Sync from SUSE:SLFO:1.1 buildah revision 858adb221ffe9de2bb659f6d512a2b7d

2024-10-23 09:56:14 +02:00 · 2024-10-23 09:56:14 +02:00 · 4260f615f6
commit 4260f615f6
parent ca1eaa3cba
6 changed files with 17958 additions and 3 deletions
--- a/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+++ b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
@ -1,7 +1,7 @@
 From 222f80a6a2ab4efce95bb7c8da3606b5ad4a3170 Mon Sep 17 00:00:00 2001
 From: Nalin Dahyabhai <nalin@redhat.com>
 Date: Tue, 1 Oct 2024 11:01:45 -0400
-Subject: [PATCH 1/3] CVE-2024-9407: validate "bind-propagation" flag settings
+Subject: [PATCH 1/4] CVE-2024-9407: validate "bind-propagation" flag settings

 CVE-2024-9407: validate that the value for the "bind-propagation" flag
 when handling "bind" and "cache" mounts in `buildah run` or in RUN
--- a/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+++ b/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
@ -1,7 +1,7 @@
 From 290dbe53fdc8c31aa51f0851c57bda0f195fc1a6 Mon Sep 17 00:00:00 2001
 From: Paul Holzinger <pholzing@redhat.com>
 Date: Wed, 2 Oct 2024 12:15:15 +0200
-Subject: [PATCH 2/3] [conmon] pkg/subscriptions: use securejoin for the
+Subject: [PATCH 2/4] [conmon] pkg/subscriptions: use securejoin for the
 container path
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
--- a/0003-Properly-validate-cache-IDs-and-sources.patch
+++ b/0003-Properly-validate-cache-IDs-and-sources.patch
@ -1,7 +1,7 @@
 From b48b2e689270ee7cc8c13464cbae1b5405fcb901 Mon Sep 17 00:00:00 2001
 From: Matt Heon <mheon@redhat.com>
 Date: Wed, 9 Oct 2024 15:23:03 -0400
-Subject: [PATCH 3/3] Properly validate cache IDs and sources
+Subject: [PATCH 3/4] Properly validate cache IDs and sources

 The `--mount type=cache` argument to the `RUN` instruction in
 Dockerfiles was using `filepath.Join` on user input, allowing
--- a/0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+++ b/0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
--- a/buildah.changes
+++ b/buildah.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Oct 22 08:30:04 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9676 (bsc#1231698):
+  * 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+- Rebase patches:
+  * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+  * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+  * 0003-Properly-validate-cache-IDs-and-sources.patch
+
 -------------------------------------------------------------------
 Wed Oct 16 06:53:35 UTC 2024 - Danish Prakash <danish.prakash@suse.com>

--- a/buildah.spec
+++ b/buildah.spec
@ -30,6 +30,7 @@ Source1:        %{name}-rpmlintrc
 Patch0:         0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
 Patch1:         0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
 Patch2:         0003-Properly-validate-cache-IDs-and-sources.patch
+Patch3:         0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes