Sync from SUSE:SLFO:1.1 podman revision 4f828be6b698df213801efc72f5fd350

2024-10-23 10:04:44 +02:00 · 2024-10-23 10:04:44 +02:00 · 3525dfdcd5
commit 3525dfdcd5
parent d91b3a3646
6 changed files with 17958 additions and 3 deletions
--- a/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+++ b/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
@ -1,7 +1,7 @@
 From 76fc90dd1b33fc4e0f70277430f56d1d0ecd5e45 Mon Sep 17 00:00:00 2001
 From: Danish Prakash <contact@danishpraka.sh>
 Date: Mon, 7 Oct 2024 14:03:25 +0530
-Subject: [PATCH 1/3] pkg/subscriptions: use securejoin for the container path
+Subject: [PATCH 1/4] pkg/subscriptions: use securejoin for the container path

 If we join a path from the container image we must always use securejoin
 to prevent us from following a symlink onto the host.
--- a/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+++ b/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
@ -1,7 +1,7 @@
 From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001
 From: Danish Prakash <contact@danishpraka.sh>
 Date: Wed, 16 Oct 2024 18:48:21 +0530
-Subject: [PATCH 2/3] CVE-2024-9407: validate "bind-propagation" flag settings
+Subject: [PATCH 2/4] CVE-2024-9407: validate "bind-propagation" flag settings

 CVE-2024-9407: validate that the value for the "bind-propagation" flag
 when handling "bind" and "cache" mounts in `buildah run` or in RUN
--- a/0003-Properly-validate-cache-IDs-and-sources.patch
+++ b/0003-Properly-validate-cache-IDs-and-sources.patch
@ -1,7 +1,7 @@
 From daca228525b387598a36d7de15a816ee8146b98d Mon Sep 17 00:00:00 2001
 From: Danish Prakash <contact@danishpraka.sh>
 Date: Tue, 15 Oct 2024 22:39:03 +0530
-Subject: [PATCH 3/3] Properly validate cache IDs and sources
+Subject: [PATCH 3/4] Properly validate cache IDs and sources

 The `--mount type=cache` argument to the `RUN` instruction in
 Dockerfiles was using `filepath.Join` on user input, allowing
--- a/0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+++ b/0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
--- a/podman.changes
+++ b/podman.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Oct 22 08:24:37 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9676 (bsc#1231698):
+  * 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+- Rebase patches:
+  * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+  * 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+  * 0003-Properly-validate-cache-IDs-and-sources.patch
+
 -------------------------------------------------------------------
 Tue Oct 15 17:11:10 UTC 2024 - Danish Prakash <danish.prakash@suse.com>

--- a/podman.spec
+++ b/podman.spec
@ -33,6 +33,7 @@ Source1:        podman.conf
 Patch0:         0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
 Patch1:         0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
 Patch2:         0003-Properly-validate-cache-IDs-and-sources.patch
+Patch3:         0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes