Sync from SUSE:ALP:Source:Standard:1.0 podman revision fe147d38b08406f71da9d8814157c45b

0001-Backport-fix-for-CVE-2024-6104.patch

@@ -1,20 +1,22 @@
-From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
+From 2fc0317f54fb2213d308983a04a90355fc035ae1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Sun, 30 Jun 2024 16:09:52 +0200
-Subject: [PATCH] Backport fix for CVE-2024-6104
+Subject: [PATCH 1/5] Backport fix for CVE-2024-6104
 
 This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
 applied to the vendor/ source tree
 See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
 ---
  .../hashicorp/go-retryablehttp/client.go      | 28 ++++++++++++++-----
  1 file changed, 21 insertions(+), 7 deletions(-)
 
 diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
-index 12ac50bcc..efee53c40 100644
+index c9edbd0595b0..1394fbc06723 100644
 --- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
 +++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
-@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+@@ -609,9 +609,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
  	if logger != nil {
  		switch v := logger.(type) {
  		case LeveledLogger:
@@ -26,7 +28,7 @@ index 12ac50bcc..efee53c40 100644
  		}
  	}
  
-@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+@@ -666,9 +666,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
  		if err != nil {
  			switch v := logger.(type) {
  			case LeveledLogger:
@@ -38,7 +40,7 @@ index 12ac50bcc..efee53c40 100644
  			}
  		} else {
  			// Call this here to maintain the behavior of logging all requests,
-@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+@@ -704,7 +704,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
  
  		wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
  		if logger != nil {
@@ -47,7 +49,7 @@ index 12ac50bcc..efee53c40 100644
  			if resp != nil {
  				desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
  			}
-@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+@@ -760,11 +760,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
  	// communicate why
  	if err == nil {
  		return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
@@ -61,7 +63,7 @@ index 12ac50bcc..efee53c40 100644
  }
  
  // Try to read the response body so we can reuse this connection.
-@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
+@@ -845,3 +845,17 @@ func (c *Client) StandardClient() *http.Client {
  		Transport: &RoundTripper{Client: c},
  	}
  }
@@ -80,5 +82,5 @@ index 12ac50bcc..efee53c40 100644
 +	return ru.String()
 +}
 -- 
-2.45.2
+2.46.0
 

0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch

@@ -0,0 +1,162 @@
+From ab350f9cb65411fd1d922890b35f1e51b9f06fe7 Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Thu, 3 Oct 2024 12:31:04 +0530
+Subject: [PATCH 2/5] pkg/subscriptions: use securejoin for the container path
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+Bugs: bsc#1231230
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ go.mod                                                   | 4 ++--
+ go.sum                                                   | 8 ++++----
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ vendor/github.com/containers/common/version/version.go   | 2 +-
+ .../containers/image/v5/docker/docker_image.go           | 9 +++++++++
+ vendor/github.com/containers/image/v5/version/version.go | 2 +-
+ vendor/modules.txt                                       | 4 ++--
+ 7 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index a84fbbb1b4bb..f765efa6a97f 100644
+--- a/go.mod
++++ b/go.mod
+@@ -12,10 +12,10 @@ require (
+ 	github.com/containernetworking/cni v1.1.2
+ 	github.com/containernetworking/plugins v1.3.0
+ 	github.com/containers/buildah v1.33.8
+-	github.com/containers/common v0.57.5
++	github.com/containers/common v0.57.7
+ 	github.com/containers/conmon v2.0.20+incompatible
+ 	github.com/containers/gvisor-tap-vsock v0.7.2
+-	github.com/containers/image/v5 v5.29.3
++	github.com/containers/image/v5 v5.29.4
+ 	github.com/containers/libhvee v0.5.0
+ 	github.com/containers/ocicrypt v1.1.10
+ 	github.com/containers/psgo v1.8.0
+diff --git a/go.sum b/go.sum
+index 495035a32b6e..05578d2a5024 100644
+--- a/go.sum
++++ b/go.sum
+@@ -260,14 +260,14 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
+ github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
+ github.com/containers/buildah v1.33.8 h1:/IfJm5gTHwWshFdRHgLTHkoHNZY85B/xePkpOypBKUw=
+ github.com/containers/buildah v1.33.8/go.mod h1:aS1MZukKW39pe/yeJ7sRq9Jf2Sl04uePugPIto6ItNo=
+-github.com/containers/common v0.57.5 h1:EgIahxAeYpcE0JKl4A4Z2oEUseve1jt+lMuXIqYnalE=
+-github.com/containers/common v0.57.5/go.mod h1:dRw+mJGANzTOJZSs+KfJzrSVNQ4zK0u46/MhLCUfzPY=
++github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g=
++github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ=
+ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
+ github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
+ github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
+ github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
+-github.com/containers/image/v5 v5.29.3 h1:RJHdxP+ZiC+loIFG2DTmjlVNWTS7o5jrdrRScUrY1VE=
+-github.com/containers/image/v5 v5.29.3/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
++github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4=
++github.com/containers/image/v5 v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+ github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
+ github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0=
+ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154a7790..d976329f7527 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ 	"github.com/containers/common/pkg/umask"
+ 	"github.com/containers/storage/pkg/idtools"
++	securejoin "github.com/cyphar/filepath-securejoin"
+ 	rspec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ 	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++	if err != nil {
++		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++	}
+ 	if _, err := os.Stat(srcOnHost); err != nil {
+ 		if errors.Is(err, os.ErrNotExist) {
+ 			return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index 9182b589f104..131d5bb4b4a4 100644
+--- a/vendor/github.com/containers/common/version/version.go
++++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+ 
+ // Version is the version of the build.
+-const Version = "0.57.5"
++const Version = "0.57.7"
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
+index 4c80bb2b5251..9741afc3f099 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
+@@ -14,6 +14,7 @@ import (
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+ 	"github.com/opencontainers/go-digest"
++	"github.com/sirupsen/logrus"
+ )
+ 
+ // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
+@@ -90,6 +91,14 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
+ 		}
+ 		for _, tag := range tagsHolder.Tags {
+ 			if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
++				// Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
++				// contrary to the tag format specified in
++				// https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
++				// include digests in the list.
++				if _, err := digest.Parse(tag); err == nil {
++					logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
++					continue
++				}
+ 				return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
+ 			}
+ 			tags = append(tags, tag)
+diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
+index 62d824b3eb20..441e46706818 100644
+--- a/vendor/github.com/containers/image/v5/version/version.go
++++ b/vendor/github.com/containers/image/v5/version/version.go
+@@ -8,7 +8,7 @@ const (
+ 	// VersionMinor is for functionality in a backwards-compatible manner
+ 	VersionMinor = 29
+ 	// VersionPatch is for backwards-compatible bug fixes
+-	VersionPatch = 3
++	VersionPatch = 4
+ 
+ 	// VersionDev indicates development branch. Releases will be empty string.
+ 	VersionDev = ""
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index d99eb4f52102..c7cfc95010df 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.57.5
++# github.com/containers/common v0.57.7
+ ## explicit; go 1.18
+ github.com/containers/common/internal/attributedstring
+ github.com/containers/common/libimage
+@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
+ # github.com/containers/gvisor-tap-vsock v0.7.2
+ ## explicit; go 1.20
+ github.com/containers/gvisor-tap-vsock/pkg/types
+-# github.com/containers/image/v5 v5.29.3
++# github.com/containers/image/v5 v5.29.4
+ ## explicit; go 1.19
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+-- 
+2.46.0
+

