Add patch for CVE-2024-9341 (bsc#1231230)

OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=67
2024-10-07 10:01:04 +00:00 · 2024-10-07 10:01:04 +00:00 · 39658542b2
commit 39658542b2
parent 1bcb1e1cee
3 changed files with 102 additions and 0 deletions
--- a/0001-Update-c-common-to-fix-CVE-2024-9341.patch
+++ b/0001-Update-c-common-to-fix-CVE-2024-9341.patch
@ -0,0 +1,95 @@
+From 16ef9d253fe1ec94162178557bdc36a1e634678f Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Fri, 4 Oct 2024 13:42:48 +0530
+Subject: [PATCH] Update c/common to fix CVE-2024-9341
+
+Fixes CVE-2024-9341
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ go.mod                                                      | 2 +-
+ go.sum                                                      | 4 ++--
+ .../containers/common/pkg/subscriptions/subscriptions.go    | 6 +++++-
+ vendor/github.com/containers/common/version/version.go      | 2 +-
+ vendor/modules.txt                                          | 2 +-
+ 5 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index f3820edd0372..d53d70bb0ebb 100644
+--- a/go.mod
+++ b/go.mod
+@@ -13,7 +13,7 @@ require (
+ 	github.com/checkpoint-restore/go-criu/v7 v7.1.0
+ 	github.com/containernetworking/plugins v1.5.1
+ 	github.com/containers/buildah v1.37.3
+-	github.com/containers/common v0.60.3
+	github.com/containers/common v0.60.4
+ 	github.com/containers/conmon v2.0.20+incompatible
+ 	github.com/containers/gvisor-tap-vsock v0.7.4
+ 	github.com/containers/image/v5 v5.32.2
+diff --git a/go.sum b/go.sum
+index 4b83f1c8ff6a..67b58d680563 100644
+--- a/go.sum
+++ b/go.sum
+@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
+ github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
+ github.com/containers/buildah v1.37.3 h1:nSmbdBqaRMjvTtwVuOKZGT2jefaUKsZXbgpH9b4HzIs=
+ github.com/containers/buildah v1.37.3/go.mod h1:alFCM3X0xfhE6ZjsFQkUlOMyKzOnbv9FL9fe1Ho48PA=
+-github.com/containers/common v0.60.3 h1:pToT7gtFx/KWyMtWw98g4pIbW54i9KfGH2QrdN2s1io=
+-github.com/containers/common v0.60.3/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
+github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0=
+github.com/containers/common v0.60.4/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
+ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
+ github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
+ github.com/containers/gvisor-tap-vsock v0.7.4 h1:iOtr/KEi+r599OOx1+9Qbss91jD5yxh1HO35MKTdths=
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index ded66365bb47..a6538ffb9082 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -11,6 +11,7 @@ import (
+ 	"github.com/containers/common/pkg/umask"
+ 	"github.com/containers/storage/pkg/fileutils"
+ 	"github.com/containers/storage/pkg/idtools"
+	securejoin "github.com/cyphar/filepath-securejoin"
+ 	rspec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ 	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+	if err != nil {
+		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+	}
+ 	if err := fileutils.Exists(srcOnHost); err != nil {
+ 		if errors.Is(err, os.ErrNotExist) {
+ 			return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index 3703dc8d93fb..8f30e4688179 100644
+--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+ 
+ // Version is the version of the build.
+-const Version = "0.60.3"
+const Version = "0.60.4"
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index dd7c7b81638b..b9ab6aeaf263 100644
+--- a/vendor/modules.txt
+++ b/vendor/modules.txt
+@@ -170,7 +170,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.60.3
+# github.com/containers/common v0.60.4
+ ## explicit; go 1.21.0
+ github.com/containers/common/internal
+ github.com/containers/common/internal/attributedstring
+-- 
+2.46.0
+
--- a/podman.changes
+++ b/podman.changes
@ -3,6 +3,12 @@ Fri Oct  4 08:27:53 UTC 2024 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>

 - Load ip6_tables kernel module, required for IPv6 networks (bsc#1214612)

+-------------------------------------------------------------------
+Fri Oct  4 08:15:58 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2024-9341 (bsc#1231230):
+  * 0001-Update-c-common-to-fix-CVE-2024-9341.patch
+
 -------------------------------------------------------------------
 Tue Sep 24 17:07:25 UTC 2024 - opensuse_buildservice@ojkastl.de

--- a/podman.spec
+++ b/podman.spec
@ -30,6 +30,7 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
+Patch0:         0001-Update-c-common-to-fix-CVE-2024-9341.patch
 BuildRequires:  man
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel