Add patch for CVE-2025-47914 (bsc#1254054), CVE-2025-47913 (bsc#1253598)

Signed-off-by: Danish Prakash <contact@danishpraka.sh>

0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch

@@ -1,7 +1,7 @@
-From ab95d15e0df73dd533aa48e67ddb984d1ab4b60f Mon Sep 17 00:00:00 2001
+From 71adcd0546fa3becd9a95ebbfc21bb15610ed44e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Mon, 17 Mar 2025 10:37:21 +0100
-Subject: [PATCH 1/2] CVE-2025-22869: vendor/ssh: limit the size of the
+Subject: [PATCH 1/4] CVE-2025-22869: vendor/ssh: limit the size of the
  internal packet queue while waiting for KEX (#7)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -141,5 +141,5 @@ index 56cdc7c21c3b..a68d20f7f396 100644
  
  	return nil
 -- 
-2.49.0
+2.51.1
 

0002-run-handle-relabeling-bind-mounts-ourselves.patch

@@ -1,7 +1,7 @@
-From 294b376928c2bb702e1c16e6a2b309ff3d8e9d6f Mon Sep 17 00:00:00 2001
+From 60431f798b04472409feb826d311ecd41ee22d85 Mon Sep 17 00:00:00 2001
 From: Nalin Dahyabhai <nalin@redhat.com>
 Date: Wed, 11 Jun 2025 20:42:30 +0530
-Subject: [PATCH 2/2] run: handle relabeling bind mounts ourselves
+Subject: [PATCH 2/4] run: handle relabeling bind mounts ourselves
 
 Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
 directly, instead of letting the runtime handle the relabeling.
@@ -73,5 +73,5 @@ index 5d040cbb9997..e3e65102bc35 100644
  		if foundO {
  			if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") {
 -- 
-2.49.0
+2.51.1
 

0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch

@@ -0,0 +1,64 @@
+From 0277a37699cc0930e40f8ab24ec5caa68bbe2de9 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Fri, 14 Nov 2025 13:08:55 +0530
+Subject: [PATCH 3/4] CVE-2025-52881: backport subset of patch from runc
+
+buildah imports libcontainer/apparmor for the chroot isolation engine,
+so we need to patch it directly. None of the other vulnerable codepaths
+from CVE-2025-52881 are relevant.
+
+Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1253096
+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ .../libcontainer/apparmor/apparmor_linux.go     | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+index a3a8e93258e7..3453a5a16712 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+@@ -6,9 +6,10 @@ import (
+ 	"os"
+ 	"sync"
+ 
++	"github.com/cyphar/filepath-securejoin/pathrs-lite"
++	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+ 	"golang.org/x/sys/unix"
+ 
+-	"github.com/opencontainers/runc/internal/pathrs"
+ 	"github.com/opencontainers/runc/libcontainer/utils"
+ )
+ 
+@@ -36,14 +37,26 @@ func setProcAttr(attr, value string) error {
+ 		attrSubPath = "attr/" + attr
+ 	}
+ 
++	proc, err := procfs.OpenProcRoot()
++	if err != nil {
++		return err
++	}
++	defer proc.Close()
++
+ 	// Under AppArmor you can only change your own attr, so there's no reason
+ 	// to not use /proc/thread-self/ (instead of /proc/<tid>/, like libapparmor
+ 	// does).
+-	f, closer, err := pathrs.ProcThreadSelfOpen(attrSubPath, unix.O_WRONLY|unix.O_CLOEXEC)
++	handle, closer, err := proc.OpenThreadSelf(attrSubPath)
+ 	if err != nil {
+ 		return err
+ 	}
+ 	defer closer()
++	defer handle.Close()
++
++	f, err := pathrs.Reopen(handle, unix.O_WRONLY|unix.O_CLOEXEC)
++	if err != nil {
++		return err
++	}
+ 	defer f.Close()
+ 
+ 	_, err = f.WriteString(value)
+-- 
+2.51.1
+

