From 5cc8b46f5e1df5a85ed7b037d6a31219bf58374c Mon Sep 17 00:00:00 2001
From: Danish Prakash
Date: Wed, 16 Oct 2024 18:48:21 +0530
Subject: [PATCH 2/4] CVE-2024-9407: validate "bind-propagation" flag settings

CVE-2024-9407: validate that the value for the "bind-propagation" flag when handling "bind" and "cache" mounts in `buildah run` or in RUN instructions is one of the values that we would accept without the "bind-propagation=" prefix.

Signed-off-by: Nalin Dahyabhai
Signed-off-by: Danish Prakash
---
 .../containers/buildah/internal/volumes/volumes.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index 515f846f3499..da6b768fdc21 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 if !hasArgValue {
 return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
 }
+ switch argValue {
+ default:
+ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
 newMount.Options = append(newMount.Options, argValue)
 case "src", "source":
 if !hasArgValue {
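Review bot: The allowlist of propagation modes is written out as a literal `case` here in GetBindMount and again, identically, in the GetCacheMount hunk that follows, and the comment on each only says it "should be" the same as a list accepted earlier in the file that is outside this hunk, so nothing stops the copies from drifting and silently widening what reaches the mount options. I would hoist the six values into one package-level set and have both sites consult it, keeping the `%q` in the error so a rejected value stays visible in logs. A table test that feeds `bind-propagation=` one accepted and one rejected value through each of the two mount paths would pin the CVE-2024-9407 behaviour against regressions. GetBindMount's body begins and ends outside this hunk.
```go
// propagationModes is the set of mount propagation values accepted as the
// value of "bind-propagation="; it is meant to match the bare-option list
// accepted earlier in the same switch (outside this hunk) — keep them in sync.
var propagationModes = map[string]struct{}{
	"shared": {}, "rshared": {},
	"private": {}, "rprivate": {},
	"slave": {}, "rslave": {},
}

// … unchanged: option parsing up to the "bind-propagation" case …
			if _, ok := propagationModes[argValue]; !ok {
				return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
			}
			newMount.Options = append(newMount.Options, argValue)
```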
@@ -277,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 if !hasArgValue {
 return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
 }
+ switch argValue {
+ default:
+ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
 newMount.Options = append(newMount.Options, argValue)
 case "id":
 if !hasArgValue {
-- 
2.46.0