Sync from SUSE:SLFO:Main buildah revision 7818a5255c6fc06ebe01d76749bd35dc

2024-10-11 09:59:39 +02:00 · 2024-10-11 09:59:39 +02:00 · 9df1ac9980
commit 9df1ac9980
parent f02f743fd5
4 changed files with 119 additions and 0 deletions
--- a/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+++ b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
@ -0,0 +1,49 @@
+From 222f80a6a2ab4efce95bb7c8da3606b5ad4a3170 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Tue, 1 Oct 2024 11:01:45 -0400
+Subject: [PATCH 1/2] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+(cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b)
+---
+ internal/volumes/volumes.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index 515f846f3..da6b768fd 100644
+--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
+@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 			if !hasArgValue {
+ 				return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ 			}
+			switch argValue {
+			default:
+				return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
+ 			newMount.Options = append(newMount.Options, argValue)
+ 		case "src", "source":
+ 			if !hasArgValue {
+@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			if !hasArgValue {
+ 				return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ 			}
+			switch argValue {
+			default:
+				return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
+ 			newMount.Options = append(newMount.Options, argValue)
+ 		case "id":
+ 			if !hasArgValue {
+-- 
+2.46.2
+
--- a/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+++ b/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
@ -0,0 +1,51 @@
+From 290dbe53fdc8c31aa51f0851c57bda0f195fc1a6 Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Wed, 2 Oct 2024 12:15:15 +0200
+Subject: [PATCH 2/2] [conmon] pkg/subscriptions: use securejoin for the
+ container path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+Cherry-pick from
+https://github.com/containers/common/commit/5a550b6fe26068dd1d5d2616c8595edf10b41e28
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Dan Čermák <dcermak@suse.com>
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go   | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6845914aa..71ee68a59 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ 	"github.com/containers/common/pkg/umask"
+ 	"github.com/containers/storage/pkg/idtools"
+	securejoin "github.com/cyphar/filepath-securejoin"
+ 	rspec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -345,7 +346,11 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ 	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+	if err != nil {
+		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+	}
+
+ 	if _, err := os.Stat(srcOnHost); err != nil {
+ 		if errors.Is(err, os.ErrNotExist) {
+ 			return nil
+-- 
+2.46.2
+
--- a/buildah.changes
+++ b/buildah.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Oct  2 10:24:41 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- Add patches for CVE-2024-9407 and CVE-2024-9341:
+  * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch (bsc#1231208
+    aka CVE-2024-9407)
+  * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch (bsc#1231230
+    aka CVE-2024-9341)
+
 -------------------------------------------------------------------
 Fri May 10 13:56:57 UTC 2024 - danish.prakash@suse.com

@ -21,12 +30,20 @@ Tue Apr 02 12:49:59 UTC 2024 - dcermak@suse.com
  * [release-1.35] CVE-2024-24786 protobuf to 1.33
  * [release-1.35] Bump to v1.35.2-dev

+-------------------------------------------------------------------
+Tue Mar 19 11:22:35 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- Add patch for CVE-2024-1753 / bsc#1221677:
+  0001-CVE-2024-1753-container-escape-fix.patch
+
 -------------------------------------------------------------------
 Tue Mar 19 10:23:06 UTC 2024 - dcermak@suse.com

 - Update to version 1.35.1:
  * [release-1.35] Bump to v1.35.1
  * [release-1.35] CVE-2024-1753 container escape fix (bsc#1221677)
+- Remove upstreamed patches:
+  - 0001-CVE-2024-1753-container-escape-fix.patch

 -------------------------------------------------------------------
 Mon Mar 18 11:25:51 UTC 2024 - Dan Čermák <dcermak@suse.com>
--- a/buildah.spec
+++ b/buildah.spec
@ -27,6 +27,8 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
+Patch0:         0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+Patch1:         0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes