Sync from SUSE:SLFO:1.1 podman revision 57451a85acdd48d2157e826c0b0d3977

2024-10-17 13:44:37 +02:00 · 2024-10-17 13:44:37 +02:00 · d91b3a3646
commit d91b3a3646
parent 7defeac394
6 changed files with 299 additions and 1 deletions
--- a/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+++ b/0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
@ -0,0 +1,162 @@
+From 76fc90dd1b33fc4e0f70277430f56d1d0ecd5e45 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Mon, 7 Oct 2024 14:03:25 +0530
+Subject: [PATCH 1/3] pkg/subscriptions: use securejoin for the container path
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+Bugs: bsc#1231230
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ go.mod                                                   | 4 ++--
+ go.sum                                                   | 8 ++++----
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ vendor/github.com/containers/common/version/version.go   | 2 +-
+ .../containers/image/v5/docker/docker_image.go           | 9 +++++++++
+ vendor/github.com/containers/image/v5/version/version.go | 2 +-
+ vendor/modules.txt                                       | 4 ++--
+ 7 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 6f0d7d1f5db6..88dd9876472f 100644
+--- a/go.mod
+++ b/go.mod
+@@ -11,10 +11,10 @@ require (
+ 	github.com/checkpoint-restore/go-criu/v7 v7.0.0
+ 	github.com/containernetworking/plugins v1.4.0
+ 	github.com/containers/buildah v1.35.4
+-	github.com/containers/common v0.58.3
+	github.com/containers/common v0.58.5
+ 	github.com/containers/conmon v2.0.20+incompatible
+ 	github.com/containers/gvisor-tap-vsock v0.7.3
+-	github.com/containers/image/v5 v5.30.1
+	github.com/containers/image/v5 v5.30.2
+ 	github.com/containers/libhvee v0.7.0
+ 	github.com/containers/ocicrypt v1.1.10
+ 	github.com/containers/psgo v1.9.0
+diff --git a/go.sum b/go.sum
+index b1033efba2f0..1d6b7d02370c 100644
+--- a/go.sum
+++ b/go.sum
+@@ -76,14 +76,14 @@ github.com/containernetworking/plugins v1.4.0 h1:+w22VPYgk7nQHw7KT92lsRmuToHvb7w
+ github.com/containernetworking/plugins v1.4.0/go.mod h1:UYhcOyjefnrQvKvmmyEKsUA+M9Nfn7tqULPpH0Pkcj0=
+ github.com/containers/buildah v1.35.4 h1:M/M5RJW07ZIDsngmJDb6bnWxZA2RRFulp0MW7EwPATg=
+ github.com/containers/buildah v1.35.4/go.mod h1:gh6xe/VXW7TTIDWCRtAvx0/YaNuEJWYabDKrHKj17So=
+-github.com/containers/common v0.58.3 h1:Iy/CdYjluEK926QT+ejonz7YvoRHazeW7BAiLIkmUQ4=
+-github.com/containers/common v0.58.3/go.mod h1:p4V1SNk+WOISgp01m+axuqCUxaDP3WSZPPzvnJnS/cQ=
+github.com/containers/common v0.58.5 h1:5GOyHhNPVeFEUFIxUmc0asO2X8NuErLpyrrpdDJq3v0=
+github.com/containers/common v0.58.5/go.mod h1:mlwmIzH9AOIxXpuKPmMd1N+zzoelRBddXKReRlHDSTU=
+ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
+ github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
+ github.com/containers/gvisor-tap-vsock v0.7.3 h1:yORnf15sP+sLFhxLNLgmB5/lOhldn9dRMHx/tmYtSOQ=
+ github.com/containers/gvisor-tap-vsock v0.7.3/go.mod h1:NI1fLMtKXQZoDrrOeqryGz7x7j/XSFWRmQILva7Fu9c=
+-github.com/containers/image/v5 v5.30.1 h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM=
+-github.com/containers/image/v5 v5.30.1/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
+github.com/containers/image/v5 v5.30.2 h1:1nsuEAkWtlaGaV938n5Z9eyV4Jolx4eRyOl9pLUSPC4=
+github.com/containers/image/v5 v5.30.2/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
+ github.com/containers/libhvee v0.7.0 h1:TDfidZOduYk0ZW0tigzqpJOl+CeynvHxIZCuH/ak7YM=
+ github.com/containers/libhvee v0.7.0/go.mod h1:fRKB3AyIqHMvq6xaeYhTpckM2cdoq0oecolyoiuLP7M=
+ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6845914aa285..04cf6deaa8b4 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ 	"github.com/containers/common/pkg/umask"
+ 	"github.com/containers/storage/pkg/idtools"
+	securejoin "github.com/cyphar/filepath-securejoin"
+ 	rspec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ 	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+	if err != nil {
+		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+	}
+ 	if _, err := os.Stat(srcOnHost); err != nil {
+ 		if errors.Is(err, os.ErrNotExist) {
+ 			return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index ddf29b94b366..1b8f07ff5659 100644
+--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+ 
+ // Version is the version of the build.
+-const Version = "0.58.3"
+const Version = "0.58.5"
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
+index 4c80bb2b5251..9741afc3f099 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
+@@ -14,6 +14,7 @@ import (
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+ 	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+ )
+ 
+ // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
+@@ -90,6 +91,14 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
+ 		}
+ 		for _, tag := range tagsHolder.Tags {
+ 			if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
+				// Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
+				// contrary to the tag format specified in
+				// https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
+				// include digests in the list.
+				if _, err := digest.Parse(tag); err == nil {
+					logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
+					continue
+				}
+ 				return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
+ 			}
+ 			tags = append(tags, tag)
+diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
+index 2be0541584da..fa31c9408f6a 100644
+--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
+@@ -8,7 +8,7 @@ const (
+ 	// VersionMinor is for functionality in a backwards-compatible manner
+ 	VersionMinor = 30
+ 	// VersionPatch is for backwards-compatible bug fixes
+-	VersionPatch = 1
+	VersionPatch = 2
+ 
+ 	// VersionDev indicates development branch. Releases will be empty string.
+ 	VersionDev = ""
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index ec7960bc9951..c4aad8b23ab0 100644
+--- a/vendor/modules.txt
+++ b/vendor/modules.txt
+@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.58.3
+# github.com/containers/common v0.58.5
+ ## explicit; go 1.20
+ github.com/containers/common/internal
+ github.com/containers/common/internal/attributedstring
+@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
+ # github.com/containers/gvisor-tap-vsock v0.7.3
+ ## explicit; go 1.20
+ github.com/containers/gvisor-tap-vsock/pkg/types
+-# github.com/containers/image/v5 v5.30.1
+# github.com/containers/image/v5 v5.30.2
+ ## explicit; go 1.19
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+-- 
+2.46.0
+
--- a/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+++ b/0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
@ -0,0 +1,49 @@
+From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Wed, 16 Oct 2024 18:48:21 +0530
+Subject: [PATCH 2/3] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../containers/buildah/internal/volumes/volumes.go   | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index 515f846f3499..da6b768fdc21 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 			if !hasArgValue {
+ 				return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ 			}
+			switch argValue {
+			default:
+				return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
+ 			newMount.Options = append(newMount.Options, argValue)
+ 		case "src", "source":
+ 			if !hasArgValue {
+@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			if !hasArgValue {
+ 				return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ 			}
+			switch argValue {
+			default:
+				return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
+ 			newMount.Options = append(newMount.Options, argValue)
+ 		case "id":
+ 			if !hasArgValue {
+-- 
+2.46.0
+
--- a/0003-Properly-validate-cache-IDs-and-sources.patch
+++ b/0003-Properly-validate-cache-IDs-and-sources.patch
@ -0,0 +1,68 @@
+From daca228525b387598a36d7de15a816ee8146b98d Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Tue, 15 Oct 2024 22:39:03 +0530
+Subject: [PATCH 3/3] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../buildah/internal/volumes/volumes.go       | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index da6b768fdc21..610e9fcf11b2 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/lockfile"
+ 	"github.com/containers/storage/pkg/unshare"
+	digest "github.com/opencontainers/go-digest"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ 		}
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, nil, err
+		}
+		newMount.Source = evaluated
+ 	} else {
+ 		// we need to create cache on host if no image is being used
+ 
+@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 		}
+ 
+ 		if id != "" {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(id).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		} else {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		}
+ 		idPair := idtools.IDPair{
+ 			UID: uid,
+-- 
+2.46.0
+
--- a/podman-5.0.3.obscpio
+++ b/podman-5.0.3.obscpio
--- a/podman.changes
+++ b/podman.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Oct 15 17:11:10 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9675 (bsc#1231499):
+  * 0003-Properly-validate-cache-IDs-and-sources.patch
+- Add patch for CVE-2024-9407 (bsc#1231208):
+  * 0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+- Rebase patches:
+  * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+
+-------------------------------------------------------------------
+Mon Oct  7 08:35:58 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9341 (bsc#1231230):
+  * 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+
 -------------------------------------------------------------------
 Fri May 10 18:10:00 UTC 2024 - danish.prakash@suse.com

--- a/podman.spec
+++ b/podman.spec
@ -30,6 +30,9 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
+Patch0:         0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
+Patch1:         0002-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
+Patch2:         0003-Properly-validate-cache-IDs-and-sources.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes