pool/buildah
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
...
pull from: pool:slfo-main
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

3 Commits
factory ... slfo-main

Author SHA256 Message Date
Danish Prakash
f345bbb2b2 Add patch for CVE-2025-47914 (bsc#1254054), CVE-2025-47913 (bsc#1253598) 
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
 2025-12-23 13:27:20 +05:30
Danish Prakash
683962bb89 Add patch for CVE-2025-52881 (bsc#1253096) 
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
 2025-11-14 20:37:24 +05:30
Adrian Schröter
251765ad93 Sync changes to SLFO-1.2 branch 2025-08-20 09:05:12 +02:00
10 changed files with 928 additions and 257 deletions
Expand all files Collapse all files

145
0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch Normal file
View File

@@ -0,0 +1,145 @@
From 71adcd0546fa3becd9a95ebbfc21bb15610ed44e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
Date: Mon, 17 Mar 2025 10:37:21 +0100
Subject: [PATCH 1/4] CVE-2025-22869: vendor/ssh: limit the size of the
internal packet queue while waiting for KEX (#7)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the SSH protocol, clients and servers execute the key exchange to
generate one-time session keys used for encryption and authentication.
The key exchange is performed initially after the connection is
established and then periodically after a configurable amount of data.
While a key exchange is in progress, we add the received packets to an
internal queue until we receive SSH_MSG_KEXINIT from the other side.
This can result in high memory usage if the other party is slow to
respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
malicious client never responds to an SSH_MSG_KEXINIT packet during a
large file transfer.
We now limit the internal queue to 64 packets: this means 2MB with the
typical 32KB packet size.
When the internal queue is full we block further writes until the
pending key exchange is completed or there is a read or write error.
Thanks to Yuichi Watanabe for reporting this issue.
Fixes: CVE-2025-22869
Bugs: bsc#1239339
Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135
Reviewed-by: Neal Patel <nealpatel@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Signed-off-by: Dan Čermák <dcermak@suse.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
1 file changed, 37 insertions(+), 10 deletions(-)
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index 56cdc7c21c3b..a68d20f7f396 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -25,6 +25,11 @@ const debugHandshake = false
// quickly.
const chanSize = 16
+// maxPendingPackets sets the maximum number of packets to queue while waiting
+// for KEX to complete. This limits the total pending data to maxPendingPackets
+// * maxPacket bytes, which is ~16.8MB.
+const maxPendingPackets = 64
+
// keyingTransport is a packet based transport that supports key
// changes. It need not be thread-safe. It should pass through
// msgNewKeys in both directions.
@@ -73,11 +78,19 @@ type handshakeTransport struct {
incoming chan []byte
readError error
- mu sync.Mutex
- writeError error
- sentInitPacket []byte
- sentInitMsg *kexInitMsg
- pendingPackets [][]byte // Used when a key exchange is in progress.
+ mu sync.Mutex
+ // Condition for the above mutex. It is used to notify a completed key
+ // exchange or a write failure. Writes can wait for this condition while a
+ // key exchange is in progress.
+ writeCond *sync.Cond
+ writeError error
+ sentInitPacket []byte
+ sentInitMsg *kexInitMsg
+ // Used to queue writes when a key exchange is in progress. The length is
+ // limited by pendingPacketsSize. Once full, writes will block until the key
+ // exchange is completed or an error occurs. If not empty, it is emptied
+ // all at once when the key exchange is completed in kexLoop.
+ pendingPackets [][]byte
writePacketsLeft uint32
writeBytesLeft int64
@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
config: config,
}
+ t.writeCond = sync.NewCond(&t.mu)
t.resetReadThresholds()
t.resetWriteThresholds()
@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
defer t.mu.Unlock()
if t.writeError == nil && err != nil {
t.writeError = err
+ t.writeCond.Broadcast()
}
}
@@ -362,6 +377,8 @@ write:
}
}
t.pendingPackets = t.pendingPackets[:0]
+ // Unblock writePacket if waiting for KEX.
+ t.writeCond.Broadcast()
t.mu.Unlock()
}
@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
}
if t.sentInitMsg != nil {
- // Copy the packet so the writer can reuse the buffer.
- cp := make([]byte, len(p))
- copy(cp, p)
- t.pendingPackets = append(t.pendingPackets, cp)
- return nil
+ if len(t.pendingPackets) < maxPendingPackets {
+ // Copy the packet so the writer can reuse the buffer.
+ cp := make([]byte, len(p))
+ copy(cp, p)
+ t.pendingPackets = append(t.pendingPackets, cp)
+ return nil
+ }
+ for t.sentInitMsg != nil {
+ // Block and wait for KEX to complete or an error.
+ t.writeCond.Wait()
+ if t.writeError != nil {
+ return t.writeError
+ }
+ }
}
if t.writeBytesLeft > 0 {
@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
if err := t.pushPacket(p); err != nil {
t.writeError = err
+ t.writeCond.Broadcast()
}
return nil
--
2.51.1

77
0002-run-handle-relabeling-bind-mounts-ourselves.patch Normal file
View File

@@ -0,0 +1,77 @@
From 60431f798b04472409feb826d311ecd41ee22d85 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Wed, 11 Jun 2025 20:42:30 +0530
Subject: [PATCH 2/4] run: handle relabeling bind mounts ourselves
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
directly, instead of letting the runtime handle the relabeling.
Bugs: bsc#1242445
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
run_linux.go | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/run_linux.go b/run_linux.go
index 5d040cbb9997..e3e65102bc35 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -542,6 +542,33 @@ rootless=%d
defer b.cleanupTempVolumes()
+ // Handle mount flags that request that the source locations for "bind" mountpoints be
+ // relabeled, and filter those flags out of the list of mount options we pass to the
+ // runtime.
+ for i := range spec.Mounts {
+ switch spec.Mounts[i].Type {
+ default:
+ continue
+ case "bind", "rbind":
+ // all good, keep going
+ }
+ zflag := ""
+ for _, opt := range spec.Mounts[i].Options {
+ if opt == "z" || opt == "Z" {
+ zflag = opt
+ }
+ }
+ if zflag == "" {
+ continue
+ }
+ spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool {
+ return opt == "z" || opt == "Z"
+ })
+ if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil {
+ return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err)
+ }
+ }
+
switch isolation {
case define.IsolationOCI:
var moreCreateArgs []string
@@ -1130,16 +1157,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string,
if err := relabel(host, mountLabel, true); err != nil {
return specs.Mount{}, err
}
+ options = slices.DeleteFunc(options, func(o string) bool { return o == "z" })
}
if foundZ {
if err := relabel(host, mountLabel, false); err != nil {
return specs.Mount{}, err
}
+ options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" })
}
if foundU {
if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil {
return specs.Mount{}, err
}
+ options = slices.DeleteFunc(options, func(o string) bool { return o == "U" })
}
if foundO {
if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") {
--
2.51.1

64
0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch Normal file
View File

@@ -0,0 +1,64 @@
From 0277a37699cc0930e40f8ab24ec5caa68bbe2de9 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Fri, 14 Nov 2025 13:08:55 +0530
Subject: [PATCH 3/4] CVE-2025-52881: backport subset of patch from runc
buildah imports libcontainer/apparmor for the chroot isolation engine,
so we need to patch it directly. None of the other vulnerable codepaths
from CVE-2025-52881 are relevant.
Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1253096
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
.../libcontainer/apparmor/apparmor_linux.go | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
index a3a8e93258e7..3453a5a16712 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
@@ -6,9 +6,10 @@ import (
"os"
"sync"
+ "github.com/cyphar/filepath-securejoin/pathrs-lite"
+ "github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
"golang.org/x/sys/unix"
- "github.com/opencontainers/runc/internal/pathrs"
"github.com/opencontainers/runc/libcontainer/utils"
)
@@ -36,14 +37,26 @@ func setProcAttr(attr, value string) error {
attrSubPath = "attr/" + attr
}
+ proc, err := procfs.OpenProcRoot()
+ if err != nil {
+ return err
+ }
+ defer proc.Close()
+
// Under AppArmor you can only change your own attr, so there's no reason
// to not use /proc/thread-self/ (instead of /proc/<tid>/, like libapparmor
// does).
- f, closer, err := pathrs.ProcThreadSelfOpen(attrSubPath, unix.O_WRONLY|unix.O_CLOEXEC)
+ handle, closer, err := proc.OpenThreadSelf(attrSubPath)
if err != nil {
return err
}
defer closer()
+ defer handle.Close()
+
+ f, err := pathrs.Reopen(handle, unix.O_WRONLY|unix.O_CLOEXEC)
+ if err != nil {
+ return err
+ }
defer f.Close()
_, err = f.WriteString(value)
--
2.51.1

86
0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch Normal file
View File

@@ -0,0 +1,86 @@
From 254d7a74914ece920f48d36d0fcab084fa2e6663 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Mon, 17 Nov 2025 14:57:51 +0530
Subject: [PATCH 4/4] CVE-2025-47913, CVE-2025-47914: ssh/agent fixes
--
CVE-2025-47913: ssh/agent: return an error for unexpected message types
Previously, receiving an unexpected message type in response to a key
listing or a signing request could cause a panic due to a failed type
assertion.
This change adds a default case to the type switch in order to detect
and explicitly handle unknown or invalid message types, returning a
descriptive error instead of crashing.
Fixes CVE-2025-47913
Fixes golang/go#75178
Fixes bsc#1253598
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
--
CVE-2025-47914: ssh/agent: prevent panic on malformed constraint
An attacker could supply a malformed Constraint that
would trigger a panic in a serving agent, effectively
causing denial of service.
Thank you to Jakub Ciolek for reporting this issue.
Fixes CVE-2025-47914
Fixes golang/go#76364
Fixes bsc#1254054
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
index 106708d289eb..410e21b065ce 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
return keys, nil
case *failureAgentMsg:
return nil, errors.New("agent: failed to list keys")
+ default:
+ return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
}
- panic("unreachable")
}
// Sign has the agent sign the data using a protocol 2 key as defined
@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
return &sig, nil
case *failureAgentMsg:
return nil, errors.New("agent: failed to sign challenge")
+ default:
+ return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
}
- panic("unreachable")
}
// unmarshal parses an agent message in packet, returning the parsed
diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
index e35ca7ce3182..6c05994928ba 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
for len(constraints) != 0 {
switch constraints[0] {
case agentConstrainLifetime:
+ if len(constraints) < 5 {
+ return 0, false, nil, io.ErrUnexpectedEOF
+ }
lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
constraints = constraints[5:]
case agentConstrainConfirm:
--
2.51.1

2
_service
View File

@@ -5,7 +5,7 @@
<param name="filename">buildah</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="revision">v1.40.1</param>
<param name="revision">v1.39.5</param>
<param name="changesgenerate">enable</param>
</service>
<service name="recompress" mode="manual">

2
_servicedata
View File

@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/containers/buildah.git</param>
<param name="changesrevision">b013f3474f3a2819e9106640d4918c10a37fa341</param></service></servicedata>
<param name="changesrevision">61d416a95863c2bde9e49efdd9a65562c039e106</param></service></servicedata>

BIN
buildah-1.39.5.tar.xz LFS Normal file
View File

Binary file not shown.

3
buildah-1.40.1.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3287ef7040b00a784b53ac30f4556b4b8b9e3b3656c8f8c9e9072f08faf27158
size 7705368

797
buildah.changes
View File

@@ -1,184 +1,39 @@
-------------------------------------------------------------------
Mon Jun 09 07:09:39 UTC 2025 - Madhankumar Chellamuthu <madhankumar.chellamuthu@suse.com>
Tue Dec 23 07:55:59 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
- Update to version 1.40.1:
* Tag v1.40.1
* vendor: update c/common to v0.63.1
* CI: run integration tests on Fedora with both crun and runc
* buildah-build(1): clarify that --cgroup-parent affects RUN instructions
* runUsingRuntime: use named constants for runtime states
* Add a dummy "runtime" that just dumps its config file
* run: handle relabeling bind mounts ourselves
* Tweak our handling of variant values, again
- Add patch for CVE-2025-47914 (bsc#1254054), CVE-2025-47913 (bsc#1253598):
* 0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
- Rebase patches:
* 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
* 0002-run-handle-relabeling-bind-mounts-ourselves.patch
* 0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
-------------------------------------------------------------------
Tue Apr 22 04:53:45 UTC 2025 - Madhankumar Chellamuthu <madhankumar.chellamuthu@suse.com>
Thu Nov 6 11:38:26 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
- Update to version 1.40.0:
* Bump Buildah to v1.40.0
* Bump c/storage to v1.58.0, c/image v5.35.0, c/common v0.63.0
* fix(deps): update module github.com/docker/docker to v28.1.0+incompatible
* fix(deps): update module github.com/containers/storage to v1.58.0
* cirrus: make Total Success wait for rootless integration
* chroot: use symbolic names when complaining about mount() errors
* cli: hide the `completion` command instead of disabling it outright
* Document rw and src options for --mount flag in buildah-run(1)
* fix(deps): update module github.com/moby/buildkit to v0.21.0
* build: add support for inherit-labels
* chore(deps): update dependency golangci/golangci-lint to v2.1.0
* .github: check_cirrus_cron work around github bug
* stage_executor,getCreatedBy: expand buildArgs for sources correctly
* Add a link to project governance and MAINTAINERS file
* fix(deps): update github.com/containers/storage digest to b1d1b45
* generateHostname: simplify
* Use maps.Copy
* Use slices.Concat
* Use slices.Clone
* Use slices.Contains
* Use for range over integers
* tests/testreport: don't copy os.Environ
* Use any instead of interface{}
* ci: add golangci-lint run with --tests=false
* ci: add nolintlint, fix found issues
* copier: rm nolint:unparam annotation
* .golangci.yml: add unused linter
* chroot: fix unused warnings
* copier: fix unused warnings
* tests/conformance: fix unused warning
* ci: switch to golangci-lint v2
* internal/mkcw: disable ST1003 warnings
* tests/conformance: do not double import (fix ST1019)
* cmd/buildah: don't double import (fix ST1019)
* Do not capitalize error strings
* cmd/buildah: do not capitalize error strings
* tests/conformance: fix QF1012 warnings
* tests/serve: fix QF1012 warning
* Use strings.ReplaceAll to fix QF1004 warnings
* Use switch to fix QF1003 warnings
* Apply De Morgan's law to fix QF1001 warnings
* Fix QF1007 staticcheck warnings
* imagebuildah: fix revive warning
* Rename max variable
* tests/tools: install lint from binary, use renovate
* fix(deps): update module github.com/containernetworking/cni to v1.3.0
* Update Buildah issue template to new version and support podman build
* fix(deps): update module golang.org/x/crypto to v0.37.0
* stage_executor: reset platform in systemcontext for stages
* fix(deps): update github.com/opencontainers/runtime-tools digest to 260e151
* cmd/buildah: rm unused containerOutputUsingTemplate
* cmd/buildah: rm unused getDateAndDigestAndSize
* build: return ExecErrorCodeGeneric when git operation fails
* add: report error while creating dir for URL source.
* createPlatformContainer: drop MS_REMOUNT|MS_BIND
* fix(deps): update module github.com/docker/docker to v28.0.3+incompatible
* fix: bats won't fail on ! without cleverness
* feat: use HistoryTimestamp, if set, for oci-archive entries
* Allow extendedGlob to work with Windows paths
* fix(deps): update module github.com/moby/buildkit to v0.20.2
* fix(deps): update github.com/openshift/imagebuilder digest to e87e4e1
* fix(deps): update module github.com/docker/docker to v28.0.2+incompatible
* fix(deps): update module tags.cncf.io/container-device-interface to v1.0.1
* chore(deps): update dependency containers/automation_images to v20250324
* vendor: update github.com/opencontainers/selinux to v1.12.0
* replace deprecated selinux/label calls
* vendor: bump c/common to dbeb17e40c80
* Use builtin arg defaults from imagebuilder
* linux: accept unmask paths as glob values
* vendor: update containers/common
* Add --parents option for COPY in Dockerfiles
* fix(deps): update module github.com/opencontainers/runc to v1.2.6
* update go.sum from the previous commit
* fix(deps): update module tags.cncf.io/container-device-interface to v1
* chore(deps): update module golang.org/x/net to v0.36.0 [security]
* packit: remove f40 from copr builds
* cirrus: update to go 1.23 image
* vendor bump to golang.org/x/crypto v0.36.0
* cirrus: update PRIOR_FEDORA comment
* github: remove cirrus rerun action
* fix(deps): update module github.com/containers/common to v0.62.2
* fix(deps): update module github.com/containers/image/v5 to v5.34.2
* fix: close files properly when BuildDockerfiles exits
* fix(deps): update module github.com/containers/storage to v1.57.2
* stage_executor: history should include heredoc summary correctly
* fix(deps): update module github.com/containers/common to v0.62.1
* github: disable cron rerun action
* fix(deps): update module github.com/moby/buildkit to v0.20.1
* internal/mkcw.Archive(): use github.com/containers/storage/pkg/ioutils
* [skip-ci] TMT: system tests
* buildah-build.1.md: secret examples
* fix(deps): update github.com/containers/luksy digest to 40bd943
* fix(deps): update module github.com/opencontainers/image-spec to v1.1.1
* fix(deps): update module github.com/containers/image/v5 to v5.34.1
* Use UnparsedInstance.Manifest instead of ImageSource.GetManifest
* fix(deps): update module github.com/opencontainers/runtime-spec to v1.2.1
* tests/conformance/testdata/Dockerfile.add: update some URLs
* Vendor imagebuilder
* Fix source of OS, architecture and variant
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]
* fix(deps): update module tags.cncf.io/container-device-interface to v0.8.1
* fix(deps): update module github.com/moby/buildkit to v0.20.0
* chroot createPlatformContainer: use MS_REMOUNT
* conformance: make TestCommit and TestConformance parallel
* cirrus: reduce task timeout
* mkcw: mkcw_check_image use bats run_with_log
* test: use /tmp as TMPDIR
* heredoc: create temp subdirs for each build
* test: heredoc remove python dependency from test
* Support the containers.conf container_name_as_hostname option
* fix(deps): update module github.com/opencontainers/runc to v1.2.5
* fix(deps): update module github.com/spf13/cobra to v1.9.0
* .cirrus: use more cores for smoke
* Switch to the CNCF Code of Conduct
* .cirrus: bump ci resources
* fix(deps): update module golang.org/x/crypto to v0.33.0
* Distinguish --mount=type=cache locations by ownership, too
* fix(deps): update module golang.org/x/term to v0.29.0
* .cirrus: run -race only on non-PR branch
* unit: deparallize some tests
* .cirrus: use multiple cpu for unit tests
* Makefile: use -parallel for go test
* unit_test: use Parallel test where possible
* Update module golang.org/x/sys to v0.30.0
* Update module golang.org/x/sync to v0.11.0
* Update dependency containers/automation_images to v20250131
* Bump to Buildah v1.40.0-dev
-------------------------------------------------------------------
Sun Mar 30 09:10:37 UTC 2025 - dcermak@suse.com
- Update to version 1.39.4:
- Add patch for CVE-2025-52881 (bsc#1253096):
* 0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
- Rebase patches:
* 0002-run-handle-relabeling-bind-mounts-ourselves.patch
* 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to version 1.39.5:
* [release-1.39] Bump to Buildah v1.39.5
* [release-1.39] Bump x/tools to v0.26.0
* [release-1.39] replace deprecated selinux/label calls
* [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881
* Builder.sbomScan(): don't break non-root scanners
* [release-1.39] Bump to Buildah v1.39.4
* [release-1.39] Bump c/image to v5.34.3, c/common v0.62.3
* createPlatformContainer: drop MS_REMOUNT|MS_BIND
-------------------------------------------------------------------
Mon Mar 17 07:53:08 UTC 2025 - dcermak@suse.com
- Update to version 1.39.3:
* [release-1.39] Bump to Buildah v1.39.3
* [release-1.39] Bump c/storage to v1.57.2, c/image v5.34.2,...
-------------------------------------------------------------------
Thu Mar 06 09:01:43 UTC 2025 - dcermak@suse.com
- Update to version 1.39.2:
* [release-1.39] Bump to Buildah v1.39.2
* [release-1.39] tests/conformance/testdata/Dockerfile.add:...
* [release-1.39] Bump c/image to v5.34.1, c/common v0.62.1
-------------------------------------------------------------------
Thu Feb 27 14:37:20 UTC 2025 - dcermak@suse.com
- Update to version 1.39.1:
* Tag v1.39.1
* CI config: post-branch update
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]
* chroot createPlatformContainer: use MS_REMOUNT
-------------------------------------------------------------------
Tue Feb 04 06:04:06 UTC 2025 - madhankumar.chellamuthu@suse.com
- Update to version 1.39.0:
* Bump to Buildah v1.39.0
* Bump c/storage v1.57.1, c/image 5.34.0, c/common v0.62.0
* Update module github.com/containers/storage to v1.57.0
@@ -266,29 +121,6 @@ Tue Feb 04 06:04:06 UTC 2025 - madhankumar.chellamuthu@suse.com
* Finish updating to go 1.22
* CI VMs: bump again
* Bump to Buidah v1.39.0-dev
* stage_executor: set avoidLookingCache only if mounting stage
* imagebuildah: additionalContext is not a local built stage
-------------------------------------------------------------------
Mon Jan 27 09:43:31 UTC 2025 - madhankumar.chellamuthu@suse.com
- Update to version 1.38.1:
* Tag v1.38.1
* [release-1.38][CI:DOCS] Touch up changelogs
* [release-1.38] Bump c/storage v1.56.1, c/image v5.33.1, c/common v0.61.1
* Fix TOCTOU error when bind and cache mounts use "src" values
* define.TempDirForURL(): always use an intermediate subdirectory
* internal/volume.GetBindMount(): discard writes in bind mounts
* pkg/overlay: add a MountLabel flag to Options
* pkg/overlay: add a ForceMount flag to Options
* Add internal/volumes.bindFromChroot()
* Add an internal/open package
* Allow cache mounts to be stages or additional build contexts
-------------------------------------------------------------------
Mon Nov 18 05:34:39 UTC 2024 - madhankumar.chellamuthu@suse.com
- Update to version 1.38.0:
* Bump to Buildah v1.38.0
* Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
* fix(deps): update module golang.org/x/crypto to v0.29.0
@@ -367,6 +199,8 @@ Mon Nov 18 05:34:39 UTC 2024 - madhankumar.chellamuthu@suse.com
* Update some godocs, use 0o to prefix an octal in a comment
* buildah-build.1.md: expand the --layer-label description
* fix(deps): update module github.com/containers/common to v0.60.2
* stage_executor: set avoidLookingCache only if mounting stage
* imagebuildah: additionalContext is not a local built stage
* run: fix a nil pointer dereference on FreeBSD
* CI: enable the whitespace linter
* Fix some govet linter warnings
@@ -405,67 +239,11 @@ Mon Nov 18 05:34:39 UTC 2024 - madhankumar.chellamuthu@suse.com
* fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
* Use Epoch: 2 and respect the epoch in dependencies.
* Bump to Buildah v1.38.0-dev
* Buildah v1.37.0
* Bump c/storage, c/image, c/common for v1.37.0
* AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
* Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
* integration tests: teach starthttpd() about TLS and pid files
-------------------------------------------------------------------
Mon Oct 21 06:45:12 UTC 2024 - danish.prakash@suse.com
- Update to version 1.37.5:
* [release-1.37] Bump Buildah to v1.37.5
* Bump the containers/storage library to v1.55.1 (CVE-2024-9676, bsc#1231698)
* Properly validate cache IDs and sources
* Packit: constrain koji job to fedora package to avoid dupes
- Removed patch:
* 0001-Properly-validate-cache-IDs-and-sources.patch (merged upstream)
-------------------------------------------------------------------
Tue Oct 15 06:48:18 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9675 (bsc#1231499):
* 0001-Properly-validate-cache-IDs-and-sources.patch
-------------------------------------------------------------------
Mon Oct 07 13:56:12 UTC 2024 - dcermak@suse.com
- Update to version 1.37.4:
* CVE-2024-9407: validate "bind-propagation" flag settings
fixes bsc#1231208
* Update c/common to fix CVE-2024-9341 aka bsc#1231230
-------------------------------------------------------------------
Tue Sep 24 05:42:35 UTC 2024 - madhankumar.chellamuthu@suse.com
- Update to version 1.37.3:
* [release-1.37] Bump to Buildah v1.37.3
* Do not error on trying to write IMA xattr as rootless
* imagebuildah.StageExecutor: clean up volumes/volumeCache
* `manifest add --artifact`: handle multiple values
* Packit: split out ELN jobs and reuse fedora downstream targets
* Packit: Enable sidetags for bodhi updates
* Use Epoch: 2 and respect the epoch in dependencies.
-------------------------------------------------------------------
Thu Aug 22 08:03:41 UTC 2024 - dcermak@suse.com
- Update to version 1.37.2:
* [release-1.37] Bump Buildah to v1.37.2
* [release-1.37] Bump c/common to v0.60.2, c/image to v5.32.2
-------------------------------------------------------------------
Wed Aug 14 09:18:52 UTC 2024 - dcermak@suse.com
- Update to version 1.37.1:
* [release-1.37] Bump to Buildah v1.37.1
* [release-1.37] Bump c/common v0.60.1, c/image v5.32.1
-------------------------------------------------------------------
Mon Jul 29 06:38:57 UTC 2024 - danish.prakash@suse.com
- Update to version 1.37.0:
* Buildah v1.37.0
* Bump c/storage, c/image, c/common for v1.37.0
* "build with basename resolving user arg" tests: correct ARG use
* bud-multiple-platform-no-run test: correct ARG use
* imagebuildah: always have default values for $TARGET... args ready
@@ -533,18 +311,13 @@ Mon Jul 29 06:38:57 UTC 2024 - danish.prakash@suse.com
* imagebuildah: Support custom image reference lookup for cache push/pull
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
* Bump to v1.37.0-dev
* CI: Clarify Debian use for conformance tests
-------------------------------------------------------------------
Fri May 24 06:36:06 UTC 2024 - dcermak@suse.com
- Update to version 1.36.0:
* Bump to v1.36.0
* build: be more selective about specifying the default OS
* Bump to c/common v0.59.0
* Fix buildah prune --help showing the same example twice
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0
* fix(deps): update module github.com/containers/image/v5 to v5.31.0
* CI: Clarify Debian use for conformance tests
* bud tests: fix breakage when vendoring into podman
* Integration tests: fake up a replacement for nixery.dev/shell
* copierWithSubprocess(): try to capture stderr on io.ErrClosedPipe
@@ -624,6 +397,520 @@ Fri May 24 06:36:06 UTC 2024 - dcermak@suse.com
* Update .gitignore
* Bump to v1.36.0-dev
-------------------------------------------------------------------
Thu Jun 12 07:43:39 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
- Add patch to fix bsc#1242445 (https://github.com/containers/buildah/issues/6071)
* 0002-run-handle-relabeling-bind-mounts-ourselves.patch
- Rebase patch:
* 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
-------------------------------------------------------------------
Wed May 14 10:25:04 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
- Rebase patch:
* 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Removed patch:
* 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
* 0002-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to version 1.39.4:
* [release-1.39] Bump to Buildah v1.39.4
* [release-1.39] Bump c/image to v5.34.3, c/common v0.62.3
* createPlatformContainer: drop MS_REMOUNT|MS_BIND
* [release-1.39] Bump to Buildah v1.39.3
* [release-1.39] Bump c/storage to v1.57.2, c/image v5.34.2,...
* [release-1.39] Bump to Buildah v1.39.2
* [release-1.39] tests/conformance/testdata/Dockerfile.add:...
* [release-1.39] Bump c/image to v5.34.1, c/common v0.62.1
* Tag v1.39.1
* CI config: post-branch update
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]
* chroot createPlatformContainer: use MS_REMOUNT
* Bump to Buildah v1.39.0
* Bump c/storage v1.57.1, c/image 5.34.0, c/common v0.62.0
* Update module github.com/containers/storage to v1.57.0
* CI, .cirrus: parallelize containerized integration
* ed's comment: cleanup
* use seperate blobinfocache for flaky test
* bump CI VMs to 4 CPUs (was: 2) for integration tests
* cleanup, debug, and disable parallel in blobcache tests
* bats tests - parallelize
* pkg/overlay: cleanups
* RPM: include check section to silence rpmlint
* RPM: use default gobuild macro on RHEL
* tests: remove masked /sys/dev/block check
* vendor to latest c/{common,image,storage}
* build, run: record hash or digest in image history
* Accept image names as sources for cache mounts
* Run(): always clean up options.ExternalImageMounts
* refactor: replace golang.org/x/exp with stdlib
* Update to c/image @main
* fix broken doc link
* run_freebsd.go: only import runtime-spec once
* fix(deps): update module github.com/docker/docker to v27.5.1+incompatible
* bump github.com/vbatts/tar-split
* Add more checks to the --mount flag parsing logic
* chroot mount flags integration test: copy binaries
* fix(deps): update module github.com/moby/buildkit to v0.19.0
* relabel(): correct a misleading parameter name
* Fix TOCTOU error when bind and cache mounts use "src" values
* define.TempDirForURL(): always use an intermediate subdirectory
* internal/volume.GetBindMount(): discard writes in bind mounts
* pkg/overlay: add a MountLabel flag to Options
* pkg/overlay: add a ForceMount flag to Options
* Add internal/volumes.bindFromChroot()
* Add an internal/open package
* fix(deps): update module github.com/containers/common to v0.61.1
* fix(deps): update module github.com/containers/image/v5 to v5.33.1
* [CI:DOCS] Touch up changelogs
* fix(deps): update module github.com/docker/docker to v27.5.0+incompatible
* copy-preserving-extended-attributes: use a different base image
* fix(deps): update github.com/containers/luksy digest to a3a812d
* chore(deps): update module golang.org/x/net to v0.33.0 [security]
* fix(deps): update module golang.org/x/crypto to v0.32.0
* New VM Images
* fix(deps): update module github.com/opencontainers/runc to v1.2.4
* fix(deps): update module github.com/docker/docker to v27.4.1+incompatible
* fix(deps): update module github.com/containers/ocicrypt to v1.2.1
* Add support for --security-opt mask and unmask
* Allow cache mounts to be stages or additional build contexts
* [skip-ci] RPM: cleanup changelog conditionals
* fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.6
* fix(deps): update module github.com/moby/buildkit to v0.18.2
* Fix an error message in the chroot unit test
* copier: use .PAXRecords instead of .Xattrs
* chroot: on Linux, try to pivot_root before falling back to chroot
* manifest add: add --artifact-annotation
* Add context to an error message
* Update module golang.org/x/crypto to v0.31.0
* Update module github.com/opencontainers/runc to v1.2.3
* Update module github.com/docker/docker to v27.4.0+incompatible
* Update module github.com/cyphar/filepath-securejoin to v0.3.5
* CI: don't build a binary in the unit tests task
* CI: use /tmp for $GOCACHE
* CI: remove dependencies on the cross-build task
* CI: run cross-compile task with make -j
* Update module github.com/docker/docker to v27.4.0-rc.4+incompatible
* Update module github.com/moby/buildkit to v0.18.1
* Update module golang.org/x/crypto to v0.30.0
* Update golang.org/x/exp digest to 2d47ceb
* Update github.com/opencontainers/runtime-tools digest to f7e3563
* [skip-ci] Packit: remove rhel copr build jobs
* [skip-ci] Packit: switch to fedora-all for copr
* Update module github.com/stretchr/testify to v1.10.0
* Update module github.com/moby/buildkit to v0.17.2
* Makefile: use `find` to detect source files
* Tests: make _prefetch() parallel-safe
* Update module github.com/opencontainers/runc to v1.2.2
* executor: allow to specify --no-pivot-root
* Update module github.com/moby/sys/capability to v0.4.0
* Makefile: mv codespell config to .codespellrc
* Fix some codespell errors
* Makefile,install.md: rm gopath stuff
* Makefile: rm targets working on ..
* build: rm exclude_graphdriver_devicemapper tag
* Makefile: rm unused var
* Finish updating to go 1.22
* CI VMs: bump again
* Bump to Buidah v1.39.0-dev
* Bump to Buildah v1.38.0
* Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
* fix(deps): update module golang.org/x/crypto to v0.29.0
* fix(deps): update module github.com/moby/buildkit to v0.17.1
* fix(deps): update module github.com/containers/storage to v1.56.0
* tests: skip two ulimit tests
* CI VMs: bump f40 -> f41
* tests/tools: rebuild tools when we change versions
* tests/tools: update golangci-lint to v1.61.0
* fix(deps): update module github.com/moby/buildkit to v0.17.0
* Handle RUN --mount with relative targets and no configured workdir
* tests: bud: make parallel-safe
* fix(deps): update module github.com/opencontainers/runc to v1.2.1
* fix(deps): update golang.org/x/exp digest to f66d83c
* fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a
* tests: blobcache: use unique image name
* tests: sbom: never write to cwd
* tests: mkcw: bug fixes, refactor
* deps: bump runc to v1.2.0
* deps: switch to moby/sys/userns
* tests/test_runner.sh: remove some redundancies
* Integration tests: run git daemon on a random-but-bind()able port
* fix(deps): update module github.com/opencontainers/selinux to v1.11.1
* go.mod: remove unnecessary replace
* Document more buildah build --secret options
* Add support for COPY --exclude and ADD --exclude options
* fix(deps): update github.com/containers/luksy digest to e2530d6
* chore(deps): update dependency containers/automation_images to v20241010
* fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4
* Properly validate cache IDs and sources
* [skip-ci] Packit: constrain koji job to fedora package to avoid dupes
* Audit and tidy OWNERS
* fix(deps): update module golang.org/x/crypto to v0.28.0
* tests: add quotes to names
* vendor: update c/common to latest
* CVE-2024-9407: validate "bind-propagation" flag settings
* vendor: switch to moby/sys/capability
* Don't set ambient capabilities
* Document that zstd:chunked is downgraded to zstd when encrypting
* fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3
* buildah-manifest-create.1: Fix manpage section
* chore(deps): update dependency ubuntu to v24
* Make `buildah manifest push --all` true by default
* chroot: add newlines at the end of printed error messages
* Do not error on trying to write IMA xattr as rootless
* fix: remove duplicate conditions
* fix(deps): update module github.com/moby/buildkit to v0.16.0
* fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2
* Document how entrypoint is configured in buildah config
* In a container, try to register binfmt_misc
* imagebuildah.StageExecutor: clean up volumes/volumeCache
* build: fall back to parsing a TARGETPLATFORM build-arg
* `manifest add --artifact`: handle multiple values
* Packit: split out ELN jobs and reuse fedora downstream targets
* Packit: Enable sidetags for bodhi updates
* fix(deps): update module github.com/docker/docker to v27.2.1+incompatible
* tests/bud.bats: add git source
* add: add support for git source
* Add support for the new c/common pasta options
* vendor latest c/common
* fix(deps): update module golang.org/x/term to v0.24.0
* fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0
* packit: update fedora and epel targets
* cirrus: disable f39 testing
* cirrus: fix fedora names
* update to go 1.22
* Vendor c/common:9d025e4cb348
* copier: handle globbing with "**" path components
* fix(deps): update golang.org/x/exp digest to 9b4947d
* fix(deps): update github.com/containers/luksy digest to 2e7307c
* imagebuildah: make scratch config handling toggleable
* fix(deps): update module github.com/docker/docker to v27.2.0+incompatible
* Add a validation script for Makefile $(SOURCES)
* fix(deps): update module github.com/openshift/imagebuilder to v1.2.15
* New VMs
* Update some godocs, use 0o to prefix an octal in a comment
* buildah-build.1.md: expand the --layer-label description
* fix(deps): update module github.com/containers/common to v0.60.2
* stage_executor: set avoidLookingCache only if mounting stage
* imagebuildah: additionalContext is not a local built stage
* run: fix a nil pointer dereference on FreeBSD
* CI: enable the whitespace linter
* Fix some govet linter warnings
* Commit(): retry committing to local storage on storage.LayerUnknown
* CI: enable the gofumpt linter
* conformance: move weirdly-named files out of the repository
* fix(deps): update module github.com/docker/docker to v27.1.2+incompatible
* fix(deps): update module github.com/containers/common to v0.60.1
* *: use gofmt -s, add gofmt linter
* *: fix build tags
* fix(deps): update module github.com/containers/image/v5 to v5.32.1
* Add(): re-escape any globbed items that included escapes
* conformance tests: use mirror.gcr.io for most images
* unit tests: use test-specific policy.json and registries.conf
* fix(deps): update module golang.org/x/sys to v0.24.0
* Update to spun-out "github.com/containerd/platforms"
* Bump github.com/containerd/containerd
* test/tools/Makefile: duplicate the vendor-in-container target
* linters: unchecked error
* linters: don't end loop iterations with "else" when "then" would
* linters: unused arguments shouldn't have names
* linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5()
* linters: don't name variables "cap"
* `make lint`: use --timeout instead of --deadline
* Drop the e2e test suite
* fix(deps): update module golang.org/x/crypto to v0.26.0
* fix(deps): update module github.com/onsi/gomega to v1.34.1
* `make vendor-in-container`: use the caller's Go cache if it exists
* fix(deps): fix test/tools ginkgo typo
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1
* Update to keep up with API changes in storage
* fix(deps): update github.com/containers/luksy digest to 1f482a9
* install: On Debian/Ubuntu, add installation of libbtrfs-dev
* fix(deps): update module golang.org/x/sys to v0.23.0
* fix(deps): update golang.org/x/exp digest to 8a7402a
* fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
* Use Epoch: 2 and respect the epoch in dependencies.
* Bump to Buildah v1.38.0-dev
* AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
* Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
* integration tests: teach starthttpd() about TLS and pid files
-------------------------------------------------------------------
Mon Mar 24 11:04:14 UTC 2025 - Dan Čermák <dcermak@suse.com>
- Add patch for CVE-2025-22869 - bsc#1239339
Add patch:
* 0002-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
(CVE-2025-22869 - bsc#1239339)
Rebase patch:
* 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
-------------------------------------------------------------------
Thu Mar 06 06:28:17 UTC 2025 - danish.prakash@suse.com
- Add patch for CVE-2025-27144 (bsc#1237681):
* 0001-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
- Removed patches(merged upstream):
* 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
* 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
* 0004-http2-close-connections-when-receiving-too-many-head.patch
- Update to version 1.37.6:
* Tag v1.37.6
* Fix TOCTOU error when bind and cache mounts use "src" values
* define.TempDirForURL(): always use an intermediate subdirectory
* internal/volume.GetBindMount(): discard writes in bind mounts
* pkg/overlay: add a MountLabel flag to Options
* pkg/overlay: add a ForceMount flag to Options
* Add internal/volumes.bindFromChroot()
* Add an internal/open package
* Allow cache mounts to be stages or additional build contexts
* [release-1.37][CI:DOCS] Touch up changelogs
* [release-1.37][CI:DOCS] touchup changelog
* Update CHANGELOG.md
* [release-1.37] Bump Buildah to v1.37.5
* Bump the containers/storage library to v1.55.1
* Properly validate cache IDs and sources
* Packit: constrain koji job to fedora package to avoid dupes
* Tag v1.37.4
* vendor: update c/common to v0.60.4
* CVE-2024-9407: validate "bind-propagation" flag settings
* [release-1.37] Bump to Buildah v1.37.3
* Do not error on trying to write IMA xattr as rootless
* imagebuildah.StageExecutor: clean up volumes/volumeCache
* `manifest add --artifact`: handle multiple values
* Packit: split out ELN jobs and reuse fedora downstream targets
* Packit: Enable sidetags for bodhi updates
* Use Epoch: 2 and respect the epoch in dependencies.
* [release-1.37] Bump Buildah to v1.37.2
* [release-1.37] Bump c/common to v0.60.2, c/image to v5.32.2
* [release-1.37] Bump to Buildah v1.37.1
* [release-1.37] Bump c/common v0.60.1, c/image v5.32.1
* Buildah v1.37.0
* Bump c/storage, c/image, c/common for v1.37.0
* "build with basename resolving user arg" tests: correct ARG use
* bud-multiple-platform-no-run test: correct ARG use
* imagebuildah: always have default values for $TARGET... args ready
* bump github.com/openshift/imagebuilder to v1.2.14
* fix(deps): update module github.com/docker/docker to v27.1.1+incompatible
* fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1
* fix(deps): update module github.com/docker/docker to v27.1.0+incompatible
* CI: use local registry, part 2 of 2
* CI: use local registry, part 1 of 2
* fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.1
* Revert "fix(deps): update github.com/containers/image/v5 to v5.31.1"
* Replace libimage.LookupReferenceFunc with the manifests version
* conformance tests: enable testing CompatVolumes
* conformance tests: add a test that tries to chown a volume
* imagebuildah: make traditional volume handling not the default
* StageExecutor.prepare(): mark base image volumes for preservation
* fix(deps): update module github.com/containers/image/v5 to v5.31.1
* Vendor in latest containers/(common, storage, image)
* fix(deps): update module golang.org/x/term to v0.22.0
* fix(deps): update module golang.org/x/sys to v0.22.0
* fix(deps): update golang.org/x/exp digest to 7f521ea
* fix(deps): update github.com/containers/luksy digest to a8846e2
* imagebuildah.StageExecutor.Copy(): reject new flags for now
* bump github.com/openshift/imagebuilder to v1.2.11
* Rework parsing of --pull flags
* fix(deps): update module github.com/containers/image/v5 to v5.31.1
* imagebuildah.StageExecutor.prepare(): log the --platform flag
* CI VMs: bump
* buildah copy: preserve owner info with --from= a container or image
* conformance tests: enable testing CompatSetParent
* containerImageRef.NewImageSource(): move the FROM comment to first
* commit: set "parent" for docker format only when requested
* Update godoc for Builder.EnsureContainerPathAs
* fix(deps): update module github.com/spf13/cobra to v1.8.1
* fix(deps): update module github.com/containernetworking/cni to v1.2.0
* fix(deps): update module github.com/opencontainers/runc to v1.1.13
* Change default for podman build to --pull missing
* fix(deps): update module github.com/containers/common to v0.59.1
* Clarify definition of --pull options
* buildah: fix a nil pointer reference on FreeBSD
* Use /var/tmp for $TMPDIR for vfs conformance jobs
* Cirrus: run `df` during job setup
* conformance: use quay.io/libpod/centos:7 instead of centos:8
* Stop setting "parent" in docker format
* conformance: check if workdir trims path separator suffixes
* push integration test: pass password to docker login via stdin
* Re-enable the "copy with chown" conformance test
* healthcheck: Add support for `--start-interval`
* fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
* fix(deps): update module github.com/containerd/containerd to v1.7.18
* tests: set _CONTAINERS_USERNS_CONFIGURED=done for libnetwork
* Cross-build on Fedora
* Drop copyStringSlice() and copyStringStringMap()
* fix(deps): update module golang.org/x/crypto to v0.24.0
* fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
* Provide an uptime_netbsd.go
* Spell unix as "!windows"
* Add netbsd to lists-of-OSes
* fix(deps): update golang.org/x/exp digest to fd00a4e
* [skip-ci] Packit: enable c10s downstream sync
* CI VMs: bump, to debian with cgroups v2
* Document when BlobDirectory is overridden
* fix secret mounts for env vars when using chroot isolation
* Change to take a types.ImageReference arg
* imagebuildah: Support custom image reference lookup for cache push/pull
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
* Bump to v1.37.0-dev
* Bump to v1.36.0
* build: be more selective about specifying the default OS
* Bump to c/common v0.59.0
* Fix buildah prune --help showing the same example twice
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0
* fix(deps): update module github.com/containers/image/v5 to v5.31.0
* CI: Clarify Debian use for conformance tests
* bud tests: fix breakage when vendoring into podman
* Integration tests: fake up a replacement for nixery.dev/shell
* copierWithSubprocess(): try to capture stderr on io.ErrClosedPipe
* Don't expand RUN heredocs ourselves, let the shell do it
* Don't leak temp files on failures
* Add release note template to split dependency chores
* fix CentOS/RHEL build - no BATS there
* fix(deps): update module github.com/containers/luksy to v0.0.0-20240506205542-84b50f50f3ee
* Address CVE-2024-3727
* chore(deps): update module github.com/opencontainers/runtime-spec to v1.2.0
* Builder.cdiSetupDevicesInSpecdefConfig(): use configured CDI dirs
* Setting --arch should set the TARGETARCH build arg
* fix(deps): update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f
* [CI:DOCS] Add link to Buildah image page to README.md
* Don't set GOTOOLCHAIN=local
* fix(deps): update module github.com/cyphar/filepath-securejoin to v0.2.5
* Makefile: set GOTOOLCHAIN=local
* Integration tests: switch some base images
* containerImageRef.NewImageSource: merge the tar filters
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.2
* fix(deps): update module github.com/containers/luksy to v0.0.0-20240408185936-afd8e7619947
* Disable packit builds for centos-stream+epel-next-8
* Makefile: add missing files to $(SOURCES)
* CI VMs: bump to new versions with tmpfs /tmp
* chore(deps): update module golang.org/x/net to v0.23.0 [security]
* integration test: handle new labels in "bud and test --unsetlabel"
* Switch packit configuration to use epel-9-$arch ...
* Give unit tests a bit more time
* Integration tests: remove a couple of duplicated tests
* Integration tests: whitespace tweaks
* Integration tests: don't remove images at start or end of test
* Integration tests: use cached images more
* Integration tests _prefetch: use registry configs
* internal: use fileutils.(Le|E)xists
* pkg/parse: use fileutils.(Le|E)xists
* buildah: use fileutils.(Le|E)xists
* chroot: use fileutils.(Le|E)xists
* vendor: update containers/(common|storage)
* Fix issue/pr lock workflow
* [CI:DOCS] Add golang 1.21 update warning
* heredoc: honor inline COPY irrespective of ignorefiles
* Update install.md
* source-push: add support for --digestfile
* Fix caching when mounting a cached stage with COPY/ADD
* fix(deps): update github.com/containers/luksy digest to 3d2cf0e
* Makefile: softcode `strip`, use it from env var
* Man page updates
* Add support for passing CDI specs to --device
* Update comments on some API objects
* pkg/parse.DeviceFromPath(): dereference src symlinks
* Makefile - instead of calling `as` directly, use it from env var
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1
* CI: bump VMs
* fix(deps): update module github.com/docker/docker to v25.0.5+incompatible
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.0
* Change RUN to comment in bud.bats
* Stop rebasing renovate PRs automatically
* Update renovate validation image
* CVE-2024-1753 container escape fix
* correctly configure /etc/hosts and resolv.conf when using network
* buildah: refactor resolv/hosts setup.
* rename the hostFile var to reflect the value better
* vendor latest c/common
* [skip-ci] rpm: use go-rpm-macros supported vendoring
* Update docs/buildah-add.1.md
* fix(deps): update module github.com/onsi/ginkgo/v2 to v2.16.0
* fix(deps): update module github.com/docker/docker to v25.0.4+incompatible
* fix(deps): update module github.com/containers/ocicrypt to v1.1.10
* chore(deps): update module gopkg.in/go-jose/go-jose.v2 to v2.6.3 [security]
* chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security]
* Bump google.golang.org/protobuf to v1.33.0
* fix links to containerignore doc
* [skip-ci] Makefile: update rpm target
* pr-should-include-tests: use GitHub label, not commit text
* tests: enable pasta tests
* [CI:DOCS] Migrate buildah container image
* Update .gitignore
* Bump to v1.36.0-dev
-------------------------------------------------------------------
Wed Feb 12 16:14:32 UTC 2025 - Dan Čermák <dcermak@suse.com>
- Add patch for CVE-2023-45288 (bsc#1236507)
Rebase patches:
* 0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
* 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
Added patch:
* 0004-http2-close-connections-when-receiving-too-many-head.patch
(CVE-2023-45288 - bsc#1236531)
-------------------------------------------------------------------
Mon Jan 27 08:06:43 UTC 2025 - danish.prakash@suse.com
- Update to version 1.35.5 (fix for CVE-2024-11218; bsc#1236272):
* Tag v1.35.5
* Fix TOCTOU error when bind and cache mounts use "src" values
* define.TempDirForURL(): always use an intermediate subdirectory
* internal/volume.GetBindMount(): discard writes in bind mounts
* pkg/overlay: add a MountLabel flag to Options
* pkg/overlay: add a ForceMount flag to Options
* Add internal/volumes.bindFromChroot()
* Add an internal/open package
* Properly validate cache IDs and sources
* CVE-2024-9407: validate "bind-propagation" flag settings
* Allow cache mounts to be stages or additional build contexts
* Integration tests: switch some base images
* Disable most packit copr targets
* Cross-build on Fedora
- Rename patches:
* 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch =>
0001-pkg-subscriptions-use-securejoin-for-the-container-p.patch
* 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch =>
0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
- Removed patches(merged upstream):
* 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
* 0003-Properly-validate-cache-IDs-and-sources.patch
-------------------------------------------------------------------
Tue Oct 22 08:30:04 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9676 (bsc#1231698):
* 0004-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
- Rebase patches:
* 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
* 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
* 0003-Properly-validate-cache-IDs-and-sources.patch
-------------------------------------------------------------------
Wed Oct 16 06:53:35 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Add patch for CVE-2024-9675 (bsc#1231499):
* 0003-Properly-validate-cache-IDs-and-sources.patch
- Rebase patches:
* 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
* 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
-------------------------------------------------------------------
Wed Oct 2 10:24:41 UTC 2024 - Dan Čermák <dcermak@suse.com>
- Add patches for CVE-2024-9407 and CVE-2024-9341:
* 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch (bsc#1231208
aka CVE-2024-9407)
* 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch (bsc#1231230
aka CVE-2024-9341)
-------------------------------------------------------------------
Fri May 10 13:56:57 UTC 2024 - danish.prakash@suse.com
@@ -647,12 +934,20 @@ Tue Apr 02 12:49:59 UTC 2024 - dcermak@suse.com
* [release-1.35] CVE-2024-24786 protobuf to 1.33
* [release-1.35] Bump to v1.35.2-dev
-------------------------------------------------------------------
Tue Mar 19 11:22:35 UTC 2024 - Dan Čermák <dcermak@suse.com>
- Add patch for CVE-2024-1753 / bsc#1221677:
0001-CVE-2024-1753-container-escape-fix.patch
-------------------------------------------------------------------
Tue Mar 19 10:23:06 UTC 2024 - dcermak@suse.com
- Update to version 1.35.1:
* [release-1.35] Bump to v1.35.1
* [release-1.35] CVE-2024-1753 container escape fix (bsc#1221677)
- Remove upstreamed patches:
- 0001-CVE-2024-1753-container-escape-fix.patch
-------------------------------------------------------------------
Mon Mar 18 11:25:51 UTC 2024 - Dan Čermák <dcermak@suse.com>

6
buildah.spec
View File

@@ -19,7 +19,7 @@
%define project github.com/containers/buildah
Name: buildah
Version: 1.40.1
Version: 1.39.5
Release: 0
Summary: Tool for building OCI containers
License: Apache-2.0
@@ -27,6 +27,10 @@ Group: System/Management
URL: https://%{project}
Source0: %{name}-%{version}.tar.xz
Source1: %{name}-rpmlintrc
Patch0: 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
Patch1: 0002-run-handle-relabeling-bind-mounts-ourselves.patch
Patch2: 0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
Patch3: 0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
BuildRequires: bash-completion
BuildRequires: device-mapper-devel
BuildRequires: fdupes