0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch

@@ -0,0 +1,86 @@
+From 254d7a74914ece920f48d36d0fcab084fa2e6663 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Mon, 17 Nov 2025 14:57:51 +0530
+Subject: [PATCH 4/4] CVE-2025-47913, CVE-2025-47914: ssh/agent fixes
+
+--
+
+CVE-2025-47913: ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes CVE-2025-47913
+Fixes golang/go#75178
+Fixes bsc#1253598
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+
+--
+
+CVE-2025-47914: ssh/agent: prevent panic on malformed constraint
+
+An attacker could supply a malformed Constraint that
+would trigger a panic in a serving agent, effectively
+causing denial of service.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-47914
+Fixes golang/go#76364
+Fixes bsc#1254054
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index 106708d289eb..410e21b065ce 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
+index e35ca7ce3182..6c05994928ba 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
+@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
+ 	for len(constraints) != 0 {
+ 		switch constraints[0] {
+ 		case agentConstrainLifetime:
++			if len(constraints) < 5 {
++				return 0, false, nil, io.ErrUnexpectedEOF
++			}
+ 			lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
+ 			constraints = constraints[5:]
+ 		case agentConstrainConfirm:
+-- 
+2.51.1
+

_service

@@ -5,7 +5,7 @@
     <param name="filename">buildah</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v1.39.4</param>
+    <param name="revision">v1.39.5</param>
     <param name="changesgenerate">enable</param>
 </service>
 <service name="recompress" mode="manual">

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/buildah.git</param>
-              <param name="changesrevision">5b7b7ca328733fafa9b82810bf919c14cb924549</param></service></servicedata>
+              <param name="changesrevision">61d416a95863c2bde9e49efdd9a65562c039e106</param></service></servicedata>

buildah.changes

@@ -1,3 +1,402 @@
+-------------------------------------------------------------------
+Tue Dec 23 08:01:46 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2025-47914 (bsc#1254054), CVE-2025-47913 (bsc#1253598):
+  * 0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
+- Rebase patches:
+  * 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+  * 0002-run-handle-relabeling-bind-mounts-ourselves.patch
+  * 0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+
+-------------------------------------------------------------------
+Thu Nov  6 11:38:26 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2025-52881 (bsc#1253096):
+  * 0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+- Rebase patches:
+  * 0002-run-handle-relabeling-bind-mounts-ourselves.patch
+  * 0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+- Update to version 1.39.5:
+  * [release-1.39] Bump to Buildah v1.39.5
+  * [release-1.39] Bump x/tools to v0.26.0
+  * [release-1.39] replace deprecated selinux/label calls
+  * [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881
+  * Builder.sbomScan(): don't break non-root scanners
+  * [release-1.39] Bump to Buildah v1.39.4
+  * [release-1.39] Bump c/image to v5.34.3, c/common v0.62.3
+  * createPlatformContainer: drop MS_REMOUNT|MS_BIND
+  * [release-1.39] Bump to Buildah v1.39.3
+  * [release-1.39] Bump c/storage to v1.57.2, c/image v5.34.2,...
+  * [release-1.39] Bump to Buildah v1.39.2
+  * [release-1.39] tests/conformance/testdata/Dockerfile.add:...
+  * [release-1.39] Bump c/image to v5.34.1, c/common v0.62.1
+  * Tag v1.39.1
+  * CI config: post-branch update
+  * chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security]
+  * chroot createPlatformContainer: use MS_REMOUNT
+  * Bump to Buildah v1.39.0
+  * Bump c/storage v1.57.1, c/image 5.34.0,  c/common v0.62.0
+  * Update module github.com/containers/storage to v1.57.0
+  * CI, .cirrus: parallelize containerized integration
+  * ed's comment: cleanup
+  * use seperate blobinfocache for flaky test
+  * bump CI VMs to 4 CPUs (was: 2) for integration tests
+  * cleanup, debug, and disable parallel in blobcache tests
+  * bats tests - parallelize
+  * pkg/overlay: cleanups
+  * RPM: include check section to silence rpmlint
+  * RPM: use default gobuild macro on RHEL
+  * tests: remove masked /sys/dev/block check
+  * vendor to latest c/{common,image,storage}
+  * build, run: record hash or digest in image history
+  * Accept image names as sources for cache mounts
+  * Run(): always clean up options.ExternalImageMounts
+  * refactor: replace golang.org/x/exp with stdlib
+  * Update to c/image @main
+  * fix broken doc link
+  * run_freebsd.go: only import runtime-spec once
+  * fix(deps): update module github.com/docker/docker to v27.5.1+incompatible
+  * bump github.com/vbatts/tar-split
+  * Add more checks to the --mount flag parsing logic
+  * chroot mount flags integration test: copy binaries
+  * fix(deps): update module github.com/moby/buildkit to v0.19.0
+  * relabel(): correct a misleading parameter name
+  * Fix TOCTOU error when bind and cache mounts use "src" values
+  * define.TempDirForURL(): always use an intermediate subdirectory
+  * internal/volume.GetBindMount(): discard writes in bind mounts
+  * pkg/overlay: add a MountLabel flag to Options
+  * pkg/overlay: add a ForceMount flag to Options
+  * Add internal/volumes.bindFromChroot()
+  * Add an internal/open package
+  * fix(deps): update module github.com/containers/common to v0.61.1
+  * fix(deps): update module github.com/containers/image/v5 to v5.33.1
+  * [CI:DOCS] Touch up changelogs
+  * fix(deps): update module github.com/docker/docker to v27.5.0+incompatible
+  * copy-preserving-extended-attributes: use a different base image
+  * fix(deps): update github.com/containers/luksy digest to a3a812d
+  * chore(deps): update module golang.org/x/net to v0.33.0 [security]
+  * fix(deps): update module golang.org/x/crypto to v0.32.0
+  * New VM Images
+  * fix(deps): update module github.com/opencontainers/runc to v1.2.4
+  * fix(deps): update module github.com/docker/docker to v27.4.1+incompatible
+  * fix(deps): update module github.com/containers/ocicrypt to v1.2.1
+  * Add support for --security-opt mask and unmask
+  * Allow cache mounts to be stages or additional build contexts
+  * [skip-ci] RPM: cleanup changelog conditionals
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.6
+  * fix(deps): update module github.com/moby/buildkit to v0.18.2
+  * Fix an error message in the chroot unit test
+  * copier: use .PAXRecords instead of .Xattrs
+  * chroot: on Linux, try to pivot_root before falling back to chroot
+  * manifest add: add --artifact-annotation
+  * Add context to an error message
+  * Update module golang.org/x/crypto to v0.31.0
+  * Update module github.com/opencontainers/runc to v1.2.3
+  * Update module github.com/docker/docker to v27.4.0+incompatible
+  * Update module github.com/cyphar/filepath-securejoin to v0.3.5
+  * CI: don't build a binary in the unit tests task
+  * CI: use /tmp for $GOCACHE
+  * CI: remove dependencies on the cross-build task
+  * CI: run cross-compile task with make -j
+  * Update module github.com/docker/docker to v27.4.0-rc.4+incompatible
+  * Update module github.com/moby/buildkit to v0.18.1
+  * Update module golang.org/x/crypto to v0.30.0
+  * Update golang.org/x/exp digest to 2d47ceb
+  * Update github.com/opencontainers/runtime-tools digest to f7e3563
+  * [skip-ci] Packit: remove rhel copr build jobs
+  * [skip-ci] Packit: switch to fedora-all for copr
+  * Update module github.com/stretchr/testify to v1.10.0
+  * Update module github.com/moby/buildkit to v0.17.2
+  * Makefile: use `find` to detect source files
+  * Tests: make _prefetch() parallel-safe
+  * Update module github.com/opencontainers/runc to v1.2.2
+  * executor: allow to specify --no-pivot-root
+  * Update module github.com/moby/sys/capability to v0.4.0
+  * Makefile: mv codespell config to .codespellrc
+  * Fix some codespell errors
+  * Makefile,install.md: rm gopath stuff
+  * Makefile: rm targets working on ..
+  * build: rm exclude_graphdriver_devicemapper tag
+  * Makefile: rm unused var
+  * Finish updating to go 1.22
+  * CI VMs: bump again
+  * Bump to Buidah v1.39.0-dev
+  * Bump to Buildah v1.38.0
+  * Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
+  * fix(deps): update module golang.org/x/crypto to v0.29.0
+  * fix(deps): update module github.com/moby/buildkit to v0.17.1
+  * fix(deps): update module github.com/containers/storage to v1.56.0
+  * tests: skip two ulimit tests
+  * CI VMs: bump f40 -> f41
+  * tests/tools: rebuild tools when we change versions
+  * tests/tools: update golangci-lint to v1.61.0
+  * fix(deps): update module github.com/moby/buildkit to v0.17.0
+  * Handle RUN --mount with relative targets and no configured workdir
+  * tests: bud: make parallel-safe
+  * fix(deps): update module github.com/opencontainers/runc to v1.2.1
+  * fix(deps): update golang.org/x/exp digest to f66d83c
+  * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a
+  * tests: blobcache: use unique image name
+  * tests: sbom: never write to cwd
+  * tests: mkcw: bug fixes, refactor
+  * deps: bump runc to v1.2.0
+  * deps: switch to moby/sys/userns
+  * tests/test_runner.sh: remove some redundancies
+  * Integration tests: run git daemon on a random-but-bind()able port
+  * fix(deps): update module github.com/opencontainers/selinux to v1.11.1
+  * go.mod: remove unnecessary replace
+  * Document more buildah build --secret options
+  * Add support for COPY --exclude and ADD --exclude options
+  * fix(deps): update github.com/containers/luksy digest to e2530d6
+  * chore(deps): update dependency containers/automation_images to v20241010
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4
+  * Properly validate cache IDs and sources
+  * [skip-ci] Packit: constrain koji job to fedora package to avoid dupes
+  * Audit and tidy OWNERS
+  * fix(deps): update module golang.org/x/crypto to v0.28.0
+  * tests: add quotes to names
+  * vendor: update c/common to latest
+  * CVE-2024-9407: validate "bind-propagation" flag settings
+  * vendor: switch to moby/sys/capability
+  * Don't set ambient capabilities
+  * Document that zstd:chunked is downgraded to zstd when encrypting
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3
+  * buildah-manifest-create.1: Fix manpage section
+  * chore(deps): update dependency ubuntu to v24
+  * Make `buildah manifest push --all` true by default
+  * chroot: add newlines at the end of printed error messages
+  * Do not error on trying to write IMA xattr as rootless
+  * fix: remove duplicate conditions
+  * fix(deps): update module github.com/moby/buildkit to v0.16.0
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2
+  * Document how entrypoint is configured in buildah config
+  * In a container, try to register binfmt_misc
+  * imagebuildah.StageExecutor: clean up volumes/volumeCache
+  * build: fall back to parsing a TARGETPLATFORM build-arg
+  * `manifest add --artifact`: handle multiple values
+  * Packit: split out ELN jobs and reuse fedora downstream targets
+  * Packit: Enable sidetags for bodhi updates
+  * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible
+  * tests/bud.bats: add git source
+  * add: add support for git source
+  * Add support for the new c/common pasta options
+  * vendor latest c/common
+  * fix(deps): update module golang.org/x/term to v0.24.0
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0
+  * packit: update fedora and epel targets
+  * cirrus: disable f39 testing
+  * cirrus: fix fedora names
+  * update to go 1.22
+  * Vendor c/common:9d025e4cb348
+  * copier: handle globbing with "**" path components
+  * fix(deps): update golang.org/x/exp digest to 9b4947d
+  * fix(deps): update github.com/containers/luksy digest to 2e7307c
+  * imagebuildah: make scratch config handling toggleable
+  * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible
+  * Add a validation script for Makefile $(SOURCES)
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.15
+  * New VMs
+  * Update some godocs, use 0o to prefix an octal in a comment
+  * buildah-build.1.md: expand the --layer-label description
+  * fix(deps): update module github.com/containers/common to v0.60.2
+  * stage_executor: set avoidLookingCache only if mounting stage
+  * imagebuildah: additionalContext is not a local built stage
+  * run: fix a nil pointer dereference on FreeBSD
+  * CI: enable the whitespace linter
+  * Fix some govet linter warnings
+  * Commit(): retry committing to local storage on storage.LayerUnknown
+  * CI: enable the gofumpt linter
+  * conformance: move weirdly-named files out of the repository
+  * fix(deps): update module github.com/docker/docker to v27.1.2+incompatible
+  * fix(deps): update module github.com/containers/common to v0.60.1
+  * *: use gofmt -s, add gofmt linter
+  * *: fix build tags
+  * fix(deps): update module github.com/containers/image/v5 to v5.32.1
+  * Add(): re-escape any globbed items that included escapes
+  * conformance tests: use mirror.gcr.io for most images
+  * unit tests: use test-specific policy.json and registries.conf
+  * fix(deps): update module golang.org/x/sys to v0.24.0
+  * Update to spun-out "github.com/containerd/platforms"
+  * Bump github.com/containerd/containerd
+  * test/tools/Makefile: duplicate the vendor-in-container target
+  * linters: unchecked error
+  * linters: don't end loop iterations with "else" when "then" would
+  * linters: unused arguments shouldn't have names
+  * linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5()
+  * linters: don't name variables "cap"
+  * `make lint`: use --timeout instead of --deadline
+  * Drop the e2e test suite
+  * fix(deps): update module golang.org/x/crypto to v0.26.0
+  * fix(deps): update module github.com/onsi/gomega to v1.34.1
+  * `make vendor-in-container`: use the caller's Go cache if it exists
+  * fix(deps): fix test/tools ginkgo typo
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1
+  * Update to keep up with API changes in storage
+  * fix(deps): update github.com/containers/luksy digest to 1f482a9
+  * install: On Debian/Ubuntu, add installation of libbtrfs-dev
+  * fix(deps): update module golang.org/x/sys to v0.23.0
+  * fix(deps): update golang.org/x/exp digest to 8a7402a
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
+  * Use Epoch: 2 and respect the epoch in dependencies.
+  * Bump to Buildah v1.38.0-dev
+  * Buildah v1.37.0
+  * Bump c/storage, c/image, c/common for v1.37.0
+  * AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
+  * Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
+  * integration tests: teach starthttpd() about TLS and pid files
+  * "build with basename resolving user arg" tests: correct ARG use
+  * bud-multiple-platform-no-run test: correct ARG use
+  * imagebuildah: always have default values for $TARGET... args ready
+  * bump github.com/openshift/imagebuilder to v1.2.14
+  * fix(deps): update module github.com/docker/docker to v27.1.1+incompatible
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1
+  * fix(deps): update module github.com/docker/docker to v27.1.0+incompatible
+  * CI: use local registry, part 2 of 2
+  * CI: use local registry, part 1 of 2
+  * fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.1
+  * Revert "fix(deps): update github.com/containers/image/v5 to v5.31.1"
+  * Replace libimage.LookupReferenceFunc with the manifests version
+  * conformance tests: enable testing CompatVolumes
+  * conformance tests: add a test that tries to chown a volume
+  * imagebuildah: make traditional volume handling not the default
+  * StageExecutor.prepare(): mark base image volumes for preservation
+  * fix(deps): update module github.com/containers/image/v5 to v5.31.1
+  * Vendor in latest containers/(common, storage, image)
+  * fix(deps): update module golang.org/x/term to v0.22.0
+  * fix(deps): update module golang.org/x/sys to v0.22.0
+  * fix(deps): update golang.org/x/exp digest to 7f521ea
+  * fix(deps): update github.com/containers/luksy digest to a8846e2
+  * imagebuildah.StageExecutor.Copy(): reject new flags for now
+  * bump github.com/openshift/imagebuilder to v1.2.11
+  * Rework parsing of --pull flags
+  * fix(deps): update module github.com/containers/image/v5 to v5.31.1
+  * imagebuildah.StageExecutor.prepare(): log the --platform flag
+  * CI VMs: bump
+  * buildah copy: preserve owner info with --from= a container or image
+  * conformance tests: enable testing CompatSetParent
+  * containerImageRef.NewImageSource(): move the FROM comment to first
+  * commit: set "parent" for docker format only when requested
+  * Update godoc for Builder.EnsureContainerPathAs
+  * fix(deps): update module github.com/spf13/cobra to v1.8.1
+  * fix(deps): update module github.com/containernetworking/cni to v1.2.0
+  * fix(deps): update module github.com/opencontainers/runc to v1.1.13
+  * Change default for podman build to --pull missing
+  * fix(deps): update module github.com/containers/common to v0.59.1
+  * Clarify definition of --pull options
+  * buildah: fix a nil pointer reference on FreeBSD
+  * Use /var/tmp for $TMPDIR for vfs conformance jobs
+  * Cirrus: run `df` during job setup
+  * conformance: use quay.io/libpod/centos:7 instead of centos:8
+  * Stop setting "parent" in docker format
+  * conformance: check if workdir trims path separator suffixes
+  * push integration test: pass password to docker login via stdin
+  * Re-enable the "copy with chown" conformance test
+  * healthcheck: Add support for `--start-interval`
+  * fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
+  * fix(deps): update module github.com/containerd/containerd to v1.7.18
+  * tests: set _CONTAINERS_USERNS_CONFIGURED=done for libnetwork
+  * Cross-build on Fedora
+  * Drop copyStringSlice() and copyStringStringMap()
+  * fix(deps): update module golang.org/x/crypto to v0.24.0
+  * fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
+  * Provide an uptime_netbsd.go
+  * Spell unix as "!windows"
+  * Add netbsd to lists-of-OSes
+  * fix(deps): update golang.org/x/exp digest to fd00a4e
+  * [skip-ci] Packit: enable c10s downstream sync
+  * CI VMs: bump, to debian with cgroups v2
+  * Document when BlobDirectory is overridden
+  * fix secret mounts for env vars when using chroot isolation
+  * Change to take a types.ImageReference arg
+  * imagebuildah: Support custom image reference lookup for cache push/pull
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
+  * Bump to v1.37.0-dev
+  * Bump to v1.36.0
+  * build: be more selective about specifying the default OS
+  * Bump to c/common v0.59.0
+  * Fix buildah prune --help showing the same example twice
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0
+  * fix(deps): update module github.com/containers/image/v5 to v5.31.0
+  * CI: Clarify Debian use for conformance tests
+  * bud tests: fix breakage when vendoring into podman
+  * Integration tests: fake up a replacement for nixery.dev/shell
+  * copierWithSubprocess(): try to capture stderr on io.ErrClosedPipe
+  * Don't expand RUN heredocs ourselves, let the shell do it
+  * Don't leak temp files on failures
+  * Add release note template to split dependency chores
+  * fix CentOS/RHEL build - no BATS there
+  * fix(deps): update module github.com/containers/luksy to v0.0.0-20240506205542-84b50f50f3ee
+  * Address CVE-2024-3727
+  * chore(deps): update module github.com/opencontainers/runtime-spec to v1.2.0
+  * Builder.cdiSetupDevicesInSpecdefConfig(): use configured CDI dirs
+  * Setting --arch should set the TARGETARCH build arg
+  * fix(deps): update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f
+  * [CI:DOCS] Add link to Buildah image page to README.md
+  * Don't set GOTOOLCHAIN=local
+  * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.2.5
+  * Makefile: set GOTOOLCHAIN=local
+  * Integration tests: switch some base images
+  * containerImageRef.NewImageSource: merge the tar filters
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.2
+  * fix(deps): update module github.com/containers/luksy to v0.0.0-20240408185936-afd8e7619947
+  * Disable packit builds for centos-stream+epel-next-8
+  * Makefile: add missing files to $(SOURCES)
+  * CI VMs: bump to new versions with tmpfs /tmp
+  * chore(deps): update module golang.org/x/net to v0.23.0 [security]
+  * integration test: handle new labels in "bud and test --unsetlabel"
+  * Switch packit configuration to use epel-9-$arch ...
+  * Give unit tests a bit more time
+  * Integration tests: remove a couple of duplicated tests
+  * Integration tests: whitespace tweaks
+  * Integration tests: don't remove images at start or end of test
+  * Integration tests: use cached images more
+  * Integration tests _prefetch: use registry configs
+  * internal: use fileutils.(Le|E)xists
+  * pkg/parse: use fileutils.(Le|E)xists
+  * buildah: use fileutils.(Le|E)xists
+  * chroot: use fileutils.(Le|E)xists
+  * vendor: update containers/(common|storage)
+  * Fix issue/pr lock workflow
+  * [CI:DOCS] Add golang 1.21 update warning
+  * heredoc: honor inline COPY irrespective of ignorefiles
+  * Update install.md
+  * source-push: add support for --digestfile
+  * Fix caching when mounting a cached stage with COPY/ADD
+  * fix(deps): update github.com/containers/luksy digest to 3d2cf0e
+  * Makefile: softcode `strip`, use it from env var
+  * Man page updates
+  * Add support for passing CDI specs to --device
+  * Update comments on some API objects
+  * pkg/parse.DeviceFromPath(): dereference src symlinks
+  * Makefile - instead of calling `as` directly, use it from env var
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1
+  * CI: bump VMs
+  * fix(deps): update module github.com/docker/docker to v25.0.5+incompatible
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.0
+  * Change RUN to comment in bud.bats
+  * Stop rebasing renovate PRs automatically
+  * Update renovate validation image
+  * CVE-2024-1753 container escape fix
+  * correctly configure /etc/hosts and resolv.conf when using network
+  * buildah: refactor resolv/hosts setup.
+  * rename the hostFile var to reflect the value better
+  * vendor latest c/common
+  * [skip-ci] rpm: use go-rpm-macros supported vendoring
+  * Update docs/buildah-add.1.md
+  * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.16.0
+  * fix(deps): update module github.com/docker/docker to v25.0.4+incompatible
+  * fix(deps): update module github.com/containers/ocicrypt to v1.1.10
+  * chore(deps): update module gopkg.in/go-jose/go-jose.v2 to v2.6.3 [security]
+  * chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security]
+  * Bump google.golang.org/protobuf to v1.33.0
+  * fix links to containerignore doc
+  * [skip-ci] Makefile: update rpm target
+  * pr-should-include-tests: use GitHub label, not commit text
+  * tests: enable pasta tests
+  * [CI:DOCS] Migrate buildah container image
+  * Update .gitignore
+  * Bump to v1.36.0-dev
+
 -------------------------------------------------------------------
 Thu Jun 12 07:43:39 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
 

buildah.spec

@@ -19,7 +19,7 @@
 
 %define project github.com/containers/buildah
 Name:           buildah
-Version:        1.39.4
+Version:        1.39.5
 Release:        0
 Summary:        Tool for building OCI containers
 License:        Apache-2.0
@@ -29,6 +29,8 @@ Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}-rpmlintrc
 Patch0:         0001-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
 Patch1:         0002-run-handle-relabeling-bind-mounts-ourselves.patch
+Patch2:         0003-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+Patch3:         0004-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes