From d91b3a3646ee4826b060369ac8bf46abd9a2e41c584b69f17d8b5f209ec535c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 17 Oct 2024 13:44:37 +0200 Subject: [PATCH] Sync from SUSE:SLFO:1.1 podman revision 57451a85acdd48d2157e826c0b0d3977 --- ...s-use-securejoin-for-the-container-p.patch | 162 ++++++++++++++++++ ...lidate-bind-propagation-flag-setting.patch | 49 ++++++ ...perly-validate-cache-IDs-and-sources.patch | 68 ++++++++ podman-5.0.3.obscpio | 2 +- podman.changes | 16 ++ podman.spec | 3 + 6 files changed, 299 insertions(+), 1 deletion(-) create mode 100644 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch create mode 100644 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch create mode 100644 0003-Properly-validate-cache-IDs-and-sources.patch diff --git a/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch b/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch new file mode 100644 index 0000000..2c39a64 --- /dev/null +++ b/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch 
@@ -0,0 +1,162 @@ +From 76fc90dd1b33fc4e0f70277430f56d1d0ecd5e45 Mon Sep 17 00:00:00 2001 +From: Danish Prakash +Date: Mon, 7 Oct 2024 14:03:25 +0530 +Subject: [PATCH 1/3] pkg/subscriptions: use securejoin for the container path + +If we join a path from the container image we must always use securejoin +to prevent us from following a symlink onto the host. + +Fixes CVE-2024-9341 +Bugs: bsc#1231230 + +Signed-off-by: Paul Holzinger +Signed-off-by: Danish Prakash +--- + go.mod | 4 ++-- + go.sum | 8 ++++---- + .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++- + vendor/github.com/containers/common/version/version.go | 2 +- + .../containers/image/v5/docker/docker_image.go | 9 +++++++++ + vendor/github.com/containers/image/v5/version/version.go | 2 +- + vendor/modules.txt | 4 ++-- + 7 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/go.mod b/go.mod +index 6f0d7d1f5db6..88dd9876472f 100644 +--- a/go.mod ++++ b/go.mod +@@ -11,10 +11,10 @@ require ( + github.com/checkpoint-restore/go-criu/v7 v7.0.0 + github.com/containernetworking/plugins v1.4.0 + github.com/containers/buildah v1.35.4 +- github.com/containers/common v0.58.3 ++ github.com/containers/common v0.58.5 + github.com/containers/conmon v2.0.20+incompatible + github.com/containers/gvisor-tap-vsock v0.7.3 +- github.com/containers/image/v5 v5.30.1 ++ github.com/containers/image/v5 v5.30.2 + github.com/containers/libhvee v0.7.0 + github.com/containers/ocicrypt v1.1.10 + github.com/containers/psgo v1.9.0 +diff --git a/go.sum b/go.sum +index b1033efba2f0..1d6b7d02370c 100644 +--- a/go.sum ++++ b/go.sum +@@ -76,14 +76,14 @@ github.com/containernetworking/plugins v1.4.0 h1:+w22VPYgk7nQHw7KT92lsRmuToHvb7w + github.com/containernetworking/plugins v1.4.0/go.mod h1:UYhcOyjefnrQvKvmmyEKsUA+M9Nfn7tqULPpH0Pkcj0= + github.com/containers/buildah v1.35.4 h1:M/M5RJW07ZIDsngmJDb6bnWxZA2RRFulp0MW7EwPATg= + github.com/containers/buildah v1.35.4/go.mod h1:gh6xe/VXW7TTIDWCRtAvx0/YaNuEJWYabDKrHKj17So= 
+-github.com/containers/common v0.58.3 h1:Iy/CdYjluEK926QT+ejonz7YvoRHazeW7BAiLIkmUQ4= +-github.com/containers/common v0.58.3/go.mod h1:p4V1SNk+WOISgp01m+axuqCUxaDP3WSZPPzvnJnS/cQ= ++github.com/containers/common v0.58.5 h1:5GOyHhNPVeFEUFIxUmc0asO2X8NuErLpyrrpdDJq3v0= ++github.com/containers/common v0.58.5/go.mod h1:mlwmIzH9AOIxXpuKPmMd1N+zzoelRBddXKReRlHDSTU= + github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= + github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= + github.com/containers/gvisor-tap-vsock v0.7.3 h1:yORnf15sP+sLFhxLNLgmB5/lOhldn9dRMHx/tmYtSOQ= + github.com/containers/gvisor-tap-vsock v0.7.3/go.mod h1:NI1fLMtKXQZoDrrOeqryGz7x7j/XSFWRmQILva7Fu9c= +-github.com/containers/image/v5 v5.30.1 h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM= +-github.com/containers/image/v5 v5.30.1/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk= ++github.com/containers/image/v5 v5.30.2 h1:1nsuEAkWtlaGaV938n5Z9eyV4Jolx4eRyOl9pLUSPC4= ++github.com/containers/image/v5 v5.30.2/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk= + github.com/containers/libhvee v0.7.0 h1:TDfidZOduYk0ZW0tigzqpJOl+CeynvHxIZCuH/ak7YM= + github.com/containers/libhvee v0.7.0/go.mod h1:fRKB3AyIqHMvq6xaeYhTpckM2cdoq0oecolyoiuLP7M= + github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= +diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +index 6845914aa285..04cf6deaa8b4 100644 +--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go ++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +@@ -10,6 +10,7 @@ import ( + + "github.com/containers/common/pkg/umask" + "github.com/containers/storage/pkg/idtools" ++ securejoin "github.com/cyphar/filepath-securejoin" + rspec 
"github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" + "github.com/sirupsen/logrus" +@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, + + srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" + destDir := "/etc/crypto-policies/back-ends" +- srcOnHost := filepath.Join(mountPoint, srcBackendDir) ++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir) ++ if err != nil { ++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err) ++ } + if _, err := os.Stat(srcOnHost); err != nil { + if errors.Is(err, os.ErrNotExist) { + return nil +diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go +index ddf29b94b366..1b8f07ff5659 100644 +--- a/vendor/github.com/containers/common/version/version.go ++++ b/vendor/github.com/containers/common/version/version.go +@@ -1,4 +1,4 @@ + package version + + // Version is the version of the build. +-const Version = "0.58.3" ++const Version = "0.58.5" +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go +index 4c80bb2b5251..9741afc3f099 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go +@@ -14,6 +14,7 @@ import ( + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/types" + "github.com/opencontainers/go-digest" ++ "github.com/sirupsen/logrus" + ) + + // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods +@@ -90,6 +91,14 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. 
+ } + for _, tag := range tagsHolder.Tags { + if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values ++ // Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory, ++ // contrary to the tag format specified in ++ // https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 , ++ // include digests in the list. ++ if _, err := digest.Parse(tag); err == nil { ++ logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag) ++ continue ++ } + return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) + } + tags = append(tags, tag) +diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go +index 2be0541584da..fa31c9408f6a 100644 +--- a/vendor/github.com/containers/image/v5/version/version.go ++++ b/vendor/github.com/containers/image/v5/version/version.go +@@ -8,7 +8,7 @@ const ( + // VersionMinor is for functionality in a backwards-compatible manner + VersionMinor = 30 + // VersionPatch is for backwards-compatible bug fixes +- VersionPatch = 1 ++ VersionPatch = 2 + + // VersionDev indicates development branch. Releases will be empty string. 
+ VersionDev = "" +diff --git a/vendor/modules.txt b/vendor/modules.txt +index ec7960bc9951..c4aad8b23ab0 100644 +--- a/vendor/modules.txt ++++ b/vendor/modules.txt +@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent + github.com/containers/buildah/pkg/util + github.com/containers/buildah/pkg/volumes + github.com/containers/buildah/util +-# github.com/containers/common v0.58.3 ++# github.com/containers/common v0.58.5 + ## explicit; go 1.20 + github.com/containers/common/internal + github.com/containers/common/internal/attributedstring +@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config + # github.com/containers/gvisor-tap-vsock v0.7.3 + ## explicit; go 1.20 + github.com/containers/gvisor-tap-vsock/pkg/types +-# github.com/containers/image/v5 v5.30.1 ++# github.com/containers/image/v5 v5.30.2 + ## explicit; go 1.19 + github.com/containers/image/v5/copy + github.com/containers/image/v5/directory +-- +2.46.0 + diff --git a/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch b/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch new file mode 100644 index 0000000..4bfdda9 --- /dev/null +++ b/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch 
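Review bot: securejoin.SecureJoin on the new `srcOnHost` line resolves symlinks only at the moment of the join, so the host path it returns is only safe if nothing rewrites the image rootfs under mountPoint between that call and the os.Stat and mount that follow; the library documents this TOCTOU, and a comment such as `// SecureJoin resolves symlinks once; assumes the rootfs under mountPoint is not modified concurrently` would record the assumption for anyone backporting the fix. The same patch file also carries the docker_image.go change that silently skips digest-shaped entries in GetRepositoryTags; that is unrelated to CVE-2024-9341 and only rides along with the vendored image/v5 bump, so the patch description should say so rather than leave it looking like part of the fix. addFIPSModeSubscription starts and ends outside the hunk.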
@@ -0,0 +1,49 @@
+From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001
+From: Danish Prakash
+Date: Wed, 16 Oct 2024 18:48:21 +0530
+Subject: [PATCH 2/3] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai
+Signed-off-by: Danish Prakash
+---
+ .../containers/buildah/internal/volumes/volumes.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index 515f846f3499..da6b768fdc21 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
++++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ if !hasArgValue {
+ return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ }
++ switch argValue {
++ default:
++ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, argValue)
+ case "src", "source":
+ if !hasArgValue {
+@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ if !hasArgValue {
+ return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ }
++ switch argValue {
++ default:
++ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, argValue)
+ case "id":
+ if !hasArgValue {
+--
+2.46.0
+
diff --git a/0003-Properly-validate-cache-IDs-and-sources.patch b/0003-Properly-validate-cache-IDs-and-sources.patch
new file mode 100644
index 0000000..c96e3f1
--- /dev/null
+++ b/0003-Properly-validate-cache-IDs-and-sources.patch
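Review bot: The accepted propagation list is now pasted verbatim into both GetBindMount and GetCacheMount, and the comment on each copy admits it has to stay in sync with a third list that lives outside this hunk; a single predicate would give the CVE-2024-9407 check one source of truth and make it harder to regress in one place but not the other. The `switch` with a `default:` that returns before the `case` that falls through is also an unusual shape for a pure validity test; a boolean helper reads as the check it is. Both GetBindMount and GetCacheMount start and end outside the hunk, so the exact option list they accept "above" cannot be confirmed here.
```go
// isBindPropagation reports whether v is a value accepted for the
// bind-propagation option; keep it aligned with the propagation options
// GetBindMount and GetCacheMount accept without the "bind-propagation=" prefix.
func isBindPropagation(v string) bool {
	switch v {
	case "shared", "rshared", "private", "rprivate", "slave", "rslave":
		return true
	}
	return false
}

// … in GetBindMount, unchanged: hasArgValue check …
if !isBindPropagation(argValue) {
	return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
}
newMount.Options = append(newMount.Options, argValue)
// … in GetCacheMount: the same check with the (newMount, nil, err) return shape …
```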
@@ -0,0 +1,68 @@
+From daca228525b387598a36d7de15a816ee8146b98d Mon Sep 17 00:00:00 2001
+From: Danish Prakash
+Date: Tue, 15 Oct 2024 22:39:03 +0530
+Subject: [PATCH 3/3] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon
+Signed-off-by: Danish Prakash
+---
+ .../buildah/internal/volumes/volumes.go | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index da6b768fdc21..610e9fcf11b2 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
++++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/lockfile"
+ "github.com/containers/storage/pkg/unshare"
++ digest "github.com/opencontainers/go-digest"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ }
+ // path should be /contextDir/specified path
+- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, nil, err
++ }
++ newMount.Source = evaluated
+ } else {
+ // we need to create cache on host if no image is being used
+ 
+@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ }
+ 
+ if id != "" {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(id).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ } else {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ }
+ idPair := idtools.IDPair{
+ UID: uid,
+--
+2.46.0
+
diff --git a/podman-5.0.3.obscpio b/podman-5.0.3.obscpio
index cd04a81..0bf09c6 100644
--- a/podman-5.0.3.obscpio
+++ b/podman-5.0.3.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e03fd992b687d7721fe773273c10d6d4c0be681dc42ba2df5e171651e1d139ff
+oid sha256:41dcaf045042ff81d95d3be1004ed629ae9e229093b97dbe7b83c6d603b81fa5
 size 109267982
diff --git a/podman.changes b/podman.changes
index a882be1..3a25cce 100644
--- a/podman.changes
+++ b/podman.changes
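Review bot: The patch description says the fix is a switch to `filepath.SecureJoin`, but the new code does two different things: the from-stage branch calls `copier.Eval` to resolve the user path inside mountPoint, and the host-cache branch replaces the user-controlled id or destination with `digest.FromString(...).Encoded()[:16]`; the description should match the code, since a backporter looking for SecureJoin will not find it. The `copier.Eval` failure is returned bare at `return newMount, nil, err`, which drops the stage and path the caller would want; `return newMount, nil, fmt.Errorf("evaluating cache source %q in stage %q: %w", newMount.Source, fromStage, err)` keeps that context. The `[:16]` truncation keeps 64 bits of the digest, which is adequate against accidental collisions, but a comment stating that the directory name is intentionally opaque and that the truncation is a naming choice rather than the security boundary would stop a later reader from "fixing" it either way. GetCacheMount starts and ends outside the hunk.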
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Oct 15 17:11:10 UTC 2024 - Danish Prakash
+
+- Add patch for CVE-2024-9675 (bsc#1231499):
+ * 0003-Properly-validate-cache-IDs-and-sources.patch
+- Add patch for CVE-2024-9407 (bsc#1231208):
+ * 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+- Rebase patches:
+ * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+
+-------------------------------------------------------------------
+Mon Oct 7 08:35:58 UTC 2024 - Danish Prakash
+
+- Add patch for CVE-2024-9341 (bsc#1231230):
+ * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+
 -------------------------------------------------------------------
 Fri May 10 18:10:00 UTC 2024 - danish.prakash@suse.com
 
diff --git a/podman.spec b/podman.spec
index f7e724f..efae738 100644
--- a/podman.spec
+++ b/podman.spec
@@ -30,6 +30,9 @@ Group: System/Management
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.gz
 Source1: podman.conf
+Patch0: 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+Patch1: 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+Patch2: 0003-Properly-validate-cache-IDs-and-sources.patch
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
 BuildRequires: fdupes
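Review bot: The hunk only declares `Patch0`–`Patch2`; the `%prep` section is outside this view, so whether the three CVE patches are actually applied (for example by `%autosetup -p1` or explicit `%patch -P 0 -p1` lines) cannot be confirmed from here. A declared-but-unapplied Patch builds cleanly and silently ships the vulnerable code, so that is the line to verify before this sync lands. The patch files use `a/` and `b/` prefixes and touch paths under `vendor/`, so a strip level of 1 is what they expect.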