diff --git a/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
new file mode 100644
index 0000000..4344209
--- /dev/null
+++ b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
@@ -0,0 +1,50 @@
+From 47f113c0362b7fad7e1e7a630193824729525236 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 1 Oct 2024 11:01:45 -0400
+Subject: [PATCH 1/3] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai
+(cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b)
+Signed-off-by: Danish Prakash
+---
+ internal/volumes/volumes.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index a79b8df8c5ed..ccb81b27ed46 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -100,6 +100,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ if len(kv) == 1 {
+ return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ }
++ switch kv[1] {
++ default:
++ return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, kv[1])
+ case "src", "source":
+ if len(kv) == 1 {
+@@ -271,6 +277,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ if len(kv) == 1 {
+ return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ }
++ switch kv[1] {
++ default:
++ return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, kv[1])
+ case "id":
+ if len(kv) == 1 {
+-- 
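Review bot: The propagation allowlist at `++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":` is now written out twice, once in GetBindMount and once in GetCacheMount, and the comment beside each says it must mirror a third list accepted earlier in the parser that this hunk does not show; three hand-maintained copies of a security check are exactly what drifts apart on the next change. Hoist the values into one package-level definition, e.g. `var bindPropagationValues = []string{"shared", "rshared", "private", "rprivate", "slave", "rslave"}`, and have both new switches (and, if feasible, the unprefixed parser) consult it through a small helper such as `isBindPropagation(kv[1])`, so one edit updates every site. The rejected value is already echoed with `%q`, which is the right choice for user-supplied input. Both enclosing functions start and end outside this hunk.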
+2.46.0
+
diff --git a/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch b/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
new file mode 100644
index 0000000..038ae52
--- /dev/null
+++ b/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
@@ -0,0 +1,52 @@
+From be63550b01f7b3a1788912d79e2866ee9cdd083b Mon Sep 17 00:00:00 2001
+From: Paul Holzinger
+Date: Wed, 2 Oct 2024 12:15:15 +0200
+Subject: [PATCH 2/3] [conmon] pkg/subscriptions: use securejoin for the
+ container path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+Cherry-pick from
+https://github.com/containers/common/commit/5a550b6fe26068dd1d5d2616c8595edf10b41e28
+
+Signed-off-by: Paul Holzinger
+Signed-off-by: Dan Čermák
+Signed-off-by: Danish Prakash
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154a7790..b513ed0b1df9 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -345,7 +346,11 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
++
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+-- 
+2.46.0
+
diff --git a/0003-Properly-validate-cache-IDs-and-sources.patch b/0003-Properly-validate-cache-IDs-and-sources.patch
new file mode 100644
index 0000000..95b50b9
--- /dev/null
+++ b/0003-Properly-validate-cache-IDs-and-sources.patch
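Review bot: `++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)` confines the resolved path to mountPoint at the moment of the call, but the `os.Stat(srcOnHost)` on the next context line and whatever the function later does with srcOnHost (outside this hunk) walk the path again, so the guarantee holds only if nothing can rewrite that part of the container rootfs between those steps; that assumption should be written down, e.g. `// SecureJoin keeps the result under mountPoint, but it is not atomic with the later lookups; assumes the rootfs is not modified concurrently during setup.` The unchanged `if _, err := os.Stat(srcOnHost); err != nil {` now shadows the err declared by the new line; `if _, err = os.Stat(srcOnHost); err != nil {` avoids the shadow, and any later `err :=` at function scope (not visible here) would need the same check since the new declaration changes what is already in scope. addFIPSModeSubscription starts and ends outside the hunk.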
@@ -0,0 +1,119 @@
+From 7efe216bed829677dd10fa960f8be2459fef752d Mon Sep 17 00:00:00 2001
+From: Matt Heon
+Date: Wed, 9 Oct 2024 15:23:03 -0400
+Subject: [PATCH 3/3] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon
+Signed-off-by: Danish Prakash
+---
+ internal/volumes/volumes.go | 20 +++++++++++++++-----
+ tests/bud.bats | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 5 deletions(-)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index ccb81b27ed46..037586f704b6 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -11,6 +11,7 @@ import (
+ 
+ "errors"
+ 
++ "github.com/containers/buildah/copier"
+ "github.com/containers/buildah/define"
+ "github.com/containers/buildah/internal"
+ internalParse "github.com/containers/buildah/internal/parse"
+@@ -22,6 +23,7 @@ import (
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/lockfile"
+ "github.com/containers/storage/pkg/unshare"
++ digest "github.com/opencontainers/go-digest"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -368,7 +370,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ }
+ // path should be /contextDir/specified path
+- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, nil, err
++ }
++ newMount.Source = evaluated
+ } else {
+ // we need to create cache on host if no image is being used
+ 
+@@ -385,11 +391,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ }
+ 
+ if id != "" {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(id).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ } else {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ }
+ idPair := idtools.IDPair{
+ UID: uid,
+diff --git a/tests/bud.bats b/tests/bud.bats
+index 878a1597a0a7..c2038b0377bc 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -6527,3 +6527,37 @@ _EOF
+ expect_output --substring "localhost/foo/bar"
+ expect_output --substring "localhost/bar"
+ }
++
++@test "build-check-cve-2024-9675" {
++ _prefetch alpine
++
++ touch ${TEST_SCRATCH_DIR}/file.txt
++
++ cat > ${TEST_SCRATCH_DIR}/Containerfile < ${TEST_SCRATCH_DIR}/Containerfile < ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <
+
+- Add patch for CVE-2024-9675 (bsc#1231499):
+ * 0003-Properly-validate-cache-IDs-and-sources.patch
+- Rebase patches:
+ * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+ * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+
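Review bot: Naming the directory from `++ dirID := digest.FromString(id).Encoded()[:16]` (and the parallel line keyed on newMount.Destination) changes the on-disk layout, so cache directories and lock files that earlier versions created under `cacheParent/<id>` are neither found nor removed after this update; that consequence is not mentioned anywhere and deserves a comment at the `dirID` line, e.g. `// Hashing also means caches created by older versions under the raw id are orphaned, not reused.`, plus a sentence in the patch description. The new `return newMount, nil, err` after copier.Eval drops the context its neighbours carry; `return newMount, nil, fmt.Errorf("evaluating %q in stage %q: %w", newMount.Source, fromStage, err)` would match them, assuming fromStage is still in scope at that point. The tests/bud.bats hunk is unreadable in this rendering (the heredoc bodies and the end of the hunk were stripped), so the regression test could not be reviewed. GetCacheMount starts and ends outside both hunks.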
+-------------------------------------------------------------------
+Wed Oct 2 10:24:41 UTC 2024 - Dan Čermák
+
+- Add patches for CVE-2024-9407 and CVE-2024-9341:
+ * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch (bsc#1231208
+ aka CVE-2024-9407)
+ * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch (bsc#1231230
+ aka CVE-2024-9341)
+
 -------------------------------------------------------------------
 Thu Feb 22 12:59:44 UTC 2024 - Thorsten Kukuk
diff --git a/buildah.spec b/buildah.spec
index 1c7cc99..e697f3d 100644
--- a/buildah.spec
+++ b/buildah.spec
@@ -27,6 +27,9 @@ Group: System/Management
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.xz
 Source1: %{name}-rpmlintrc
+Patch0: 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+Patch1: 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+Patch2: 0003-Properly-validate-cache-IDs-and-sources.patch
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
 BuildRequires: fdupes
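Review bot: The new `Patch0`..`Patch2` tags only declare the files; whether they are applied depends on the %prep section, which is outside this hunk, so please confirm it uses `%autosetup -p1` or carries matching `%patch` lines, otherwise the package is rebuilt from the same sources with the three fixes listed but inert. Patch 0002 touches a path under vendor/, so it can only apply if the Source0 tarball ships the vendor tree; that is worth checking at the same time.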