Sync from SUSE:SLFO:Main buildah revision f6fbf7726e04b6f8bd12a68ed0d2c668
This commit is contained in:
parent
9df1ac9980
commit
ca1eaa3cba
@ -1,7 +1,7 @@
|
||||
From 222f80a6a2ab4efce95bb7c8da3606b5ad4a3170 Mon Sep 17 00:00:00 2001
|
||||
From: Nalin Dahyabhai <nalin@redhat.com>
|
||||
Date: Tue, 1 Oct 2024 11:01:45 -0400
|
||||
Subject: [PATCH 1/2] CVE-2024-9407: validate "bind-propagation" flag settings
|
||||
Subject: [PATCH 1/3] CVE-2024-9407: validate "bind-propagation" flag settings
|
||||
|
||||
CVE-2024-9407: validate that the value for the "bind-propagation" flag
|
||||
when handling "bind" and "cache" mounts in `buildah run` or in RUN
|
||||
@ -10,12 +10,13 @@ instructions is one of the values that we would accept without the
|
||||
|
||||
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
||||
(cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b)
|
||||
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
||||
---
|
||||
internal/volumes/volumes.go | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
|
||||
index 515f846f3..da6b768fd 100644
|
||||
index 515f846f3499..da6b768fdc21 100644
|
||||
--- a/internal/volumes/volumes.go
|
||||
+++ b/internal/volumes/volumes.go
|
||||
@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
|
||||
@ -45,5 +46,5 @@ index 515f846f3..da6b768fd 100644
|
||||
case "id":
|
||||
if !hasArgValue {
|
||||
--
|
||||
2.46.2
|
||||
2.46.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 290dbe53fdc8c31aa51f0851c57bda0f195fc1a6 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Holzinger <pholzing@redhat.com>
|
||||
Date: Wed, 2 Oct 2024 12:15:15 +0200
|
||||
Subject: [PATCH 2/2] [conmon] pkg/subscriptions: use securejoin for the
|
||||
Subject: [PATCH 2/3] [conmon] pkg/subscriptions: use securejoin for the
|
||||
container path
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
@ -17,12 +17,13 @@ https://github.com/containers/common/commit/5a550b6fe26068dd1d5d2616c8595edf10b4
|
||||
|
||||
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
||||
Signed-off-by: Dan Čermák <dcermak@suse.com>
|
||||
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
||||
---
|
||||
.../containers/common/pkg/subscriptions/subscriptions.go | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
|
||||
index 6845914aa..71ee68a59 100644
|
||||
index 6845914aa285..71ee68a5909c 100644
|
||||
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
|
||||
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
|
||||
@@ -10,6 +10,7 @@ import (
|
||||
@ -47,5 +48,5 @@ index 6845914aa..71ee68a59 100644
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
return nil
|
||||
--
|
||||
2.46.2
|
||||
2.46.0
|
||||
|
||||
|
115
0003-Properly-validate-cache-IDs-and-sources.patch
Normal file
115
0003-Properly-validate-cache-IDs-and-sources.patch
Normal file
@ -0,0 +1,115 @@
|
||||
From b48b2e689270ee7cc8c13464cbae1b5405fcb901 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Heon <mheon@redhat.com>
|
||||
Date: Wed, 9 Oct 2024 15:23:03 -0400
|
||||
Subject: [PATCH 3/3] Properly validate cache IDs and sources
|
||||
|
||||
The `--mount type=cache` argument to the `RUN` instruction in
|
||||
Dockerfiles was using `filepath.Join` on user input, allowing
|
||||
crafted paths to be used to gain access to paths on the host,
|
||||
when the command should normally be limited only to Buildah;s own
|
||||
cache and context directories. Switch to `filepath.SecureJoin` to
|
||||
resolve the issue.
|
||||
|
||||
Fixes CVE-2024-9675
|
||||
|
||||
Signed-off-by: Matt Heon <mheon@redhat.com>
|
||||
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
||||
---
|
||||
internal/volumes/volumes.go | 22 +++++++++++++++-------
|
||||
tests/bud.bats | 34 ++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 49 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
|
||||
index da6b768fdc21..2dd04d9c32a4 100644
|
||||
--- a/internal/volumes/volumes.go
|
||||
+++ b/internal/volumes/volumes.go
|
||||
@@ -23,6 +23,7 @@ import (
|
||||
"github.com/containers/storage/pkg/idtools"
|
||||
"github.com/containers/storage/pkg/lockfile"
|
||||
"github.com/containers/storage/pkg/unshare"
|
||||
+ digest "github.com/opencontainers/go-digest"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
selinux "github.com/opencontainers/selinux/go-selinux"
|
||||
)
|
||||
@@ -374,10 +375,13 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
|
||||
return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
|
||||
}
|
||||
// path should be /contextDir/specified path
|
||||
- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
|
||||
+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
|
||||
+ if err != nil {
|
||||
+ return newMount, nil, err
|
||||
+ }
|
||||
+ newMount.Source = evaluated
|
||||
} else {
|
||||
- // we need to create cache on host if no image is being used
|
||||
-
|
||||
+ // we need to create the cache directory on the host if no image is being used
|
||||
// since type is cache and cache can be reused by consecutive builds
|
||||
// create a common cache directory, which persists on hosts within temp lifecycle
|
||||
// add subdirectory if specified
|
||||
@@ -391,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
|
||||
}
|
||||
|
||||
if id != "" {
|
||||
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
|
||||
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
|
||||
+ // Don't let the user control where we place the directory.
|
||||
+ dirID := digest.FromString(id).Encoded()[:16]
|
||||
+ newMount.Source = filepath.Join(cacheParent, dirID)
|
||||
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
|
||||
} else {
|
||||
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
|
||||
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
|
||||
+ // Don't let the user control where we place the directory.
|
||||
+ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
|
||||
+ newMount.Source = filepath.Join(cacheParent, dirID)
|
||||
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
|
||||
}
|
||||
idPair := idtools.IDPair{
|
||||
UID: uid,
|
||||
diff --git a/tests/bud.bats b/tests/bud.bats
|
||||
index b6982bbc0ee4..e28fc3dd8add 100644
|
||||
--- a/tests/bud.bats
|
||||
+++ b/tests/bud.bats
|
||||
@@ -6659,3 +6659,37 @@ _EOF
|
||||
assert "$status" -eq 2 "exit code from ls"
|
||||
expect_output --substring "No such file or directory"
|
||||
}
|
||||
+
|
||||
+@test "build-check-cve-2024-9675" {
|
||||
+ _prefetch alpine
|
||||
+
|
||||
+ touch ${TEST_SCRATCH_DIR}/file.txt
|
||||
+
|
||||
+ cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
|
||||
+FROM alpine
|
||||
+RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
|
||||
+ls -l /var/tmp && cat /var/tmp/file.txt
|
||||
+EOF
|
||||
+
|
||||
+ run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
|
||||
+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
|
||||
+
|
||||
+ cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
|
||||
+FROM alpine
|
||||
+RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
|
||||
+ls -l /var/tmp && cat /var/tmp/file.txt
|
||||
+EOF
|
||||
+
|
||||
+ run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
|
||||
+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
|
||||
+
|
||||
+ mkdir ${TEST_SCRATCH_DIR}/cve20249675
|
||||
+ cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
|
||||
+FROM alpine
|
||||
+RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
|
||||
+ls -l /var/tmp && cat /var/tmp/file.txt
|
||||
+EOF
|
||||
+
|
||||
+ run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
|
||||
+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
|
||||
+}
|
||||
--
|
||||
2.46.0
|
||||
|
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 16 06:53:35 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
|
||||
|
||||
- Add patch for CVE-2024-9675 (bsc#1231499):
|
||||
* 0003-Properly-validate-cache-IDs-and-sources.patch
|
||||
- Rebase patches:
|
||||
* 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
|
||||
* 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 2 10:24:41 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
||||
|
||||
|
@ -29,6 +29,7 @@ Source0: %{name}-%{version}.tar.xz
|
||||
Source1: %{name}-rpmlintrc
|
||||
Patch0: 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
|
||||
Patch1: 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
|
||||
Patch2: 0003-Properly-validate-cache-IDs-and-sources.patch
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: device-mapper-devel
|
||||
BuildRequires: fdupes
|
||||
|
Loading…
Reference in New Issue
Block a user