Sync from SUSE:SLFO:Main buildah revision 61396733da96e7ea213842c2253001b0

0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch

@@ -1,8 +1,8 @@
-From 0c98c1c3dbb5c9fbea086a9e93ebcb3bc6e98726 Mon Sep 17 00:00:00 2001
+From 4e9ff02947ac041376a5f55125221a2d85f0d930 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Mon, 17 Mar 2025 10:37:21 +0100
-Subject: [PATCH 2/2] CVE-2025-22869: vendor/ssh: limit the size of the
- internal packet queue while waiting for KEX (#7)
+Subject: [PATCH] CVE-2025-22869: vendor/ssh: limit the size of the internal
+ packet queue while waiting for KEX (#7)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -35,12 +35,13 @@ Reviewed-by: Roland Shoemaker <roland@golang.org>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 
 Signed-off-by: Dan Čermák <dcermak@suse.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
 ---
  vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
  1 file changed, 37 insertions(+), 10 deletions(-)
 
 diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
-index 56cdc7c21..a68d20f7f 100644
+index 56cdc7c21c3b..a68d20f7f396 100644
 --- a/vendor/golang.org/x/crypto/ssh/handshake.go
 +++ b/vendor/golang.org/x/crypto/ssh/handshake.go
 @@ -25,6 +25,11 @@ const debugHandshake = false

0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch

@@ -1,60 +0,0 @@
-From a506ec542384c4fd73a6a5d9910ba9a37dd6082b Mon Sep 17 00:00:00 2001
-From: Danish Prakash <contact@danishpraka.sh>
-Date: Wed, 5 Mar 2025 15:05:51 +0530
-Subject: [PATCH 1/2] CVE-2025-27144: vendor: don't allow unbounded amounts of
- splits (#4)
-
-In compact JWS/JWE, don't allow unbounded number of splits.
-Count to make sure there's the right number, then use SplitN.
-
-Fixes CVE-2025-27144
-Bugs: bsc#1237681
-
-Cherry-picked from go-jose/go-jose@99b346c
-
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
-Co-authored-by: Matthew McPherrin <git@mcpherrin.ca>
----
- vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++--
- vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
-index 89f03ee3e..9f1322dcc 100644
---- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
-+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
-@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
- 	keyAlgorithms []KeyAlgorithm,
- 	contentEncryption []ContentEncryption,
- ) (*JSONWebEncryption, error) {
--	parts := strings.Split(input, ".")
--	if len(parts) != 5 {
-+	// Five parts is four separators
-+	if strings.Count(input, ".") != 4 {
- 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
- 	}
-+	parts := strings.SplitN(input, ".", 5)
- 
- 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
- 	if err != nil {
-diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
-index 3a912301a..d09d8ba50 100644
---- a/vendor/github.com/go-jose/go-jose/v4/jws.go
-+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
-@@ -327,10 +327,11 @@ func parseSignedCompact(
- 	payload []byte,
- 	signatureAlgorithms []SignatureAlgorithm,
- ) (*JSONWebSignature, error) {
--	parts := strings.Split(input, ".")
--	if len(parts) != 3 {
-+	// Three parts is two separators
-+	if strings.Count(input, ".") != 2 {
- 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
- 	}
-+	parts := strings.SplitN(input, ".", 3)
- 
- 	if parts[1] != "" && payload != nil {
- 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
--- 
-2.49.0
-

_service

@@ -5,7 +5,7 @@
     <param name="filename">buildah</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v1.37.6</param>
+    <param name="revision">v1.39.4</param>
     <param name="changesgenerate">enable</param>
 </service>
 <service name="recompress" mode="manual">

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/buildah.git</param>
-              <param name="changesrevision">fd39521492e60607ce8b2867bd44182e15059858</param></service></servicedata>
+              <param name="changesrevision">5b7b7ca328733fafa9b82810bf919c14cb924549</param></service></servicedata>

buildah.changes

@@ -1,3 +1,233 @@
+-------------------------------------------------------------------
+Wed May 14 10:25:04 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Rebase patch:
+  * 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+- Removed patch:
+  * 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
+  * 0002-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+- Update to version 1.39.4:
+  * [release-1.39] Bump to Buildah v1.39.4
+  * [release-1.39] Bump c/image to v5.34.3, c/common v0.62.3
+  * createPlatformContainer: drop MS_REMOUNT|MS_BIND
+  * [release-1.39] Bump to Buildah v1.39.3
+  * [release-1.39] Bump c/storage to v1.57.2, c/image v5.34.2,...
+  * [release-1.39] Bump to Buildah v1.39.2
+  * [release-1.39] tests/conformance/testdata/Dockerfile.add:...
+  * [release-1.39] Bump c/image to v5.34.1, c/common v0.62.1
+  * Tag v1.39.1
+  * CI config: post-branch update
+  * chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]
+  * chroot createPlatformContainer: use MS_REMOUNT
+  * Bump to Buildah v1.39.0
+  * Bump c/storage v1.57.1, c/image 5.34.0,  c/common v0.62.0
+  * Update module github.com/containers/storage to v1.57.0
+  * CI, .cirrus: parallelize containerized integration
+  * ed's comment: cleanup
+  * use seperate blobinfocache for flaky test
+  * bump CI VMs to 4 CPUs (was: 2) for integration tests
+  * cleanup, debug, and disable parallel in blobcache tests
+  * bats tests - parallelize
+  * pkg/overlay: cleanups
+  * RPM: include check section to silence rpmlint
+  * RPM: use default gobuild macro on RHEL
+  * tests: remove masked /sys/dev/block check
+  * vendor to latest c/{common,image,storage}
+  * build, run: record hash or digest in image history
+  * Accept image names as sources for cache mounts
+  * Run(): always clean up options.ExternalImageMounts
+  * refactor: replace golang.org/x/exp with stdlib
+  * Update to c/image @main
+  * fix broken doc link
+  * run_freebsd.go: only import runtime-spec once
+  * fix(deps): update module github.com/docker/docker to v27.5.1+incompatible
+  * bump github.com/vbatts/tar-split
+  * Add more checks to the --mount flag parsing logic
+  * chroot mount flags integration test: copy binaries
+  * fix(deps): update module github.com/moby/buildkit to v0.19.0
+  * relabel(): correct a misleading parameter name
+  * Fix TOCTOU error when bind and cache mounts use "src" values
+  * define.TempDirForURL(): always use an intermediate subdirectory
+  * internal/volume.GetBindMount(): discard writes in bind mounts
+  * pkg/overlay: add a MountLabel flag to Options
+  * pkg/overlay: add a ForceMount flag to Options
+  * Add internal/volumes.bindFromChroot()
+  * Add an internal/open package
+  * fix(deps): update module github.com/containers/common to v0.61.1
+  * fix(deps): update module github.com/containers/image/v5 to v5.33.1
+  * [CI:DOCS] Touch up changelogs
+  * fix(deps): update module github.com/docker/docker to v27.5.0+incompatible
+  * copy-preserving-extended-attributes: use a different base image
+  * fix(deps): update github.com/containers/luksy digest to a3a812d
+  * chore(deps): update module golang.org/x/net to v0.33.0 [security]
+  * fix(deps): update module golang.org/x/crypto to v0.32.0
+  * New VM Images
+  * fix(deps): update module github.com/opencontainers/runc to v1.2.4
+  * fix(deps): update module github.com/docker/docker to v27.4.1+incompatible
+  * fix(deps): update module github.com/containers/ocicrypt to v1.2.1
+  * Add support for --security-opt mask and unmask
+  * Allow cache mounts to be stages or additional build contexts
+  * [skip-ci] RPM: cleanup changelog conditionals
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.6
+  * fix(deps): update module github.com/moby/buildkit to v0.18.2
+  * Fix an error message in the chroot unit test
+  * copier: use .PAXRecords instead of .Xattrs
+  * chroot: on Linux, try to pivot_root before falling back to chroot
+  * manifest add: add --artifact-annotation
+  * Add context to an error message
+  * Update module golang.org/x/crypto to v0.31.0
+  * Update module github.com/opencontainers/runc to v1.2.3
+  * Update module github.com/docker/docker to v27.4.0+incompatible
+  * Update module github.com/cyphar/filepath-securejoin to v0.3.5
+  * CI: don't build a binary in the unit tests task
+  * CI: use /tmp for $GOCACHE
+  * CI: remove dependencies on the cross-build task
+  * CI: run cross-compile task with make -j
+  * Update module github.com/docker/docker to v27.4.0-rc.4+incompatible
+  * Update module github.com/moby/buildkit to v0.18.1
+  * Update module golang.org/x/crypto to v0.30.0
+  * Update golang.org/x/exp digest to 2d47ceb
+  * Update github.com/opencontainers/runtime-tools digest to f7e3563
+  * [skip-ci] Packit: remove rhel copr build jobs
+  * [skip-ci] Packit: switch to fedora-all for copr
+  * Update module github.com/stretchr/testify to v1.10.0
+  * Update module github.com/moby/buildkit to v0.17.2
+  * Makefile: use `find` to detect source files
+  * Tests: make _prefetch() parallel-safe
+  * Update module github.com/opencontainers/runc to v1.2.2
+  * executor: allow to specify --no-pivot-root
+  * Update module github.com/moby/sys/capability to v0.4.0
+  * Makefile: mv codespell config to .codespellrc
+  * Fix some codespell errors
+  * Makefile,install.md: rm gopath stuff
+  * Makefile: rm targets working on ..
+  * build: rm exclude_graphdriver_devicemapper tag
+  * Makefile: rm unused var
+  * Finish updating to go 1.22
+  * CI VMs: bump again
+  * Bump to Buidah v1.39.0-dev
+  * Bump to Buildah v1.38.0
+  * Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
+  * fix(deps): update module golang.org/x/crypto to v0.29.0
+  * fix(deps): update module github.com/moby/buildkit to v0.17.1
+  * fix(deps): update module github.com/containers/storage to v1.56.0
+  * tests: skip two ulimit tests
+  * CI VMs: bump f40 -> f41
+  * tests/tools: rebuild tools when we change versions
+  * tests/tools: update golangci-lint to v1.61.0
+  * fix(deps): update module github.com/moby/buildkit to v0.17.0
+  * Handle RUN --mount with relative targets and no configured workdir
+  * tests: bud: make parallel-safe
+  * fix(deps): update module github.com/opencontainers/runc to v1.2.1
+  * fix(deps): update golang.org/x/exp digest to f66d83c
+  * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a
+  * tests: blobcache: use unique image name
+  * tests: sbom: never write to cwd
+  * tests: mkcw: bug fixes, refactor
+  * deps: bump runc to v1.2.0
+  * deps: switch to moby/sys/userns
+  * tests/test_runner.sh: remove some redundancies
+  * Integration tests: run git daemon on a random-but-bind()able port
+  * fix(deps): update module github.com/opencontainers/selinux to v1.11.1
+  * go.mod: remove unnecessary replace
+  * Document more buildah build --secret options
+  * Add support for COPY --exclude and ADD --exclude options
+  * fix(deps): update github.com/containers/luksy digest to e2530d6
+  * chore(deps): update dependency containers/automation_images to v20241010
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4
+  * Properly validate cache IDs and sources
+  * [skip-ci] Packit: constrain koji job to fedora package to avoid dupes
+  * Audit and tidy OWNERS
+  * fix(deps): update module golang.org/x/crypto to v0.28.0
+  * tests: add quotes to names
+  * vendor: update c/common to latest
+  * CVE-2024-9407: validate "bind-propagation" flag settings
+  * vendor: switch to moby/sys/capability
+  * Don't set ambient capabilities
+  * Document that zstd:chunked is downgraded to zstd when encrypting
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3
+  * buildah-manifest-create.1: Fix manpage section
+  * chore(deps): update dependency ubuntu to v24
+  * Make `buildah manifest push --all` true by default
+  * chroot: add newlines at the end of printed error messages
+  * Do not error on trying to write IMA xattr as rootless
+  * fix: remove duplicate conditions
+  * fix(deps): update module github.com/moby/buildkit to v0.16.0
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2
+  * Document how entrypoint is configured in buildah config
+  * In a container, try to register binfmt_misc
+  * imagebuildah.StageExecutor: clean up volumes/volumeCache
+  * build: fall back to parsing a TARGETPLATFORM build-arg
+  * `manifest add --artifact`: handle multiple values
+  * Packit: split out ELN jobs and reuse fedora downstream targets
+  * Packit: Enable sidetags for bodhi updates
+  * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible
+  * tests/bud.bats: add git source
+  * add: add support for git source
+  * Add support for the new c/common pasta options
+  * vendor latest c/common
+  * fix(deps): update module golang.org/x/term to v0.24.0
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0
+  * packit: update fedora and epel targets
+  * cirrus: disable f39 testing
+  * cirrus: fix fedora names
+  * update to go 1.22
+  * Vendor c/common:9d025e4cb348
+  * copier: handle globbing with "**" path components
+  * fix(deps): update golang.org/x/exp digest to 9b4947d
+  * fix(deps): update github.com/containers/luksy digest to 2e7307c
+  * imagebuildah: make scratch config handling toggleable
+  * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible
+  * Add a validation script for Makefile $(SOURCES)
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.15
+  * New VMs
+  * Update some godocs, use 0o to prefix an octal in a comment
+  * buildah-build.1.md: expand the --layer-label description
+  * fix(deps): update module github.com/containers/common to v0.60.2
+  * stage_executor: set avoidLookingCache only if mounting stage
+  * imagebuildah: additionalContext is not a local built stage
+  * run: fix a nil pointer dereference on FreeBSD
+  * CI: enable the whitespace linter
+  * Fix some govet linter warnings
+  * Commit(): retry committing to local storage on storage.LayerUnknown
+  * CI: enable the gofumpt linter
+  * conformance: move weirdly-named files out of the repository
+  * fix(deps): update module github.com/docker/docker to v27.1.2+incompatible
+  * fix(deps): update module github.com/containers/common to v0.60.1
+  * *: use gofmt -s, add gofmt linter
+  * *: fix build tags
+  * fix(deps): update module github.com/containers/image/v5 to v5.32.1
+  * Add(): re-escape any globbed items that included escapes
+  * conformance tests: use mirror.gcr.io for most images
+  * unit tests: use test-specific policy.json and registries.conf
+  * fix(deps): update module golang.org/x/sys to v0.24.0
+  * Update to spun-out "github.com/containerd/platforms"
+  * Bump github.com/containerd/containerd
+  * test/tools/Makefile: duplicate the vendor-in-container target
+  * linters: unchecked error
+  * linters: don't end loop iterations with "else" when "then" would
+  * linters: unused arguments shouldn't have names
+  * linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5()
+  * linters: don't name variables "cap"
+  * `make lint`: use --timeout instead of --deadline
+  * Drop the e2e test suite
+  * fix(deps): update module golang.org/x/crypto to v0.26.0
+  * fix(deps): update module github.com/onsi/gomega to v1.34.1
+  * `make vendor-in-container`: use the caller's Go cache if it exists
+  * fix(deps): fix test/tools ginkgo typo
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1
+  * Update to keep up with API changes in storage
+  * fix(deps): update github.com/containers/luksy digest to 1f482a9
+  * install: On Debian/Ubuntu, add installation of libbtrfs-dev
+  * fix(deps): update module golang.org/x/sys to v0.23.0
+  * fix(deps): update golang.org/x/exp digest to 8a7402a
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
+  * Use Epoch: 2 and respect the epoch in dependencies.
+  * Bump to Buildah v1.38.0-dev
+  * AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
+  * Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
+  * integration tests: teach starthttpd() about TLS and pid files
+
 -------------------------------------------------------------------
 Mon Mar 24 11:04:14 UTC 2025 - Dan Čermák <dcermak@suse.com>
 

buildah.spec

@@ -19,7 +19,7 @@
 
 %define project github.com/containers/buildah
 Name:           buildah
-Version:        1.37.6
+Version:        1.39.4
 Release:        0
 Summary:        Tool for building OCI containers
 License:        Apache-2.0
@@ -27,8 +27,7 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
-Patch0:         0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
-Patch1:         0002-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+Patch0:         0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes