From ab350f9cb65411fd1d922890b35f1e51b9f06fe7 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Thu, 3 Oct 2024 12:31:04 +0530
Subject: [PATCH 2/5] pkg/subscriptions: use securejoin for the container path

If we join a path from the container image we must always use securejoin to prevent us from following a symlink onto the host.

Fixes CVE-2024-9341

Bugs: bsc#1231230

Signed-off-by: Paul Holzinger
Signed-off-by: Danish Prakash
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
 vendor/github.com/containers/common/version/version.go | 2 +-
 .../containers/image/v5/docker/docker_image.go | 9 +++++++++
 vendor/github.com/containers/image/v5/version/version.go | 2 +-
 vendor/modules.txt | 4 ++--
 7 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index a84fbbb1b4bb..f765efa6a97f 100644
--- a/go.mod
+++ b/go.mod
@@ -12,10 +12,10 @@ require (
 github.com/containernetworking/cni v1.1.2
 github.com/containernetworking/plugins v1.3.0
 github.com/containers/buildah v1.33.8
- github.com/containers/common v0.57.5
+ github.com/containers/common v0.57.7
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/gvisor-tap-vsock v0.7.2
- github.com/containers/image/v5 v5.29.3
+ github.com/containers/image/v5 v5.29.4
 github.com/containers/libhvee v0.5.0
 github.com/containers/ocicrypt v1.1.10
 github.com/containers/psgo v1.8.0
diff --git a/go.sum b/go.sum
index 495035a32b6e..05578d2a5024 100644
--- a/go.sum
+++ b/go.sum
@@ -260,14 +260,14 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
 github.com/containers/buildah v1.33.8 h1:/IfJm5gTHwWshFdRHgLTHkoHNZY85B/xePkpOypBKUw=
 github.com/containers/buildah v1.33.8/go.mod h1:aS1MZukKW39pe/yeJ7sRq9Jf2Sl04uePugPIto6ItNo=
-github.com/containers/common v0.57.5 h1:EgIahxAeYpcE0JKl4A4Z2oEUseve1jt+lMuXIqYnalE=
-github.com/containers/common v0.57.5/go.mod h1:dRw+mJGANzTOJZSs+KfJzrSVNQ4zK0u46/MhLCUfzPY=
+github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g=
+github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
 github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
-github.com/containers/image/v5 v5.29.3 h1:RJHdxP+ZiC+loIFG2DTmjlVNWTS7o5jrdrRScUrY1VE=
-github.com/containers/image/v5 v5.29.3/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4=
+github.com/containers/image/v5 v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
 github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
 github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
index 6ba2154a7790..d976329f7527 100644
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@@ -10,6 +10,7 @@ import (
 "github.com/containers/common/pkg/umask"
 "github.com/containers/storage/pkg/idtools"
+ securejoin "github.com/cyphar/filepath-securejoin"
 rspec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/sirupsen/logrus"
@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
 srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
 destDir := "/etc/crypto-policies/back-ends"
- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+ if err != nil {
+ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+ }
 if _, err := os.Stat(srcOnHost); err != nil {
 if errors.Is(err, os.ErrNotExist) {
 return nil
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 9182b589f104..131d5bb4b4a4 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.57.5"
+const Version = "0.57.7"
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
index 4c80bb2b5251..9741afc3f099 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
@@ -14,6 +14,7 @@ import (
 "github.com/containers/image/v5/manifest"
 "github.com/containers/image/v5/types"
 "github.com/opencontainers/go-digest"
+ "github.com/sirupsen/logrus"
 )
 
 // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
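Review bot: The path returned by `securejoin.SecureJoin` is only known to stay inside `mountPoint` at the instant it is resolved; the `os.Stat(srcOnHost)` that follows, and whatever later reads or copies from that path, re-walk the filesystem, so a rootfs that is concurrently writable could still swap a component for a symlink between the two steps. That contract deserves a comment on the new line, e.g. `// SecureJoin resolves symlinks under mountPoint now; later accesses re-walk the path, so this relies on the rootfs not changing during setup (TOCTOU) — confirm.` The new error would also be clearer with `%q`, so an empty or whitespace-containing path is visible in logs: `return fmt.Errorf("resolve %q in the container: %w", srcBackendDir, err)`. `addFIPSModeSubscription` continues past the hunk, and the import hunk above is the only other change to this file, so if the rest of the function joins `destDir` or any other image-derived path with `mountPoint` via `filepath.Join`, those joins need the same treatment.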
@@ -90,6 +91,14 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
 }
 for _, tag := range tagsHolder.Tags {
 if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
+ // Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
+ // contrary to the tag format specified in
+ // https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
+ // include digests in the list.
+ if _, err := digest.Parse(tag); err == nil {
+ logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
+ continue
+ }
 return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
 }
 tags = append(tags, tag)
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 62d824b3eb20..441e46706818 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -8,7 +8,7 @@ const (
 // VersionMinor is for functionality in a backwards-compatible manner
 VersionMinor = 29
 // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 3
+ VersionPatch = 4
 
 // VersionDev indicates development branch. Releases will be empty string.
 VersionDev = ""
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d99eb4f52102..c7cfc95010df 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.57.5
+# github.com/containers/common v0.57.7
 ## explicit; go 1.18
 github.com/containers/common/internal/attributedstring
 github.com/containers/common/libimage
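Review bot: Entries skipped by the new `digest.Parse` branch are reported only at debug level, so a listing that consists entirely of digest-shaped entries would presumably yield an empty tag slice with no error and no user-visible signal; counting the skipped entries and emitting one `logrus.Warnf` after the loop when the count is non-zero would keep that observable without failing the call. The inner `if _, err := digest.Parse(tag); err == nil` also shadows the outer `err` from `reference.WithTag`, which is why the original parse failure cannot be included in the debug line; a distinct name such as `if _, perr := digest.Parse(tag); perr == nil` would let the log carry it as `logrus.Debugf("Ignoring invalid tag %q matching a digest format: %v", tag, err)`. `GetRepositoryTags` begins and ends outside the hunk.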
@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
 # github.com/containers/gvisor-tap-vsock v0.7.2
 ## explicit; go 1.20
 github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.29.3
+# github.com/containers/image/v5 v5.29.4
 ## explicit; go 1.19
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
-- 
2.46.0