0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch

@@ -0,0 +1,49 @@
+From 5aebc47dcd2b90460967cea48b713a4a88f93657 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Wed, 16 Oct 2024 14:49:01 +0530
+Subject: [PATCH 3/5] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../containers/buildah/internal/volumes/volumes.go   | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index fd1ff7f98592..554c9ac0debc 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
++++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -101,6 +101,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 			if len(kv) == 1 {
+ 				return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ 			}
++			switch kv[1] {
++			default:
++				return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++				// this should be the relevant parts of the same list of options we accepted above
++			}
+ 			newMount.Options = append(newMount.Options, kv[1])
+ 		case "src", "source":
+ 			if len(kv) == 1 {
+@@ -276,6 +282,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			if len(kv) == 1 {
+ 				return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ 			}
++			switch kv[1] {
++			default:
++				return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++				// this should be the relevant parts of the same list of options we accepted above
++			}
+ 			newMount.Options = append(newMount.Options, kv[1])
+ 		case "id":
+ 			if len(kv) == 1 {
+-- 
+2.46.0
+

0004-Properly-validate-cache-IDs-and-sources.patch

@@ -0,0 +1,68 @@
+From 07bc2d7e8860729723c181653e8416ee0eba4070 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Tue, 15 Oct 2024 22:23:52 +0530
+Subject: [PATCH 4/5] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../buildah/internal/volumes/volumes.go       | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index 554c9ac0debc..f20b254ef7d9 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
++++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/lockfile"
+ 	"github.com/containers/storage/pkg/unshare"
++	digest "github.com/opencontainers/go-digest"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -373,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ 		}
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++		if err != nil {
++			return newMount, nil, err
++		}
++		newMount.Source = evaluated
+ 	} else {
+ 		// we need to create cache on host if no image is being used
+ 
+@@ -390,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 		}
+ 
+ 		if id != "" {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++			// Don't let the user control where we place the directory.
++			dirID := digest.FromString(id).Encoded()[:16]
++			newMount.Source = filepath.Join(cacheParent, dirID)
++			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		} else {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++			// Don't let the user control where we place the directory.
++			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++			newMount.Source = filepath.Join(cacheParent, dirID)
++			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		}
+ 		idPair := idtools.IDPair{
+ 			UID: uid,
+-- 
+2.46.0
+

podman.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Tue Oct 22 07:25:40 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9676 (bsc#1231698):
+  * 0005-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+- Rebase patches:
+  * 0001-Backport-fix-for-CVE-2024-6104.patch
+  * 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+  * 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+  * 0004-Properly-validate-cache-IDs-and-sources.patch
+
+-------------------------------------------------------------------
+Tue Oct 15 17:03:17 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9675 (bsc#1231499):
+  * 0004-Properly-validate-cache-IDs-and-sources.patch
+- Add patch for CVE-2024-9407 (bsc#1231208):
+  * 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+- Rebase patches:
+  * 0001-Backport-fix-for-CVE-2024-6104.patch
+  * 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+
+-------------------------------------------------------------------
+Thu Oct  3 08:41:14 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9341 (bsc#1231230):
+  * 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+- Rebase patch:
+  * 0001-Backport-fix-for-CVE-2024-6104.patch
+
 -------------------------------------------------------------------
 Thu Aug 29 08:49:02 UTC 2024 - danish.prakash@suse.com
 

podman.spec

@@ -31,6 +31,10 @@ URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        podman.conf
 Patch0:         0001-Backport-fix-for-CVE-2024-6104.patch
+Patch1:         0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+Patch2:         0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+Patch3:         0004-Properly-validate-cache-IDs-and-sources.patch
+Patch4:         0005-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes