buildah/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch


From 222f80a6a2ab4efce95bb7c8da3606b5ad4a3170 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Tue, 1 Oct 2024 11:01:45 -0400
Subject: [PATCH 1/3] CVE-2024-9407: validate "bind-propagation" flag settings
CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
(cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b)
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
internal/volumes/volumes.go | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
index 515f846f3499..da6b768fdc21 100644
--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if !hasArgValue {
return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
+ switch argValue {
+ default:
+ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, argValue)
case "src", "source":
if !hasArgValue {
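Review bot: The accepted-value list `case "shared", "rshared", "private", "rprivate", "slave", "rslave":` is written out twice, here and again verbatim in the GetCacheMount hunk, and the comment in each empty case points at a third copy "above" that lies outside these hunks; three hand-maintained lists can drift so that a value accepted bare is rejected with the `bind-propagation=` prefix, or the reverse. Factoring the membership test into one small helper lets both call sites (and, presumably, the earlier bare-option list) share a single source of truth, and it also removes the unusual `default:`-before-`case` ordering that a reader has to pause on. The error returns themselves (`errBadMntOption` with the quoted value) are fine as written. The enclosing GetBindMount and GetCacheMount bodies start and end outside these hunks.
```go
// validPropagation reports whether v is one of the bind-propagation values
// that GetBindMount and GetCacheMount accept, so the list lives in one place.
func validPropagation(v string) bool {
	switch v {
	case "shared", "rshared", "private", "rprivate", "slave", "rslave":
		return true
	}
	return false
}

// … unchanged: GetBindMount up to the hasArgValue check …
			if !validPropagation(argValue) {
				return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
			}
			newMount.Options = append(newMount.Options, argValue)
// … the GetCacheMount hunk gets the same two-line replacement, returning nil in place of "" …
```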
@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
if !hasArgValue {
return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
+ switch argValue {
+ default:
+ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, argValue)
case "id":
if !hasArgValue {
--
2.46.0