Sync from SUSE:ALP:Source:Standard:1.0 podman revision 79e92c50727ff6fc8065627b5540d621

0001-Backport-fix-for-CVE-2024-6104.patch

@@ -0,0 +1,84 @@
+From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
+Date: Sun, 30 Jun 2024 16:09:52 +0200
+Subject: [PATCH] Backport fix for CVE-2024-6104
+
+This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
+applied to the vendor/ source tree
+See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
+---
+ .../hashicorp/go-retryablehttp/client.go      | 28 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+index 12ac50bcc..efee53c40 100644
+--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 	if logger != nil {
+ 		switch v := logger.(type) {
+ 		case LeveledLogger:
+-			v.Debug("performing request", "method", req.Method, "url", req.URL)
++			v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
+ 		case Logger:
+-			v.Printf("[DEBUG] %s %s", req.Method, req.URL)
++			v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
+ 		}
+ 	}
+ 
+@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 		if err != nil {
+ 			switch v := logger.(type) {
+ 			case LeveledLogger:
+-				v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
++				v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
+ 			case Logger:
+-				v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
++				v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
+ 			}
+ 		} else {
+ 			// Call this here to maintain the behavior of logging all requests,
+@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 
+ 		wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
+ 		if logger != nil {
+-			desc := fmt.Sprintf("%s %s", req.Method, req.URL)
++			desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
+ 			if resp != nil {
+ 				desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
+ 			}
+@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 	// communicate why
+ 	if err == nil {
+ 		return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
+-			req.Method, req.URL, attempt)
++			req.Method, redactURL(req.URL), attempt)
+ 	}
+ 
+ 	return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
+-		req.Method, req.URL, attempt, err)
++		req.Method, redactURL(req.URL), attempt, err)
+ }
+ 
+ // Try to read the response body so we can reuse this connection.
+@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
+ 		Transport: &RoundTripper{Client: c},
+ 	}
+ }
++
++// Taken from url.URL#Redacted() which was introduced in go 1.15.
++// We can switch to using it directly if we'll bump the minimum required go version.
++func redactURL(u *url.URL) string {
++	if u == nil {
++		return ""
++	}
++
++	ru := *u
++	if _, has := ru.User.Password(); has {
++		ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
++	}
++	return ru.String()
++}
+-- 
+2.45.2
+

_service

@@ -2,7 +2,7 @@
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/containers/podman.git</param>
     <param name="scm">git</param>
-    <param name="revision">v4.9.3</param>
+    <param name="revision">v4.9.5</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/podman.git</param>
-              <param name="changesrevision">8d2b55ddde1bc81f43d018dfc1ac027c06b26a7f</param></service></servicedata>
+              <param name="changesrevision">1d51e91436c6cdf257ff26f38b5c941a51bb12d1</param></service></servicedata>

podman.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Thu Aug 29 08:49:02 UTC 2024 - danish.prakash@suse.com
+
+- Add patch to fix bsc#1227052 / CVE-2024-6104:
+  * 0001-Backport-fix-for-CVE-2024-6104.patch
+- Update to version 4.9.5:
+  * Bump to v4.9.5
+  * Update release notes for v4.9.5
+  * fix "concurrent map writes" in network ls compat endpoint
+  * [v4.9] Fix for CVE-2024-3727
+  * Disable failing bud test
+  * CI Maintenance: Disable machine tests
+  * [CI:DOCS] Allow downgrade of WiX
+  * [CI:DOCS] Force WiX 3.11
+  * [CI:DOCS] Fix windows installer action
+  * Bump to v4.9.5-dev
+  * Bump to v4.9.4
+  * Update release notes for v4.9.4
+  * [v4.9] Bump Buildah to v1.33.7, CVE-2024-1753, CVE-2024-24786
+  * Add farm command to commands list
+  * Bump to FreeBSD 13.3 (13.2 vanished)
+  * Update health-start-periods docs
+  * Don't update health check status during initialDelaySeconds
+  * image scp: don't require port for ssh URL
+  * Ignore docker's end point config when the final network mode isn't bridge.
+  * Fix running container from docker client with rootful in rootless podman.
+  * [skip-ci] Packit: remove koji and bodhi tasks for v4.9
+  * Bump to v4.9.4-dev
+  * Remove gitleaks scanning
+
 -------------------------------------------------------------------
 Thu Feb 22 13:54:00 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 

podman.spec

@@ -22,7 +22,7 @@
 %bcond_without  apparmor
 
 Name:           podman
-Version:        4.9.3
+Version:        4.9.5
 Release:        0
 Summary:        Daemon-less container engine for managing containers, pods and images
 License:        Apache-2.0
@@ -30,6 +30,7 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        podman.conf
+Patch0:         0001-Backport-fix-for-CVE-2024-6104.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes