diff --git a/0001-Update-c-common-to-fix-CVE-2024-9341.patch b/0001-Update-c-common-to-fix-CVE-2024-9341.patch
new file mode 100644
index 0000000..663400e
--- /dev/null
+++ b/0001-Update-c-common-to-fix-CVE-2024-9341.patch
@@ -0,0 +1,95 @@
+From 16ef9d253fe1ec94162178557bdc36a1e634678f Mon Sep 17 00:00:00 2001
+From: Danish Prakash
+Date: Fri, 4 Oct 2024 13:42:48 +0530
+Subject: [PATCH] Update c/common to fix CVE-2024-9341
+
+Fixes CVE-2024-9341
+
+Signed-off-by: Paul Holzinger
+Signed-off-by: Danish Prakash
+---
+ go.mod | 2 +-
+ go.sum | 4 ++--
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ vendor/github.com/containers/common/version/version.go | 2 +-
+ vendor/modules.txt | 2 +-
+ 5 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index f3820edd0372..d53d70bb0ebb 100644
+--- a/go.mod
++++ b/go.mod
+@@ -13,7 +13,7 @@ require (
+ github.com/checkpoint-restore/go-criu/v7 v7.1.0
+ github.com/containernetworking/plugins v1.5.1
+ github.com/containers/buildah v1.37.3
+- github.com/containers/common v0.60.3
++ github.com/containers/common v0.60.4
+ github.com/containers/conmon v2.0.20+incompatible
+ github.com/containers/gvisor-tap-vsock v0.7.4
+ github.com/containers/image/v5 v5.32.2
+diff --git a/go.sum b/go.sum
+index 4b83f1c8ff6a..67b58d680563 100644
+--- a/go.sum
++++ b/go.sum
+@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
+ github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
+ github.com/containers/buildah v1.37.3 h1:nSmbdBqaRMjvTtwVuOKZGT2jefaUKsZXbgpH9b4HzIs=
+ github.com/containers/buildah v1.37.3/go.mod h1:alFCM3X0xfhE6ZjsFQkUlOMyKzOnbv9FL9fe1Ho48PA=
+-github.com/containers/common v0.60.3 h1:pToT7gtFx/KWyMtWw98g4pIbW54i9KfGH2QrdN2s1io=
+-github.com/containers/common v0.60.3/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
++github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0=
++github.com/containers/common v0.60.4/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
+ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
+ github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
+ github.com/containers/gvisor-tap-vsock v0.7.4 h1:iOtr/KEi+r599OOx1+9Qbss91jD5yxh1HO35MKTdths=
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index ded66365bb47..a6538ffb9082 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -11,6 +11,7 @@ import (
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/fileutils"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
+ if err := fileutils.Exists(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index 3703dc8d93fb..8f30e4688179 100644
+--- a/vendor/github.com/containers/common/version/version.go
++++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+ 
+ // Version is the version of the build.
+-const Version = "0.60.3"
++const Version = "0.60.4"
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index dd7c7b81638b..b9ab6aeaf263 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -170,7 +170,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.60.3
++# github.com/containers/common v0.60.4
+ ## explicit; go 1.21.0
+ github.com/containers/common/internal
+ github.com/containers/common/internal/attributedstring
+--
+2.46.0
+
diff --git a/podman.changes b/podman.changes
index b945836..04183d5 100644
--- a/podman.changes
+++ b/podman.changes
@@ -3,6 +3,12 @@ Fri Oct 4 08:27:53 UTC 2024 - Alexandre Vicenzi
 - Load ip6_tables kernel module, required for IPv6 networks (bsc#1214612)
+-------------------------------------------------------------------
+Fri Oct 4 08:15:58 UTC 2024 - Danish Prakash
+
+- Add patch for CVE-2024-9341 (bsc#1231230):
+ * 0001-Update-c-common-to-fix-CVE-2024-9341.patch
+
 -------------------------------------------------------------------
 Tue Sep 24 17:07:25 UTC 2024 - opensuse_buildservice@ojkastl.de
diff --git a/podman.spec b/podman.spec
index 7face65..f7ec55b 100644
--- a/podman.spec
+++ b/podman.spec
@@ -30,6 +30,7 @@ Group: System/Management
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.gz
 Source1: podman.conf
+Patch0: 0001-Update-c-common-to-fix-CVE-2024-9341.patch
 BuildRequires: man
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
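Review bot: In the subscriptions.go hunk carried by this patch, the new `srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)` brings `err` into the function's scope, and the next context line `if err := fileutils.Exists(srcOnHost); err != nil {` immediately shadows it with a second `:=`; it compiles, but shadow-aware linters will flag it and a reader has to work out which `err` the `errors.Is` branch inspects. Using `if err = fileutils.Exists(srcOnHost); err != nil {` avoids the shadow; addFIPSModeSubscription starts and ends outside the hunk, so check that no later `err :=` at the same scope now fails to compile because of the new declaration. Separately, the go.mod/go.sum bump to v0.60.4 replaces the module hash, but go.sum verifies the module zip rather than the vendor tree, and only subscriptions.go and version.go change under vendor/; if upstream v0.60.4 touched any other file, the vendored copy silently diverges from the version that vendor/modules.txt now declares, so it is worth confirming that `go mod vendor` against v0.60.4 leaves the tree unchanged.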
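Review bot: `Patch0:` is declared but nothing in this hunk applies it, and the %prep section is outside the diff; unless %prep uses `%autosetup -p1` (or `%autopatch`, or an explicit `%patch0 -p1`), the CVE-2024-9341 fix is never applied and the package still builds the unpatched vendored c/common v0.60.3 while the changelog claims otherwise. Confirming the %prep invocation, or checking that the built binary reports the vendored c/common version as 0.60.4 as the patch's version.go change intends, would close that gap.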