Sync from SUSE:SLFO:Main buildah revision 7197c06b12fc33f8253e032f340903c7

2025-02-20 09:23:17 +01:00 · 2025-02-20 09:23:17 +01:00 · af65aa26be
commit af65aa26be
parent 4260f615f6
9 changed files with 1368 additions and 1627 deletions
--- a/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+++ b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
@ -1,50 +0,0 @@
-From 222f80a6a2ab4efce95bb7c8da3606b5ad4a3170 Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Tue, 1 Oct 2024 11:01:45 -0400
-Subject: [PATCH 1/4] CVE-2024-9407: validate "bind-propagation" flag settings
-
-CVE-2024-9407: validate that the value for the "bind-propagation" flag
-when handling "bind" and "cache" mounts in `buildah run` or in RUN
-instructions is one of the values that we would accept without the
-"bind-propagation=" prefix.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
-(cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b)
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
- internal/volumes/volumes.go | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
-index 515f846f3499..da6b768fdc21 100644
--- a/internal/volumes/volumes.go
-+++ b/internal/volumes/volumes.go
-@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
- 			if !hasArgValue {
- 				return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
- 			}
-+			switch argValue {
-+			default:
-+				return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
-+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
-+				// this should be the relevant parts of the same list of options we accepted above
-+			}
- 			newMount.Options = append(newMount.Options, argValue)
- 		case "src", "source":
- 			if !hasArgValue {
-@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
- 			if !hasArgValue {
- 				return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
- 			}
-+			switch argValue {
-+			default:
-+				return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
-+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
-+				// this should be the relevant parts of the same list of options we accepted above
-+			}
- 			newMount.Options = append(newMount.Options, argValue)
- 		case "id":
- 			if !hasArgValue {
-- 
-2.46.0
-
--- a/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+++ b/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
@ -1,8 +1,7 @@
-From 290dbe53fdc8c31aa51f0851c57bda0f195fc1a6 Mon Sep 17 00:00:00 2001
+From b91b421970fdd5510ff47d9fc44e9b412bec3cb2 Mon Sep 17 00:00:00 2001
 From: Paul Holzinger <pholzing@redhat.com>
 Date: Wed, 2 Oct 2024 12:15:15 +0200
-Subject: [PATCH 2/4] [conmon] pkg/subscriptions: use securejoin for the
- container path
+Subject: [PATCH 1/4] pkg/subscriptions: use securejoin for the container path
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -23,7 +22,7 @@ Signed-off-by: Danish Prakash <contact@danishpraka.sh>
 1 file changed, 6 insertions(+), 1 deletion(-)

 diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
-index 6845914aa285..71ee68a5909c 100644
+index 6845914aa..71ee68a59 100644
 --- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
 +++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@@ -10,6 +10,7 @@ import (
@ -48,5 +47,5 @@ index 6845914aa285..71ee68a5909c 100644
 		if errors.Is(err, os.ErrNotExist) {
 			return nil
 -- 
-2.46.0
+2.48.1

--- a/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+++ b/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
--- a/0003-Properly-validate-cache-IDs-and-sources.patch
+++ b/0003-Properly-validate-cache-IDs-and-sources.patch
@ -1,115 +0,0 @@
-From b48b2e689270ee7cc8c13464cbae1b5405fcb901 Mon Sep 17 00:00:00 2001
-From: Matt Heon <mheon@redhat.com>
-Date: Wed, 9 Oct 2024 15:23:03 -0400
-Subject: [PATCH 3/4] Properly validate cache IDs and sources
-
-The `--mount type=cache` argument to the `RUN` instruction in
-Dockerfiles was using `filepath.Join` on user input, allowing
-crafted paths to be used to gain access to paths on the host,
-when the command should normally be limited only to Buildah;s own
-cache and context directories. Switch to `filepath.SecureJoin` to
-resolve the issue.
-
-Fixes CVE-2024-9675
-
-Signed-off-by: Matt Heon <mheon@redhat.com>
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
- internal/volumes/volumes.go | 22 +++++++++++++++-------
- tests/bud.bats              | 34 ++++++++++++++++++++++++++++++++++
- 2 files changed, 49 insertions(+), 7 deletions(-)
-
-diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
-index da6b768fdc21..2dd04d9c32a4 100644
--- a/internal/volumes/volumes.go
-+++ b/internal/volumes/volumes.go
-@@ -23,6 +23,7 @@ import (
- 	"github.com/containers/storage/pkg/idtools"
- 	"github.com/containers/storage/pkg/lockfile"
- 	"github.com/containers/storage/pkg/unshare"
-+	digest "github.com/opencontainers/go-digest"
- 	specs "github.com/opencontainers/runtime-spec/specs-go"
- 	selinux "github.com/opencontainers/selinux/go-selinux"
- )
-@@ -374,10 +375,13 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
- 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
- 		}
- 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
-+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
-+		if err != nil {
-+			return newMount, nil, err
-+		}
-+		newMount.Source = evaluated
- 	} else {
-		// we need to create cache on host if no image is being used
-
-+		// we need to create the cache directory on the host if no image is being used
- 		// since type is cache and cache can be reused by consecutive builds
- 		// create a common cache directory, which persists on hosts within temp lifecycle
- 		// add subdirectory if specified
-@@ -391,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
- 		}
- 
- 		if id != "" {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
-+			// Don't let the user control where we place the directory.
-+			dirID := digest.FromString(id).Encoded()[:16]
-+			newMount.Source = filepath.Join(cacheParent, dirID)
-+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
- 		} else {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
-+			// Don't let the user control where we place the directory.
-+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
-+			newMount.Source = filepath.Join(cacheParent, dirID)
-+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
- 		}
- 		idPair := idtools.IDPair{
- 			UID: uid,
-diff --git a/tests/bud.bats b/tests/bud.bats
-index b6982bbc0ee4..e28fc3dd8add 100644
--- a/tests/bud.bats
-+++ b/tests/bud.bats
-@@ -6659,3 +6659,37 @@ _EOF
-   assert "$status" -eq 2 "exit code from ls"
-   expect_output --substring "No such file or directory"
- }
-+
-+@test "build-check-cve-2024-9675" {
-+  _prefetch alpine
-+
-+  touch ${TEST_SCRATCH_DIR}/file.txt
-+
-+  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
-+FROM alpine
-+RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
-+ls -l /var/tmp && cat /var/tmp/file.txt
-+EOF
-+
-+  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
-+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
-+
-+  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
-+FROM alpine
-+RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
-+ls -l /var/tmp && cat /var/tmp/file.txt
-+EOF
-+
-+  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
-+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
-+
-+  mkdir ${TEST_SCRATCH_DIR}/cve20249675
-+  cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
-+FROM alpine
-+RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
-+ls -l /var/tmp && cat /var/tmp/file.txt
-+EOF
-+
-+  run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
-+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
-+}
-- 
-2.46.0
-
--- a/0004-http2-close-connections-when-receiving-too-many-head.patch
+++ b/0004-http2-close-connections-when-receiving-too-many-head.patch
@ -0,0 +1,80 @@
+From f8b2315b75ad8a9c8b386502504525e1816982cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
+Date: Wed, 12 Feb 2025 15:33:28 +0100
+Subject: [PATCH 4/4] http2: close connections when receiving too many headers
+ (#1)
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes bsc#1236531
+
+This is a backport of
+https://go.googlesource.com/net/+/ba872109ef2dc8f1da778651bd1fd3792d0e4587%5E%21/#F0
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index e2b298d85..a5a94411d 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1564,6 +1564,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
+			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1576,6 +1577,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
+
+		// Avoid parsing large amounts of headers that we will then discard.
+		// If the sender exceeds the max header list size by too much,
+		// skip parsing the fragment and close the connection.
+		//
+		// "Too much" is either any CONTINUATION frame after we've already
+		// exceeded the max header list size (in which case remainSize is 0),
+		// or a frame whose encoded size is more than twice the remaining
+		// header list bytes we're willing to accept.
+		if int64(len(frag)) > int64(2*remainSize) {
+			if VerboseLogs {
+				log.Printf("http2: header list too large")
+			}
+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
+			// but the struture of the server's frame writer makes this difficult.
+			return nil, ConnectionError(ErrCodeProtocol)
+		}
+
+		// Also close the connection after any CONTINUATION frame following an
+		// invalid header, since we stop tracking the size of the headers after
+		// an invalid one.
+		if invalid != nil {
+			if VerboseLogs {
+				log.Printf("http2: invalid header: %v", invalid)
+			}
+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
+			// but the struture of the server's frame writer makes this difficult.
+			return nil, ConnectionError(ErrCodeProtocol)
+		}
+
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
+-- 
+2.48.1
+
--- a/buildah-1.35.4.tar.xz
+++ b/buildah-1.35.4.tar.xz
--- a/buildah-1.35.5.tar.xz
+++ b/buildah-1.35.5.tar.xz
--- a/buildah.changes
+++ b/buildah.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Feb 12 16:14:32 UTC 2025 - Dan Čermák <dcermak@suse.com>
+
+- Add patch for CVE-2023-45288 (bsc#1236507)
+
+  Rebase patches:
+  * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+  * 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+
+  Added patch:
+  * 0004-http2-close-connections-when-receiving-too-many-head.patch
+    (CVE-2023-45288 - bsc#1236531)
+
+
+-------------------------------------------------------------------
+Mon Jan 27 08:06:43 UTC 2025 - danish.prakash@suse.com
+
+- Update to version 1.35.5 (fix for CVE-2024-11218; bsc#1236272):
+  * Tag v1.35.5
+  * Fix TOCTOU error when bind and cache mounts use "src" values
+  * define.TempDirForURL(): always use an intermediate subdirectory
+  * internal/volume.GetBindMount(): discard writes in bind mounts
+  * pkg/overlay: add a MountLabel flag to Options
+  * pkg/overlay: add a ForceMount flag to Options
+  * Add internal/volumes.bindFromChroot()
+  * Add an internal/open package
+  * Properly validate cache IDs and sources
+  * CVE-2024-9407: validate "bind-propagation" flag settings
+  * Allow cache mounts to be stages or additional build contexts
+  * Integration tests: switch some base images
+  * Disable most packit copr targets
+  * Cross-build on Fedora
+- Rename patches:
+  * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch =>
+    0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+  * 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch =>
+    0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+- Removed patches(merged upstream):
+  * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+  * 0003-Properly-validate-cache-IDs-and-sources.patch
+
 -------------------------------------------------------------------
 Tue Oct 22 08:30:04 UTC 2024 - Danish Prakash <danish.prakash@suse.com>

--- a/buildah.spec
+++ b/buildah.spec
@ -19,7 +19,7 @@

 %define project github.com/containers/buildah
 Name:           buildah
-Version:        1.35.4
+Version:        1.35.5
 Release:        0
 Summary:        Tool for building OCI containers
 License:        Apache-2.0
@ -27,10 +27,9 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
-Patch0:         0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
-Patch1:         0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
-Patch2:         0003-Properly-validate-cache-IDs-and-sources.patch
-Patch3:         0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+Patch0:         0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+Patch1:         0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+Patch3:         0004-http2-close-connections-when-receiving-too-many-head.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes