From 70eb24019154e39ccf2fd6e041c4017d5c77159cf94eff5529bd0292afb01b95 Mon Sep 17 00:00:00 2001
From: Danish Prakash
Date: Mon, 7 Oct 2024 08:40:42 +0000
Subject: [PATCH 1/5] Load ip6_tables
OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=64
---
 podman.changes | 5 +++++
 podman.conf | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/podman.changes b/podman.changes
index 8f7ebc8..b945836 100644
--- a/podman.changes
+++ b/podman.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 4 08:27:53 UTC 2024 - Alexandre Vicenzi
+
+- Load ip6_tables kernel module, required for IPv6 networks (bsc#1214612)
+
 -------------------------------------------------------------------
 Tue Sep 24 17:07:25 UTC 2024 - opensuse_buildservice@ojkastl.de
diff --git a/podman.conf b/podman.conf
index 5efd4d7..b11d02a 100644
--- a/podman.conf
+++ b/podman.conf
@@ -1,2 +1,5 @@
 # Load br_netfilter module at boot
 br_netfilter
+# ip6_tables module is required if netavark is using iptables on an ipv6
+# network, which is currently the default in Tumbleweed
+ip6_tables
From 7e9687f604a22a092715630c49b88c7a0d92c4ea15eebce77e34d1d665263e92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 7 Oct 2024 09:36:51 +0000
Subject: [PATCH 2/5] OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=65
---
 _history | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 _history
diff --git a/_history b/_history
new file mode 100644
index 0000000..473a0f4
From 1bcb1e1cee1feb7fbeb7fa50838716a836f73144986c7e415c03055d3d5a243b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 7 Oct 2024 09:37:42 +0000
Subject: [PATCH 3/5] OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=66
---
 _history | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 _history
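Review bot: The comment above the new `ip6_tables` line explains the module only for the iptables case and leaves the reader guessing what happens on hosts that do not match it. If netavark is configured with the nftables firewall driver the module is simply unused, on a kernel with ip6_tables built in the load is a no-op, and on a kernel built without it the loader that consumes this file (systemd-modules-load, judging by the existing `# Load br_netfilter module at boot` comment) will log a failure at every boot. I would extend the comment with `# Not needed with the nftables firewall driver; a missing module only logs an error at boot`, and add one line stating what actually fails without it, since the changelog only says it is "required for IPv6 networks" (bsc#1214612).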
diff --git a/_history b/_history
deleted file mode 100644
index 473a0f4..0000000
From 39658542b23d8e606d01e22273b6a54a84f8613553de5bd859b83a6e0f97f607 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 7 Oct 2024 10:01:04 +0000
Subject: [PATCH 4/5] Add patch for CVE-2024-9341 (bsc#1231230)
OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=67
---
 ...Update-c-common-to-fix-CVE-2024-9341.patch | 95 +++++++++++++++++++
 podman.changes | 6 ++
 podman.spec | 1 +
 3 files changed, 102 insertions(+)
 create mode 100644 0001-Update-c-common-to-fix-CVE-2024-9341.patch
diff --git a/0001-Update-c-common-to-fix-CVE-2024-9341.patch b/0001-Update-c-common-to-fix-CVE-2024-9341.patch
new file mode 100644
index 0000000..663400e
--- /dev/null
+++ b/0001-Update-c-common-to-fix-CVE-2024-9341.patch
@@ -0,0 +1,95 @@
+From 16ef9d253fe1ec94162178557bdc36a1e634678f Mon Sep 17 00:00:00 2001
+From: Danish Prakash
+Date: Fri, 4 Oct 2024 13:42:48 +0530
+Subject: [PATCH] Update c/common to fix CVE-2024-9341
+
+Fixes CVE-2024-9341
+
+Signed-off-by: Paul Holzinger
+Signed-off-by: Danish Prakash
+---
+ go.mod | 2 +-
+ go.sum | 4 ++--
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ vendor/github.com/containers/common/version/version.go | 2 +-
+ vendor/modules.txt | 2 +-
+ 5 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index f3820edd0372..d53d70bb0ebb 100644
+--- a/go.mod
++++ b/go.mod
+@@ -13,7 +13,7 @@ require (
+ github.com/checkpoint-restore/go-criu/v7 v7.1.0
+ github.com/containernetworking/plugins v1.5.1
+ github.com/containers/buildah v1.37.3
+- github.com/containers/common v0.60.3
++ github.com/containers/common v0.60.4
+ github.com/containers/conmon v2.0.20+incompatible
+ github.com/containers/gvisor-tap-vsock v0.7.4
+ github.com/containers/image/v5 v5.32.2
+diff --git a/go.sum b/go.sum
+index 4b83f1c8ff6a..67b58d680563 100644
+--- a/go.sum
++++ b/go.sum
+@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
+ github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
+ github.com/containers/buildah v1.37.3 h1:nSmbdBqaRMjvTtwVuOKZGT2jefaUKsZXbgpH9b4HzIs=
+ github.com/containers/buildah v1.37.3/go.mod h1:alFCM3X0xfhE6ZjsFQkUlOMyKzOnbv9FL9fe1Ho48PA=
+-github.com/containers/common v0.60.3 h1:pToT7gtFx/KWyMtWw98g4pIbW54i9KfGH2QrdN2s1io=
+-github.com/containers/common v0.60.3/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
++github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0=
++github.com/containers/common v0.60.4/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
+ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
+ github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
+ github.com/containers/gvisor-tap-vsock v0.7.4 h1:iOtr/KEi+r599OOx1+9Qbss91jD5yxh1HO35MKTdths=
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index ded66365bb47..a6538ffb9082 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -11,6 +11,7 @@ import (
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/fileutils"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
+ if err := fileutils.Exists(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index 3703dc8d93fb..8f30e4688179 100644
+--- a/vendor/github.com/containers/common/version/version.go
++++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+
+ // Version is the version of the build.
+-const Version = "0.60.3"
++const Version = "0.60.4"
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index dd7c7b81638b..b9ab6aeaf263 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -170,7 +170,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.60.3
++# github.com/containers/common v0.60.4
+ ## explicit; go 1.21.0
+ github.com/containers/common/internal
+ github.com/containers/common/internal/attributedstring
+--
+2.46.0
+
diff --git a/podman.changes b/podman.changes
index b945836..04183d5 100644
--- a/podman.changes
+++ b/podman.changes
@@ -3,6 +3,12 @@ Fri Oct 4 08:27:53 UTC 2024 - Alexandre Vicenzi
 - Load ip6_tables kernel module, required for IPv6 networks (bsc#1214612)
+-------------------------------------------------------------------
+Fri Oct 4 08:15:58 UTC 2024 - Danish Prakash
+
+- Add patch for CVE-2024-9341 (bsc#1231230):
+ * 0001-Update-c-common-to-fix-CVE-2024-9341.patch
+
 -------------------------------------------------------------------
 Tue Sep 24 17:07:25 UTC 2024 - opensuse_buildservice@ojkastl.de
diff --git a/podman.spec b/podman.spec
index 7face65..f7ec55b 100644
--- a/podman.spec
+++ b/podman.spec
@@ -30,6 +30,7 @@ Group: System/Management
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.gz
 Source1: podman.conf
+Patch0: 0001-Update-c-common-to-fix-CVE-2024-9341.patch
 BuildRequires: man
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
From a7b22dc3e357987511505f17a3d9bfb6f0d195fcc615f384ac6265ff9c53dc62 Mon Sep 17 00:00:00 2001
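Review bot: The `securejoin.SecureJoin(mountPoint, srcBackendDir)` call in the patched addFIPSModeSubscription resolves the in-container path once and then hands the resulting string to `fileutils.Exists(srcOnHost)` and, presumably, to whatever mounts or copies it further down; SecureJoin's own godoc notes that its guarantee only holds if no component of the returned path is swapped for a symlink after it returns, so a rootfs that is concurrently writable by an untrusted party can still race this resolve-then-use sequence. That is a clear improvement over the old `filepath.Join`, which let a symlink inside the image point anywhere on the host, but the residual window deserves a comment at the call site, e.g. `// SecureJoin confines the resolved path to mountPoint; it does not protect against the rootfs being changed between resolution and use.` If the vendored filepath-securejoin is v0.3 or newer, its `OpenInRoot` variant returns a handle rather than a path and closes that window; the securejoin version is not visible in this patch. The remainder of addFIPSModeSubscription, including the consumer of srcOnHost, lies outside the hunk.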
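Review bot: The new `Patch0:` line only declares the patch; whether it is applied depends on the `%prep` section, which is outside this hunk, using `%autosetup -p1` or an explicit `%patch0 -p1`. The patch touches paths such as `vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go` with `a/`/`b/` prefixes, so a `-p1` strip is required and any other strip level should make rpmbuild fail rather than silently skip the CVE fix. Worth confirming the %prep invocation rather than judging from this hunk alone.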
From: Danish Prakash
Date: Tue, 8 Oct 2024 13:13:50 +0000
Subject: [PATCH 5/5] - Update to version 5.2.4: * Bump to v5.2.4 * Update release notes for v5.2.4 * Validate the bind-propagation option to `--mount` CVE-2024-9407 (bsc#1231208) * Bump Buildah to v1.37.4 * vendor: update c/common to v0.60.4 CVE-2024-9341 (bsc#1231230) * Bump to v5.2.4-dev - Removed patch: * 0001-Update-c-common-to-fix-CVE-2024-9341.patch (merged upstream)
OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=68
---
 ...Update-c-common-to-fix-CVE-2024-9341.patch | 95 -------------------
 _service | 2 +-
 _servicedata | 2 +-
 podman-5.2.3.obscpio | 3 -
 podman-5.2.4.obscpio | 3 +
 podman.changes | 13 +++
 podman.obsinfo | 6 +-
 podman.spec | 3 +-
 8 files changed, 22 insertions(+), 105 deletions(-)
 delete mode 100644 0001-Update-c-common-to-fix-CVE-2024-9341.patch
 delete mode 100644 podman-5.2.3.obscpio
 create mode 100644 podman-5.2.4.obscpio
diff --git a/0001-Update-c-common-to-fix-CVE-2024-9341.patch b/0001-Update-c-common-to-fix-CVE-2024-9341.patch
deleted file mode 100644
index 663400e..0000000
--- a/0001-Update-c-common-to-fix-CVE-2024-9341.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 16ef9d253fe1ec94162178557bdc36a1e634678f Mon Sep 17 00:00:00 2001
-From: Danish Prakash
-Date: Fri, 4 Oct 2024 13:42:48 +0530
-Subject: [PATCH] Update c/common to fix CVE-2024-9341
-
-Fixes CVE-2024-9341
-
-Signed-off-by: Paul Holzinger
-Signed-off-by: Danish Prakash
----
- go.mod | 2 +-
- go.sum | 4 ++--
- .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
- vendor/github.com/containers/common/version/version.go | 2 +-
- vendor/modules.txt | 2 +-
- 5 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/go.mod b/go.mod
-index f3820edd0372..d53d70bb0ebb 100644
---- a/go.mod
-+++ b/go.mod
-@@ -13,7 +13,7 @@ require (
- github.com/checkpoint-restore/go-criu/v7 v7.1.0
- github.com/containernetworking/plugins v1.5.1
- github.com/containers/buildah v1.37.3
-- github.com/containers/common v0.60.3
-+ github.com/containers/common v0.60.4
- github.com/containers/conmon v2.0.20+incompatible
- github.com/containers/gvisor-tap-vsock v0.7.4
- github.com/containers/image/v5 v5.32.2
-diff --git a/go.sum b/go.sum
-index 4b83f1c8ff6a..67b58d680563 100644
---- a/go.sum
-+++ b/go.sum
-@@ -79,8 +79,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
- github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
- github.com/containers/buildah v1.37.3 h1:nSmbdBqaRMjvTtwVuOKZGT2jefaUKsZXbgpH9b4HzIs=
- github.com/containers/buildah v1.37.3/go.mod h1:alFCM3X0xfhE6ZjsFQkUlOMyKzOnbv9FL9fe1Ho48PA=
--github.com/containers/common v0.60.3 h1:pToT7gtFx/KWyMtWw98g4pIbW54i9KfGH2QrdN2s1io=
--github.com/containers/common v0.60.3/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
-+github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0=
-+github.com/containers/common v0.60.4/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
- github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
- github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
- github.com/containers/gvisor-tap-vsock v0.7.4 h1:iOtr/KEi+r599OOx1+9Qbss91jD5yxh1HO35MKTdths=
-diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
-index ded66365bb47..a6538ffb9082 100644
---- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
-+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
-@@ -11,6 +11,7 @@ import (
- "github.com/containers/common/pkg/umask"
- "github.com/containers/storage/pkg/fileutils"
- "github.com/containers/storage/pkg/idtools"
-+ securejoin "github.com/cyphar/filepath-securejoin"
- rspec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/selinux/go-selinux/label"
- "github.com/sirupsen/logrus"
-@@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
-
- srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
- destDir := "/etc/crypto-policies/back-ends"
-- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
-+ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
-+ if err != nil {
-+ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
-+ }
- if err := fileutils.Exists(srcOnHost); err != nil {
- if errors.Is(err, os.ErrNotExist) {
- return nil
-diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
-index 3703dc8d93fb..8f30e4688179 100644
---- a/vendor/github.com/containers/common/version/version.go
-+++ b/vendor/github.com/containers/common/version/version.go
-@@ -1,4 +1,4 @@
- package version
-
- // Version is the version of the build.
--const Version = "0.60.3"
-+const Version = "0.60.4"
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index dd7c7b81638b..b9ab6aeaf263 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -170,7 +170,7 @@ github.com/containers/buildah/pkg/sshagent
- github.com/containers/buildah/pkg/util
- github.com/containers/buildah/pkg/volumes
- github.com/containers/buildah/util
--# github.com/containers/common v0.60.3
-+# github.com/containers/common v0.60.4
- ## explicit; go 1.21.0
- github.com/containers/common/internal
- github.com/containers/common/internal/attributedstring
---
-2.46.0
-
diff --git a/_service b/_service
index affd502..56dda9c 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
https://github.com/containers/podman.git git - v5.2.3 + v5.2.4 @PARENT_TAG@ enable v(.*)
diff --git a/_servicedata b/_servicedata
index 94ddce5..ad6d686 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://github.com/containers/podman.git - c5366a308e89edd9636b66faf79bd5cb18ed0905 \ No newline at end of file + 76d0859d9f6e5d7c84392da9dcd2fae3447f789d \ No newline at end of file
diff --git a/podman-5.2.3.obscpio b/podman-5.2.3.obscpio
deleted file mode 100644
index 3b35cf3..0000000
--- a/podman-5.2.3.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:68afd310737244fa8a86cd852d5eb047c529b0b666b7e3e3a04dafe5b07bb4dd
-size 109700110
diff --git a/podman-5.2.4.obscpio b/podman-5.2.4.obscpio
new file mode 100644
index 0000000..ebbbe97
--- /dev/null
+++ b/podman-5.2.4.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d98c93f568b31cecc530b86cfd0078fb290f72ec0ab61649b63ca4407173a809
+size 109701646
diff --git a/podman.changes b/podman.changes
index 04183d5..e77ac40 100644
--- a/podman.changes
+++ b/podman.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Oct 08 07:05:58 UTC 2024 - madhankumar.chellamuthu@suse.com
+
+- Update to version 5.2.4:
+ * Bump to v5.2.4
+ * Update release notes for v5.2.4
+ * Validate the bind-propagation option to `--mount` CVE-2024-9407 (bsc#1231208)
+ * Bump Buildah to v1.37.4
+ * vendor: update c/common to v0.60.4 CVE-2024-9341 (bsc#1231230)
+ * Bump to v5.2.4-dev
+- Removed patch:
+ * 0001-Update-c-common-to-fix-CVE-2024-9341.patch (merged upstream)
+
 -------------------------------------------------------------------
 Fri Oct 4 08:27:53 UTC 2024 - Alexandre Vicenzi
diff --git a/podman.obsinfo b/podman.obsinfo
index c3913b4..9b53158 100644
--- a/podman.obsinfo
+++ b/podman.obsinfo
@@ -1,4 +1,4 @@
 name: podman
-version: 5.2.3
-mtime: 1727187376
-commit: c5366a308e89edd9636b66faf79bd5cb18ed0905
+version: 5.2.4
+mtime: 1728308549
+commit: 76d0859d9f6e5d7c84392da9dcd2fae3447f789d
diff --git a/podman.spec b/podman.spec
index f7ec55b..ffc9d34 100644
--- a/podman.spec
+++ b/podman.spec
@@ -22,7 +22,7 @@
 %bcond_without apparmor
 Name: podman
-Version: 5.2.3
+Version: 5.2.4
 Release: 0
 Summary: Daemon-less container engine for managing containers, pods and images
 License: Apache-2.0
@@ -30,7 +30,6 @@ Group: System/Management
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.gz
 Source1: podman.conf
-Patch0: 0001-Update-c-common-to-fix-CVE-2024-9341.patch
 BuildRequires: man
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel