From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Wed, 16 Oct 2024 18:48:21 +0530
Subject: [PATCH 2/4] CVE-2024-9407: validate "bind-propagation" flag settings
CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
.../containers/buildah/internal/volumes/volumes.go | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index 515f846f3499..da6b768fdc21 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if !hasArgValue {
return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
+ switch argValue {
+ default:
+ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, argValue)
case "src", "source":
if !hasArgValue {
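Review bot: The accepted-value list in the new `switch argValue` block is repeated verbatim in the GetCacheMount hunk below, and the comment on the `case` line ties both copies to a third list that sits outside this hunk, so the three can drift apart silently on the next edit to either parser. Declaring the check once as a small package-level helper and calling it from both GetBindMount and GetCacheMount keeps the two validations identical and gives the comment a real identifier to point at instead of "the list above". Putting `default` after the `case` also follows the usual Go switch layout and reads as "reject everything not listed". GetBindMount's body starts and ends outside this hunk, so I cannot confirm what the earlier option list contains; the helper below encodes only the six values this hunk accepts.
```go
// validBindPropagation reports whether v is one of the mount-propagation
// values accepted for "bind-propagation"; GetBindMount and GetCacheMount
// both validate through it so their accepted lists cannot diverge.
func validBindPropagation(v string) bool {
	switch v {
	case "shared", "rshared", "private", "rprivate", "slave", "rslave":
		return true
	}
	return false
}

// … unchanged: GetBindMount option parsing up to the hasArgValue check …
			if !validBindPropagation(argValue) {
				return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
			}
			newMount.Options = append(newMount.Options, argValue)
```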
@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
if !hasArgValue {
return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
+ switch argValue {
+ default:
+ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, argValue)
case "id":
if !hasArgValue {
--
2.46.0