQrAb@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+ dgilbert: Fixed missing {}'s style nit
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb1..b3d0674f6d 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include <sys/wait.h>
+ #include <sys/xattr.h>
+ #include <syslog.h>
++#include <grp.h>
+
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+
++static void drop_supplementary_groups(void)
++{
++ int ret;
++
++ ret = getgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++
++ if (!ret) {
++ return;
++ }
++
++ /* Drop all supplementary groups. We should not need it */
++ ret = setgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++}
++
+ /*
+ * Change to uid/gid of caller so that file is created with
+ * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+
+ qemu_init_exec_dir(argv[0]);
+
++ drop_supplementary_groups();
++
+ pthread_mutex_init(&lo.mutex, NULL);
+ lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+ lo.root.fd = -1;
+--
+GitLab
+
diff --git a/qemu.spec b/qemu.spec
index 68bdcf8..4acd339 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -308,6 +308,10 @@ Source36: README.tests
Patch0001: 0001-sgx-stub-fix.patch
+# CVE-2022-0358
+# https://bugzilla.redhat.com/show_bug.cgi?id=2046202
+Patch0002: 0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
+
BuildRequires: meson >= %{meson_version}
BuildRequires: zlib-devel
BuildRequires: glib2-devel
@@ -2261,6 +2265,8 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Thu Feb 10 2022 Cole Robinson <crobinso@redhat.com> - 6.2.0-4
+- virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
+ Resolves: rhbz#2044863
- Split out qemu-virtiofsd subpackage
* Wed Feb 2 2022 Paolo Bonzini <pbonzini@redhat.com> - 2:6.2.0-3