diff --git a/0001-Properly-validate-cache-IDs-and-sources.patch b/0001-Properly-validate-cache-IDs-and-sources.patch deleted file mode 100644 index cbc304e..0000000 --- a/0001-Properly-validate-cache-IDs-and-sources.patch +++ /dev/null @@ -1,68 +0,0 @@ -From fe456eed5ac0647250fa5249e663ddb236b2adfb Mon Sep 17 00:00:00 2001 -From: Danish Prakash -Date: Tue, 15 Oct 2024 22:14:55 +0530 -Subject: [PATCH 1/2] Properly validate cache IDs and sources - -The `--mount type=cache` argument to the `RUN` instruction in -Dockerfiles was using `filepath.Join` on user input, allowing -crafted paths to be used to gain access to paths on the host, -when the command should normally be limited only to Buildah;s own -cache and context directories. Switch to `filepath.SecureJoin` to -resolve the issue. - -Fixes CVE-2024-9675 - -Signed-off-by: Matt Heon -Signed-off-by: Danish Prakash ---- - .../buildah/internal/volumes/volumes.go | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go -index da6b768fdc21..610e9fcf11b2 100644 ---- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go -+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go -@@ -23,6 +23,7 @@ import ( - "github.com/containers/storage/pkg/idtools" - "github.com/containers/storage/pkg/lockfile" - "github.com/containers/storage/pkg/unshare" -+ digest "github.com/opencontainers/go-digest" - specs "github.com/opencontainers/runtime-spec/specs-go" - selinux "github.com/opencontainers/selinux/go-selinux" - ) -@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a - return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage) - } - // path should be /contextDir/specified path -- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source)) -+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{}) -+ if err != nil { -+ return newMount, nil, err -+ } -+ newMount.Source = evaluated - } else { - // we need to create cache on host if no image is being used - -@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a - } - - if id != "" { -- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id)) -- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id)) -+ // Don't let the user control where we place the directory. -+ dirID := digest.FromString(id).Encoded()[:16] -+ newMount.Source = filepath.Join(cacheParent, dirID) -+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) - } else { -- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination)) -- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination)) -+ // Don't let the user control where we place the directory. -+ dirID := digest.FromString(newMount.Destination).Encoded()[:16] -+ newMount.Source = filepath.Join(cacheParent, dirID) -+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) - } - idPair := idtools.IDPair{ - UID: uid, --- -2.46.0 - diff --git a/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch b/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch deleted file mode 100644 index 7a2285a..0000000 --- a/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch +++ /dev/null @@ -1,239 +0,0 @@ -From 006e1387eaf2791d7b9c730b135de9648003c7db Mon Sep 17 00:00:00 2001 -From: Danish Prakash -Date: Mon, 21 Oct 2024 11:33:43 +0530 -Subject: [PATCH 2/2] Use securejoin.SecureJoin when forming userns paths - -We need to read /etc/passwd and /etc/group in the container to -get an idea of how many UIDs and GIDs we need to allocate for a -user namespace when `--userns=auto` is specified. We were forming -paths for these using filepath.Join, which is not safe for paths -within a container, resulting in this CVE allowing crafted -symlinks in the container to access paths on the host instead. - -Addresses CVE-2024-9676 - -Signed-off-by: Matt Heon -Signed-off-by: Danish Prakash ---- - go.mod | 2 +- - go.sum | 4 +- - .../github.com/containers/storage/.cirrus.yml | 2 +- - vendor/github.com/containers/storage/VERSION | 2 +- - .../github.com/containers/storage/userns.go | 87 +++++++++++++------ - .../containers/storage/userns_unsupported.go | 14 +++ - vendor/modules.txt | 2 +- - 7 files changed, 80 insertions(+), 33 deletions(-) - create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go - -diff --git a/go.mod b/go.mod -index 02d1876148a4..8f049568e0b8 100644 ---- a/go.mod -+++ b/go.mod -@@ -20,7 +20,7 @@ require ( - github.com/containers/libhvee v0.7.1 - github.com/containers/ocicrypt v1.2.0 - github.com/containers/psgo v1.9.0 -- github.com/containers/storage v1.55.0 -+ github.com/containers/storage v1.55.1 - github.com/containers/winquit v1.1.0 - github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 - github.com/coreos/stream-metadata-go v0.4.4 -diff --git a/go.sum b/go.sum -index 60da92454ca2..66795b5b82ad 100644 ---- a/go.sum -+++ b/go.sum -@@ -97,8 +97,8 @@ github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sir - github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U= - github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g= - github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A= --github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg= --github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ= -+github.com/containers/storage v1.55.1 h1:ius7angdTqxO56hmTJnAznyEcUnYeLOV3ybwLozA/h8= -+github.com/containers/storage v1.55.1/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ= - github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE= - github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8= - github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= -diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml -index 50b98761694a..49a6e33b7014 100644 ---- a/vendor/github.com/containers/storage/.cirrus.yml -+++ b/vendor/github.com/containers/storage/.cirrus.yml -@@ -120,7 +120,7 @@ lint_task: - env: - CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage" - container: -- image: golang -+ image: golang:1.21 - modules_cache: - fingerprint_script: cat go.sum - folder: $GOPATH/pkg/mod -diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION -index 094d6ad00ce7..6570a6d0dd76 100644 ---- a/vendor/github.com/containers/storage/VERSION -+++ b/vendor/github.com/containers/storage/VERSION -@@ -1 +1 @@ --1.55.0 -+1.55.1 -diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go -index 57120731be57..09919394c026 100644 ---- a/vendor/github.com/containers/storage/userns.go -+++ b/vendor/github.com/containers/storage/userns.go -@@ -1,18 +1,21 @@ -+//go:build linux -+ - package storage - - import ( - "fmt" - "os" - "os/user" -- "path/filepath" - "strconv" - - drivers "github.com/containers/storage/drivers" - "github.com/containers/storage/pkg/idtools" - "github.com/containers/storage/pkg/unshare" - "github.com/containers/storage/types" -+ securejoin "github.com/cyphar/filepath-securejoin" - libcontainerUser "github.com/moby/sys/user" - "github.com/sirupsen/logrus" -+ "golang.org/x/sys/unix" - ) - - // getAdditionalSubIDs looks up the additional IDs configured for -@@ -85,40 +88,59 @@ const nobodyUser = 65534 - // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and - // /etc/group files. - func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 { -+ var ( -+ passwd *os.File -+ group *os.File -+ size int -+ err error -+ ) - if passwdFile == "" { -- passwdFile = filepath.Join(containerMount, "etc/passwd") -- } -- if groupFile == "" { -- groupFile = filepath.Join(groupFile, "etc/group") -+ passwd, err = secureOpen(containerMount, "/etc/passwd") -+ } else { -+ // User-specified override from a volume. Will not be in -+ // container root. -+ passwd, err = os.Open(passwdFile) - } -- -- size := 0 -- -- users, err := libcontainerUser.ParsePasswdFile(passwdFile) - if err == nil { -- for _, u := range users { -- // Skip the "nobody" user otherwise we end up with 65536 -- // ids with most images -- if u.Name == "nobody" { -- continue -- } -- if u.Uid > size && u.Uid != nobodyUser { -- size = u.Uid -- } -- if u.Gid > size && u.Gid != nobodyUser { -- size = u.Gid -+ defer passwd.Close() -+ -+ users, err := libcontainerUser.ParsePasswd(passwd) -+ if err == nil { -+ for _, u := range users { -+ // Skip the "nobody" user otherwise we end up with 65536 -+ // ids with most images -+ if u.Name == "nobody" || u.Name == "nogroup" { -+ continue -+ } -+ if u.Uid > size && u.Uid != nobodyUser { -+ size = u.Uid + 1 -+ } -+ if u.Gid > size && u.Gid != nobodyUser { -+ size = u.Gid + 1 -+ } - } - } - } - -- groups, err := libcontainerUser.ParseGroupFile(groupFile) -+ if groupFile == "" { -+ group, err = secureOpen(containerMount, "/etc/group") -+ } else { -+ // User-specified override from a volume. Will not be in -+ // container root. -+ group, err = os.Open(groupFile) -+ } - if err == nil { -- for _, g := range groups { -- if g.Name == "nobody" { -- continue -- } -- if g.Gid > size && g.Gid != nobodyUser { -- size = g.Gid -+ defer group.Close() -+ -+ groups, err := libcontainerUser.ParseGroup(group) -+ if err == nil { -+ for _, g := range groups { -+ if g.Name == "nobody" || g.Name == "nogroup" { -+ continue -+ } -+ if g.Gid > size && g.Gid != nobodyUser { -+ size = g.Gid + 1 -+ } - } - } - } -@@ -309,3 +331,14 @@ func getAutoUserNSIDMappings( - gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...) - return uidMap, gidMap, nil - } -+ -+// Securely open (read-only) a file in a container mount. -+func secureOpen(containerMount, file string) (*os.File, error) { -+ tmpFile, err := securejoin.OpenInRoot(containerMount, file) -+ if err != nil { -+ return nil, err -+ } -+ defer tmpFile.Close() -+ -+ return securejoin.Reopen(tmpFile, unix.O_RDONLY) -+} -diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go -new file mode 100644 -index 000000000000..e37c18fe4381 ---- /dev/null -+++ b/vendor/github.com/containers/storage/userns_unsupported.go -@@ -0,0 +1,14 @@ -+//go:build !linux -+ -+package storage -+ -+import ( -+ "errors" -+ -+ "github.com/containers/storage/pkg/idtools" -+ "github.com/containers/storage/types" -+) -+ -+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) { -+ return nil, nil, errors.New("user namespaces are not supported on this platform") -+} -diff --git a/vendor/modules.txt b/vendor/modules.txt -index 3d35b8be92d7..c0801a56b979 100644 ---- a/vendor/modules.txt -+++ b/vendor/modules.txt -@@ -354,7 +354,7 @@ github.com/containers/psgo/internal/dev - github.com/containers/psgo/internal/host - github.com/containers/psgo/internal/proc - github.com/containers/psgo/internal/process --# github.com/containers/storage v1.55.0 -+# github.com/containers/storage v1.55.1 - ## explicit; go 1.21 - github.com/containers/storage - github.com/containers/storage/drivers --- -2.46.0 - diff --git a/_service b/_service index 56dda9c..12e1784 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://github.com/containers/podman.git git - v5.2.4 + v5.2.5 @PARENT_TAG@ enable v(.*) diff --git a/_servicedata b/_servicedata index ad6d686..3c35085 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/containers/podman.git - 76d0859d9f6e5d7c84392da9dcd2fae3447f789d \ No newline at end of file + 10c5aa720d59480bc7edad347c1f5d5b75d4424f \ No newline at end of file diff --git a/podman-5.2.4.obscpio b/podman-5.2.4.obscpio deleted file mode 100644 index ebbbe97..0000000 --- a/podman-5.2.4.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d98c93f568b31cecc530b86cfd0078fb290f72ec0ab61649b63ca4407173a809 -size 109701646 diff --git a/podman-5.2.5.obscpio b/podman-5.2.5.obscpio new file mode 100644 index 0000000..844c7ae --- /dev/null +++ b/podman-5.2.5.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf70c5e307cda183ed60a3222bea20a5001779f804d65e8d8b508679dd9d9349 +size 109704718 diff --git a/podman.changes b/podman.changes index 1df25d1..496dd10 100644 --- a/podman.changes +++ b/podman.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Oct 24 07:57:00 UTC 2024 - madhankumar.chellamuthu@suse.com + +- Update to version 5.2.5: + * Bump to v5.2.5 + * Update release notes for 5.2.5 + * Bump c/storage to v1.55.1 CVE-2024-9675 (bsc#1231499) and Buildah to v1.37.5 CVE-2024-9676 (bsc#1231698) + * RPM: remove dup Provides + * Packit: constrain koji and bodhi jobs to fedora package to avoid dupes + * Bump to v5.2.5-dev +- Removed patches: + * 0001-Properly-validate-cache-IDs-and-sources.patch (merged upstream) + * 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch (merged upstream) + ------------------------------------------------------------------- Mon Oct 21 06:20:05 UTC 2024 - Danish Prakash diff --git a/podman.obsinfo b/podman.obsinfo index 9b53158..c040aeb 100644 --- a/podman.obsinfo +++ b/podman.obsinfo @@ -1,4 +1,4 @@ name: podman -version: 5.2.4 -mtime: 1728308549 -commit: 76d0859d9f6e5d7c84392da9dcd2fae3447f789d +version: 5.2.5 +mtime: 1729263108 +commit: 10c5aa720d59480bc7edad347c1f5d5b75d4424f diff --git a/podman.spec b/podman.spec index 74d649c..04c97ae 100644 --- a/podman.spec +++ b/podman.spec @@ -22,7 +22,7 @@ %bcond_without apparmor Name: podman -Version: 5.2.4 +Version: 5.2.5 Release: 0 Summary: Daemon-less container engine for managing containers, pods and images License: Apache-2.0 @@ -30,8 +30,6 @@ Group: System/Management URL: https://%{project} Source0: %{name}-%{version}.tar.gz Source1: podman.conf -Patch0: 0001-Properly-validate-cache-IDs-and-sources.patch -Patch1: 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch BuildRequires: man BuildRequires: bash-completion BuildRequires: device-mapper-devel