New upstream release 1.39.1

OBS-URL: https://build.opensuse.org/package/show/devel:microos/buildah?expand=0&rev=50

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

0001-Properly-validate-cache-IDs-and-sources.patch

@@ -0,0 +1,111 @@
+From 37d71af79a9c2dbebe56073fa6f4bd7271b1419e Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 15:23:03 -0400
+Subject: [PATCH] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ internal/volumes/volumes.go | 19 ++++++++++++++-----
+ tests/bud.bats              | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 5 deletions(-)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index da6b768fdc21..610e9fcf11b2 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/lockfile"
+ 	"github.com/containers/storage/pkg/unshare"
++	digest "github.com/opencontainers/go-digest"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ 		}
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++		if err != nil {
++			return newMount, nil, err
++		}
++		newMount.Source = evaluated
+ 	} else {
+ 		// we need to create cache on host if no image is being used
+ 
+@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 		}
+ 
+ 		if id != "" {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++			// Don't let the user control where we place the directory.
++			dirID := digest.FromString(id).Encoded()[:16]
++			newMount.Source = filepath.Join(cacheParent, dirID)
++			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		} else {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++			// Don't let the user control where we place the directory.
++			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++			newMount.Source = filepath.Join(cacheParent, dirID)
++			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		}
+ 		idPair := idtools.IDPair{
+ 			UID: uid,
+diff --git a/tests/bud.bats b/tests/bud.bats
+index b1ed89072ce6..79ca91b2b5e6 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -6917,3 +6917,37 @@ _EOF
+   run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+   expect_output --substring "invalid mount option"
+ }
++
++@test "build-check-cve-2024-9675" {
++  _prefetch alpine
++
++  touch ${TEST_SCRATCH_DIR}/file.txt
++
++  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
++FROM alpine
++RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
++ls -l /var/tmp && cat /var/tmp/file.txt
++EOF
++
++  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
++  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
++
++  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
++FROM alpine
++RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
++ls -l /var/tmp && cat /var/tmp/file.txt
++EOF
++
++  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
++  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
++
++  mkdir ${TEST_SCRATCH_DIR}/cve20249675
++  cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
++FROM alpine
++RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
++ls -l /var/tmp && cat /var/tmp/file.txt
++EOF
++
++  run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
++  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
++}
+-- 
+2.46.0
+

_service

@@ -0,0 +1,18 @@
+<services>
+<service name="tar_scm" mode="manual">
+    <param name="url">https://github.com/containers/buildah.git</param>
+    <param name="scm">git</param>
+    <param name="filename">buildah</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="versionrewrite-pattern">v(.*)</param>
+    <param name="revision">v1.39.1</param>
+    <param name="changesgenerate">enable</param>
+</service>
+<service name="recompress" mode="manual">
+    <param name="file">*.tar</param>
+    <param name="compression">xz</param>
+</service>
+<service name="set_version" mode="manual">
+    <param name="basename">buildah</param>
+    </service>
+</services>

_servicedata

@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/containers/buildah.git</param>
+              <param name="changesrevision">9347a39c2712ad071eeaf15e27c03fa05e271221</param></service></servicedata>

buildah-1.36.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5eabd74b1a142d86ca4c8edfa209b97c6430a8e318474af2881ad57e105887cd
+size 11791160

buildah-1.37.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46243bbc9cc8829f7daccbaeaf5bef59d89c992eca56d663860c6a565a07a2c1
+size 11765204

buildah-1.37.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93ac30d0db8975756081ed2fa7370ace7860613f99725201a5167a451954b4b6
+size 11775556

buildah-1.37.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:777bcde6a4db37289e4c238c2694d98a4866d1c1b44f487993cdbe288fc6788f
+size 11778444

buildah-1.37.4.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5189a2b518d7249f9f322b9506278c2245e184d50dddb4ae7dac589d4e8ce090
+size 11768780

buildah-1.37.5.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fbb41b906a26deb5db84eb7850fa61436d77b427d805471f19908e8d048a684
+size 11777240

buildah-1.38.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f64339fbd63d7c7c699dee10c2131ad548843127d029ae5c4f9b84d043896e3e
+size 11364040

buildah-1.38.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aaf43367bc60a9d108a89d2062ded0586b397ef07ec583842ea06422689b6a32
+size 11369556

buildah-1.39.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79168554e287567917e1b73c6dcce5cb93a31ea53d918dcc2cf1ed5a18904b1e
+size 11439160

buildah-1.39.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4bd3cdd5a46558ab7b4d0789bfde74845f28fda650336526f3349cc7876f7198
+size 11438952

buildah-rpmlintrc

@@ -0,0 +1,3 @@
+addFilter (".* E: explicit-lib-dependency libcontainers-common")
+# intentionally disabled
+addFilter (".* W: unstripped-binary-or-object /usr/bin/buildah")

buildah.spec

@@ -0,0 +1,104 @@
+#
+# spec file for package buildah
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+%bcond_without  apparmor
+
+%define project github.com/containers/buildah
+Name:           buildah
+Version:        1.39.1
+Release:        0
+Summary:        Tool for building OCI containers
+License:        Apache-2.0
+Group:          System/Management
+URL:            https://%{project}
+Source0:        %{name}-%{version}.tar.xz
+Source1:        %{name}-rpmlintrc
+BuildRequires:  bash-completion
+BuildRequires:  device-mapper-devel
+BuildRequires:  fdupes
+BuildRequires:  git
+BuildRequires:  glib2-devel-static
+BuildRequires:  glibc-devel-static
+BuildRequires:  golang-packaging
+%if %{with apparmor}
+BuildRequires:  libapparmor-devel
+%endif
+BuildRequires:  libassuan-devel >= 2.5.2
+BuildRequires:  libbtrfs-devel
+BuildRequires:  libgpgme-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  golang(API) >= 1.21
+Requires:       netavark
+Requires:       libcontainers-common
+Requires:       passt
+Requires:       runc >= 1.0.2
+Requires:       slirp4netns
+%{go_nostrip}
+BuildRequires:  libostree-devel
+# Not supported by libseccomp-golang
+ExcludeArch:    ppc64
+
+
+%description
+Buildah provides a command line tool which can be used to:
+- Create a working container, either from scratch or using an image as a
+  starting point
+- Create an image, either from a working container or via the instructions in a
+  Dockerfile
+- Build images in either the OCI image format or the traditional
+  upstream docker image format
+- Mount a working container's root filesystem for manipulation
+- Unmount a working container's root filesystem
+- Update the contents of a container's root filesystem
+- Delete a working container or an image
+
+%prep
+%autosetup -p1
+
+%build
+# We can't use symlinks here because go-list gets confused by symlinks, so we
+# have to copy the source to $HOME/go and then use that as the GOPATH.
+export GOPATH=$HOME/go
+mkdir -pv $HOME/go/src/%{project}
+rm -rf $HOME/go/src/%{project}/*
+cp -avr * $HOME/go/src/%{project}
+cd $HOME/go/src/%{project}
+
+# Build buildah
+GOFLAGS=-buildmode=pie %make_build GIT_COMMIT=unknown buildah docs
+
+%check
+# Too many tests fail due to the restricted permissions in the build enviroment.
+# Updates must be tested manually.
+
+%install
+cd $HOME/go/src/%{project}
+
+install -D -m 0755 bin/buildah %{buildroot}/%{_bindir}/buildah
+install -d %{buildroot}/%{_mandir}/man1
+install -m 0644 docs/buildah*.1 %{buildroot}/%{_mandir}/man1
+install -D -m 0644 contrib/completions/bash/buildah %{buildroot}/%{_datadir}/bash-completion/completions/buildah
+
+%fdupes %{buildroot}/%{_prefix}
+
+%files
+%{_bindir}/buildah
+%{_mandir}/man1/buildah*
+%{_datadir}/bash-completion/completions/buildah
+%license LICENSE
+
+%changelog