Sync from SUSE:ALP:Source:Standard:1.0 buildah revision 6ee608f6816ae8e9ba05332f1cc79aa2

0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch

@@ -0,0 +1,50 @@
+From 47f113c0362b7fad7e1e7a630193824729525236 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Tue, 1 Oct 2024 11:01:45 -0400
+Subject: [PATCH 1/3] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+(cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b)
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ internal/volumes/volumes.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index a79b8df8c5ed..ccb81b27ed46 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -100,6 +100,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 			if len(kv) == 1 {
+ 				return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ 			}
++			switch kv[1] {
++			default:
++				return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++				// this should be the relevant parts of the same list of options we accepted above
++			}
+ 			newMount.Options = append(newMount.Options, kv[1])
+ 		case "src", "source":
+ 			if len(kv) == 1 {
+@@ -271,6 +277,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			if len(kv) == 1 {
+ 				return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ 			}
++			switch kv[1] {
++			default:
++				return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++				// this should be the relevant parts of the same list of options we accepted above
++			}
+ 			newMount.Options = append(newMount.Options, kv[1])
+ 		case "id":
+ 			if len(kv) == 1 {
+-- 
+2.46.0
+

0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch

@@ -0,0 +1,52 @@
+From be63550b01f7b3a1788912d79e2866ee9cdd083b Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Wed, 2 Oct 2024 12:15:15 +0200
+Subject: [PATCH 2/3] [conmon] pkg/subscriptions: use securejoin for the
+ container path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+Cherry-pick from
+https://github.com/containers/common/commit/5a550b6fe26068dd1d5d2616c8595edf10b41e28
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Dan Čermák <dcermak@suse.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go   | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154a7790..b513ed0b1df9 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ 	"github.com/containers/common/pkg/umask"
+ 	"github.com/containers/storage/pkg/idtools"
++	securejoin "github.com/cyphar/filepath-securejoin"
+ 	rspec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -345,7 +346,11 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ 	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++	if err != nil {
++		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++	}
++
+ 	if _, err := os.Stat(srcOnHost); err != nil {
+ 		if errors.Is(err, os.ErrNotExist) {
+ 			return nil
+-- 
+2.46.0
+

0003-Properly-validate-cache-IDs-and-sources.patch

@@ -0,0 +1,119 @@
+From 7efe216bed829677dd10fa960f8be2459fef752d Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 15:23:03 -0400
+Subject: [PATCH 3/3] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ internal/volumes/volumes.go | 20 +++++++++++++++-----
+ tests/bud.bats              | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 5 deletions(-)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index ccb81b27ed46..037586f704b6 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -11,6 +11,7 @@ import (
+ 
+ 	"errors"
+ 
++	"github.com/containers/buildah/copier"
+ 	"github.com/containers/buildah/define"
+ 	"github.com/containers/buildah/internal"
+ 	internalParse "github.com/containers/buildah/internal/parse"
+@@ -22,6 +23,7 @@ import (
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/lockfile"
+ 	"github.com/containers/storage/pkg/unshare"
++	digest "github.com/opencontainers/go-digest"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -368,7 +370,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ 		}
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++		if err != nil {
++			return newMount, nil, err
++		}
++		newMount.Source = evaluated
+ 	} else {
+ 		// we need to create cache on host if no image is being used
+ 
+@@ -385,11 +391,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 		}
+ 
+ 		if id != "" {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++			// Don't let the user control where we place the directory.
++			dirID := digest.FromString(id).Encoded()[:16]
++			newMount.Source = filepath.Join(cacheParent, dirID)
++			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		} else {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++			// Don't let the user control where we place the directory.
++			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++			newMount.Source = filepath.Join(cacheParent, dirID)
++			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		}
+ 		idPair := idtools.IDPair{
+ 			UID: uid,
+diff --git a/tests/bud.bats b/tests/bud.bats
+index 878a1597a0a7..c2038b0377bc 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -6527,3 +6527,37 @@ _EOF
+   expect_output --substring "localhost/foo/bar"
+   expect_output --substring "localhost/bar"
+ }
++
++@test "build-check-cve-2024-9675" {
++  _prefetch alpine
++
++  touch ${TEST_SCRATCH_DIR}/file.txt
++
++  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
++FROM alpine
++RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
++ls -l /var/tmp && cat /var/tmp/file.txt
++EOF
++
++  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
++  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
++
++  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
++FROM alpine
++RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
++ls -l /var/tmp && cat /var/tmp/file.txt
++EOF
++
++  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
++  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
++
++  mkdir ${TEST_SCRATCH_DIR}/cve20249675
++  cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
++FROM alpine
++RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
++ls -l /var/tmp && cat /var/tmp/file.txt
++EOF
++
++  run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
++  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
++}
+-- 
+2.46.0
+

buildah.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Oct 16 07:24:27 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9675 (bsc#1231499):
+  * 0003-Properly-validate-cache-IDs-and-sources.patch
+- Rebase patches:
+  * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+  * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+
+-------------------------------------------------------------------
+Wed Oct  2 10:24:41 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- Add patches for CVE-2024-9407 and CVE-2024-9341:
+  * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch (bsc#1231208
+    aka CVE-2024-9407)
+  * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch (bsc#1231230
+    aka CVE-2024-9341)
+
 -------------------------------------------------------------------
 Thu Feb 22 12:59:44 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 

buildah.spec

@@ -27,6 +27,9 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
+Patch0:         0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+Patch1:         0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+Patch2:         0003-Properly-validate-cache-IDs-and-sources.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes