Sync from SUSE:SLFO:1.1 podman revision 4f828be6b698df213801efc72f5fd350

Adrian Schröter 2024-10-23 10:04:44 +02:00
parent d91b3a3646
commit 3525dfdcd5
6 changed files with 17958 additions and 3 deletions


@ -1,7 +1,7 @@
From 76fc90dd1b33fc4e0f70277430f56d1d0ecd5e45 Mon Sep 17 00:00:00 2001 From 76fc90dd1b33fc4e0f70277430f56d1d0ecd5e45 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh> From: Danish Prakash <contact@danishpraka.sh>
Date: Mon, 7 Oct 2024 14:03:25 +0530 Date: Mon, 7 Oct 2024 14:03:25 +0530
Subject: [PATCH 1/3] pkg/subscriptions: use securejoin for the container path Subject: [PATCH 1/4] pkg/subscriptions: use securejoin for the container path
If we join a path from the container image we must always use securejoin If we join a path from the container image we must always use securejoin
to prevent us from following a symlink onto the host. to prevent us from following a symlink onto the host.


@ -1,7 +1,7 @@
From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001 From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh> From: Danish Prakash <contact@danishpraka.sh>
Date: Wed, 16 Oct 2024 18:48:21 +0530 Date: Wed, 16 Oct 2024 18:48:21 +0530
Subject: [PATCH 2/3] CVE-2024-9407: validate "bind-propagation" flag settings Subject: [PATCH 2/4] CVE-2024-9407: validate "bind-propagation" flag settings
CVE-2024-9407: validate that the value for the "bind-propagation" flag CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN when handling "bind" and "cache" mounts in `buildah run` or in RUN


@ -1,7 +1,7 @@
From daca228525b387598a36d7de15a816ee8146b98d Mon Sep 17 00:00:00 2001 From daca228525b387598a36d7de15a816ee8146b98d Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh> From: Danish Prakash <contact@danishpraka.sh>
Date: Tue, 15 Oct 2024 22:39:03 +0530 Date: Tue, 15 Oct 2024 22:39:03 +0530
Subject: [PATCH 3/3] Properly validate cache IDs and sources Subject: [PATCH 3/4] Properly validate cache IDs and sources
The `--mount type=cache` argument to the `RUN` instruction in The `--mount type=cache` argument to the `RUN` instruction in
Dockerfiles was using `filepath.Join` on user input, allowing Dockerfiles was using `filepath.Join` on user input, allowing

File diff suppressed because it is too large


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Oct 22 08:24:37 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9676 (bsc#1231698):
* 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
- Rebase patches:
* 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
* 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
* 0003-Properly-validate-cache-IDs-and-sources.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 15 17:11:10 UTC 2024 - Danish Prakash <danish.prakash@suse.com> Tue Oct 15 17:11:10 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
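Review bot: the new entry at the top of this hunk records CVE-2024-9676 (bsc#1231698) with only the patch file name, so someone reading the changelog has to open 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch to learn what was fixed. Consider adding a short clause after the bug reference that says what the patch does, along the lines its file name already suggests (SecureJoin when forming userns paths). The "Rebase patches" list is consistent with the three patch header hunks on this page, where the only visible change is the series numbering in the Subject line going from n/3 to n/4.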


@ -33,6 +33,7 @@ Source1: podman.conf
Patch0: 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch Patch0: 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
Patch1: 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch Patch1: 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
Patch2: 0003-Properly-validate-cache-IDs-and-sources.patch Patch2: 0003-Properly-validate-cache-IDs-and-sources.patch
Patch3: 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel
BuildRequires: fdupes BuildRequires: fdupes
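Review bot: Patch3 is only declared in the preamble here, and this is the only spec hunk on the page, so nothing in %prep changes with it. If %prep applies patches through %autosetup or %autopatch that is sufficient; if it lists explicit %patch lines, the one for Patch3 is missing and the CVE-2024-9676 fix would ship in the source package without being applied to the build. Please confirm which form %prep uses before this is accepted.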