Sync from SUSE:ALP:Source:Standard:1.0 podman revision fe147d38b08406f71da9d8814157c45b

This commit is contained in:
Adrian Schröter 2024-11-13 09:22:51 +01:00
parent 05a4227859
commit b4a13e952d
7 changed files with 19790 additions and 9 deletions

View File

@ -1,20 +1,22 @@
From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001 From 2fc0317f54fb2213d308983a04a90355fc035ae1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com> From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
Date: Sun, 30 Jun 2024 16:09:52 +0200 Date: Sun, 30 Jun 2024 16:09:52 +0200
Subject: [PATCH] Backport fix for CVE-2024-6104 Subject: [PATCH 1/5] Backport fix for CVE-2024-6104
This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
applied to the vendor/ source tree applied to the vendor/ source tree
See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
--- ---
.../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++----- .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
1 file changed, 21 insertions(+), 7 deletions(-) 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index 12ac50bcc..efee53c40 100644 index c9edbd0595b0..1394fbc06723 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go --- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go +++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { @@ -609,9 +609,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil { if logger != nil {
switch v := logger.(type) { switch v := logger.(type) {
case LeveledLogger: case LeveledLogger:
@ -26,7 +28,7 @@ index 12ac50bcc..efee53c40 100644
} }
} }
@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { @@ -666,9 +666,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil { if err != nil {
switch v := logger.(type) { switch v := logger.(type) {
case LeveledLogger: case LeveledLogger:
@ -38,7 +40,7 @@ index 12ac50bcc..efee53c40 100644
} }
} else { } else {
// Call this here to maintain the behavior of logging all requests, // Call this here to maintain the behavior of logging all requests,
@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { @@ -704,7 +704,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
if logger != nil { if logger != nil {
@ -47,7 +49,7 @@ index 12ac50bcc..efee53c40 100644
if resp != nil { if resp != nil {
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
} }
@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { @@ -760,11 +760,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
// communicate why // communicate why
if err == nil { if err == nil {
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
@ -61,7 +63,7 @@ index 12ac50bcc..efee53c40 100644
} }
// Try to read the response body so we can reuse this connection. // Try to read the response body so we can reuse this connection.
@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client { @@ -845,3 +845,17 @@ func (c *Client) StandardClient() *http.Client {
Transport: &RoundTripper{Client: c}, Transport: &RoundTripper{Client: c},
} }
} }
@ -80,5 +82,5 @@ index 12ac50bcc..efee53c40 100644
+ return ru.String() + return ru.String()
+} +}
-- --
2.45.2 2.46.0

View File

@ -0,0 +1,162 @@
From ab350f9cb65411fd1d922890b35f1e51b9f06fe7 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Thu, 3 Oct 2024 12:31:04 +0530
Subject: [PATCH 2/5] pkg/subscriptions: use securejoin for the container path
If we join a path from the container image we must always use securejoin
to prevent us from following a symlink onto the host.
Fixes CVE-2024-9341
Bugs: bsc#1231230
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
go.mod | 4 ++--
go.sum | 8 ++++----
.../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
vendor/github.com/containers/common/version/version.go | 2 +-
.../containers/image/v5/docker/docker_image.go | 9 +++++++++
vendor/github.com/containers/image/v5/version/version.go | 2 +-
vendor/modules.txt | 4 ++--
7 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/go.mod b/go.mod
index a84fbbb1b4bb..f765efa6a97f 100644
--- a/go.mod
+++ b/go.mod
@@ -12,10 +12,10 @@ require (
github.com/containernetworking/cni v1.1.2
github.com/containernetworking/plugins v1.3.0
github.com/containers/buildah v1.33.8
- github.com/containers/common v0.57.5
+ github.com/containers/common v0.57.7
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/gvisor-tap-vsock v0.7.2
- github.com/containers/image/v5 v5.29.3
+ github.com/containers/image/v5 v5.29.4
github.com/containers/libhvee v0.5.0
github.com/containers/ocicrypt v1.1.10
github.com/containers/psgo v1.8.0
diff --git a/go.sum b/go.sum
index 495035a32b6e..05578d2a5024 100644
--- a/go.sum
+++ b/go.sum
@@ -260,14 +260,14 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
github.com/containers/buildah v1.33.8 h1:/IfJm5gTHwWshFdRHgLTHkoHNZY85B/xePkpOypBKUw=
github.com/containers/buildah v1.33.8/go.mod h1:aS1MZukKW39pe/yeJ7sRq9Jf2Sl04uePugPIto6ItNo=
-github.com/containers/common v0.57.5 h1:EgIahxAeYpcE0JKl4A4Z2oEUseve1jt+lMuXIqYnalE=
-github.com/containers/common v0.57.5/go.mod h1:dRw+mJGANzTOJZSs+KfJzrSVNQ4zK0u46/MhLCUfzPY=
+github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g=
+github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
-github.com/containers/image/v5 v5.29.3 h1:RJHdxP+ZiC+loIFG2DTmjlVNWTS7o5jrdrRScUrY1VE=
-github.com/containers/image/v5 v5.29.3/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4=
+github.com/containers/image/v5 v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0=
github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
index 6ba2154a7790..d976329f7527 100644
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/common/pkg/umask"
"github.com/containers/storage/pkg/idtools"
+ securejoin "github.com/cyphar/filepath-securejoin"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus"
@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
destDir := "/etc/crypto-policies/back-ends"
- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+ if err != nil {
+ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+ }
if _, err := os.Stat(srcOnHost); err != nil {
if errors.Is(err, os.ErrNotExist) {
return nil
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 9182b589f104..131d5bb4b4a4 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.57.5"
+const Version = "0.57.7"
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
index 4c80bb2b5251..9741afc3f099 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
@@ -14,6 +14,7 @@ import (
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
"github.com/opencontainers/go-digest"
+ "github.com/sirupsen/logrus"
)
// Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
@@ -90,6 +91,14 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
}
for _, tag := range tagsHolder.Tags {
if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
+ // Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
+ // contrary to the tag format specified in
+ // https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
+ // include digests in the list.
+ if _, err := digest.Parse(tag); err == nil {
+ logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
+ continue
+ }
return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
}
tags = append(tags, tag)
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 62d824b3eb20..441e46706818 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -8,7 +8,7 @@ const (
// VersionMinor is for functionality in a backwards-compatible manner
VersionMinor = 29
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 3
+ VersionPatch = 4
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = ""
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d99eb4f52102..c7cfc95010df 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/pkg/volumes
github.com/containers/buildah/util
-# github.com/containers/common v0.57.5
+# github.com/containers/common v0.57.7
## explicit; go 1.18
github.com/containers/common/internal/attributedstring
github.com/containers/common/libimage
@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
# github.com/containers/gvisor-tap-vsock v0.7.2
## explicit; go 1.20
github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.29.3
+# github.com/containers/image/v5 v5.29.4
## explicit; go 1.19
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
--
2.46.0

View File

@ -0,0 +1,49 @@
From 5aebc47dcd2b90460967cea48b713a4a88f93657 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Wed, 16 Oct 2024 14:49:01 +0530
Subject: [PATCH 3/5] CVE-2024-9407: validate "bind-propagation" flag settings
CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
.../containers/buildah/internal/volumes/volumes.go | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index fd1ff7f98592..554c9ac0debc 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -101,6 +101,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if len(kv) == 1 {
return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
}
+ switch kv[1] {
+ default:
+ return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, kv[1])
case "src", "source":
if len(kv) == 1 {
@@ -276,6 +282,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
if len(kv) == 1 {
return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
}
+ switch kv[1] {
+ default:
+ return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, kv[1])
case "id":
if len(kv) == 1 {
--
2.46.0

View File

@ -0,0 +1,68 @@
From 07bc2d7e8860729723c181653e8416ee0eba4070 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Tue, 15 Oct 2024 22:23:52 +0530
Subject: [PATCH 4/5] Properly validate cache IDs and sources
The `--mount type=cache` argument to the `RUN` instruction in
Dockerfiles was using `filepath.Join` on user input, allowing
crafted paths to be used to gain access to paths on the host,
when the command should normally be limited only to Buildah;s own
cache and context directories. Switch to `filepath.SecureJoin` to
resolve the issue.
Fixes CVE-2024-9675
Signed-off-by: Matt Heon <mheon@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
.../buildah/internal/volumes/volumes.go | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index 554c9ac0debc..f20b254ef7d9 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -23,6 +23,7 @@ import (
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/unshare"
+ digest "github.com/opencontainers/go-digest"
specs "github.com/opencontainers/runtime-spec/specs-go"
selinux "github.com/opencontainers/selinux/go-selinux"
)
@@ -373,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
}
// path should be /contextDir/specified path
- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+ if err != nil {
+ return newMount, nil, err
+ }
+ newMount.Source = evaluated
} else {
// we need to create cache on host if no image is being used
@@ -390,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
}
if id != "" {
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+ // Don't let the user control where we place the directory.
+ dirID := digest.FromString(id).Encoded()[:16]
+ newMount.Source = filepath.Join(cacheParent, dirID)
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
} else {
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+ // Don't let the user control where we place the directory.
+ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+ newMount.Source = filepath.Join(cacheParent, dirID)
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
}
idPair := idtools.IDPair{
UID: uid,
--
2.46.0

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Tue Oct 22 07:25:40 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9676 (bsc#1231698):
* 0005-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
- Rebase patches:
* 0001-Backport-fix-for-CVE-2024-6104.patch
* 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
* 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
* 0004-Properly-validate-cache-IDs-and-sources.patch
-------------------------------------------------------------------
Tue Oct 15 17:03:17 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9675 (bsc#1231499):
* 0004-Properly-validate-cache-IDs-and-sources.patch
- Add patch for CVE-2024-9407 (bsc#1231208):
* 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
- Rebase patches:
* 0001-Backport-fix-for-CVE-2024-6104.patch
* 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
-------------------------------------------------------------------
Thu Oct 3 08:41:14 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9341 (bsc#1231230):
* 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
- Rebase patch:
* 0001-Backport-fix-for-CVE-2024-6104.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 29 08:49:02 UTC 2024 - danish.prakash@suse.com Thu Aug 29 08:49:02 UTC 2024 - danish.prakash@suse.com

View File

@ -31,6 +31,10 @@ URL: https://%{project}
Source0: %{name}-%{version}.tar.xz Source0: %{name}-%{version}.tar.xz
Source1: podman.conf Source1: podman.conf
Patch0: 0001-Backport-fix-for-CVE-2024-6104.patch Patch0: 0001-Backport-fix-for-CVE-2024-6104.patch
Patch1: 0002-pkg-subscriptions-use-securejoin-for-the-container-p.patch
Patch2: 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
Patch3: 0004-Properly-validate-cache-IDs-and-sources.patch
Patch4: 0005-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel
BuildRequires: fdupes BuildRequires: fdupes