Accepting request 1208166 from devel:microos

OBS-URL: https://build.opensuse.org/request/show/1208166 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/buildah?expand=0&rev=93
2024-10-16 21:45:03 +00:00 · 2024-10-16 21:45:03 +00:00 · c9cf195241
commit c9cf195241
parent 2d53e11394 c43a408c6f
3 changed files with 118 additions and 0 deletions
--- a/0001-Properly-validate-cache-IDs-and-sources.patch
+++ b/0001-Properly-validate-cache-IDs-and-sources.patch
@ -0,0 +1,111 @@
+From 37d71af79a9c2dbebe56073fa6f4bd7271b1419e Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 15:23:03 -0400
+Subject: [PATCH] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ internal/volumes/volumes.go | 19 ++++++++++++++-----
+ tests/bud.bats              | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 5 deletions(-)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index da6b768fdc21..610e9fcf11b2 100644
+--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/lockfile"
+ 	"github.com/containers/storage/pkg/unshare"
+	digest "github.com/opencontainers/go-digest"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ 		}
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, nil, err
+		}
+		newMount.Source = evaluated
+ 	} else {
+ 		// we need to create cache on host if no image is being used
+ 
+@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 		}
+ 
+ 		if id != "" {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(id).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		} else {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		}
+ 		idPair := idtools.IDPair{
+ 			UID: uid,
+diff --git a/tests/bud.bats b/tests/bud.bats
+index b1ed89072ce6..79ca91b2b5e6 100644
+--- a/tests/bud.bats
+++ b/tests/bud.bats
+@@ -6917,3 +6917,37 @@ _EOF
+   run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+   expect_output --substring "invalid mount option"
+ }
+
+@test "build-check-cve-2024-9675" {
+  _prefetch alpine
+
+  touch ${TEST_SCRATCH_DIR}/file.txt
+
+  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
+FROM alpine
+RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
+ls -l /var/tmp && cat /var/tmp/file.txt
+EOF
+
+  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+
+  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
+FROM alpine
+RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
+ls -l /var/tmp && cat /var/tmp/file.txt
+EOF
+
+  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+
+  mkdir ${TEST_SCRATCH_DIR}/cve20249675
+  cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
+FROM alpine
+RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
+ls -l /var/tmp && cat /var/tmp/file.txt
+EOF
+
+  run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+}
+-- 
+2.46.0
+
--- a/buildah.changes
+++ b/buildah.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 15 06:48:18 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9675 (bsc#1231499):
+  * 0001-Properly-validate-cache-IDs-and-sources.patch
+
 -------------------------------------------------------------------
 Mon Oct 07 13:56:12 UTC 2024 - dcermak@suse.com

--- a/buildah.spec
+++ b/buildah.spec
@ -27,6 +27,7 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
+Patch0:         0001-Properly-validate-cache-IDs-and-sources.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes