Sync changes to SLFO-1.2 branch

2025-08-20 10:43:58 +02:00
11 changed files with 716 additions and 668 deletions
--- a/0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
+++ b/0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
@@ -0,0 +1,135 @@
+From 172170d06ef6c5ecbe19db448284a8c8c732ed15 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Thu, 13 Mar 2025 14:37:38 +0530
+Subject: [PATCH 1/3] CVE-2025-22869: ssh: limit the size of the internal
+ packet queue while waiting for KEX (#13)
+
+In the SSH protocol, clients and servers execute the key exchange to
+generate one-time session keys used for encryption and authentication.
+The key exchange is performed initially after the connection is
+established and then periodically after a configurable amount of data.
+While a key exchange is in progress, we add the received packets to an
+internal queue until we receive SSH_MSG_KEXINIT from the other side.
+This can result in high memory usage if the other party is slow to
+respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
+malicious client never responds to an SSH_MSG_KEXINIT packet during a
+large file transfer.
+We now limit the internal queue to 64 packets: this means 2MB with the
+typical 32KB packet size.
+When the internal queue is full we block further writes until the
+pending key exchange is completed or there is a read or write error.
+
+Thanks to Yuichi Watanabe for reporting this issue.
+
+Fixes: CVE-2025-22869
+Bugs: bsc#1239330
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+Co-authored-by: Nicola Murino <nicola.murino@gmail.com>
+---
+ vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 56cdc7c21c3b..a68d20f7f396 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -25,6 +25,11 @@ const debugHandshake = false
+ // quickly.
+ const chanSize = 16
+ 
+// maxPendingPackets sets the maximum number of packets to queue while waiting
+// for KEX to complete. This limits the total pending data to maxPendingPackets
+// * maxPacket bytes, which is ~16.8MB.
+const maxPendingPackets = 64
+
+ // keyingTransport is a packet based transport that supports key
+ // changes. It need not be thread-safe. It should pass through
+ // msgNewKeys in both directions.
+@@ -73,11 +78,19 @@ type handshakeTransport struct {
+ 	incoming  chan []byte
+ 	readError error
+ 
+-	mu               sync.Mutex
+-	writeError       error
+-	sentInitPacket   []byte
+-	sentInitMsg      *kexInitMsg
+-	pendingPackets   [][]byte // Used when a key exchange is in progress.
+	mu sync.Mutex
+	// Condition for the above mutex. It is used to notify a completed key
+	// exchange or a write failure. Writes can wait for this condition while a
+	// key exchange is in progress.
+	writeCond      *sync.Cond
+	writeError     error
+	sentInitPacket []byte
+	sentInitMsg    *kexInitMsg
+	// Used to queue writes when a key exchange is in progress. The length is
+	// limited by pendingPacketsSize. Once full, writes will block until the key
+	// exchange is completed or an error occurs. If not empty, it is emptied
+	// all at once when the key exchange is completed in kexLoop.
+	pendingPackets   [][]byte
+ 	writePacketsLeft uint32
+ 	writeBytesLeft   int64
+ 
+@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
+ 
+ 		config: config,
+ 	}
+	t.writeCond = sync.NewCond(&t.mu)
+ 	t.resetReadThresholds()
+ 	t.resetWriteThresholds()
+ 
+@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
+ 	defer t.mu.Unlock()
+ 	if t.writeError == nil && err != nil {
+ 		t.writeError = err
+		t.writeCond.Broadcast()
+ 	}
+ }
+ 
+@@ -362,6 +377,8 @@ write:
+ 			}
+ 		}
+ 		t.pendingPackets = t.pendingPackets[:0]
+		// Unblock writePacket if waiting for KEX.
+		t.writeCond.Broadcast()
+ 		t.mu.Unlock()
+ 	}
+ 
+@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 	}
+ 
+ 	if t.sentInitMsg != nil {
+-		// Copy the packet so the writer can reuse the buffer.
+-		cp := make([]byte, len(p))
+-		copy(cp, p)
+-		t.pendingPackets = append(t.pendingPackets, cp)
+-		return nil
+		if len(t.pendingPackets) < maxPendingPackets {
+			// Copy the packet so the writer can reuse the buffer.
+			cp := make([]byte, len(p))
+			copy(cp, p)
+			t.pendingPackets = append(t.pendingPackets, cp)
+			return nil
+		}
+		for t.sentInitMsg != nil {
+			// Block and wait for KEX to complete or an error.
+			t.writeCond.Wait()
+			if t.writeError != nil {
+				return t.writeError
+			}
+		}
+ 	}
+ 
+ 	if t.writeBytesLeft > 0 {
+@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 
+ 	if err := t.pushPacket(p); err != nil {
+ 		t.writeError = err
+		t.writeCond.Broadcast()
+ 	}
+ 
+ 	return nil
+-- 
+2.49.0
+
--- a/0001-remove-appending-rw-as-the-default-mount-option.patch
+++ b/0001-remove-appending-rw-as-the-default-mount-option.patch
@@ -1,26 +0,0 @@
-From 31a4b1040e04d711c6863f70561bde234f06f05a Mon Sep 17 00:00:00 2001
-From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
-Date: Mon, 28 Apr 2025 17:40:28 +0530
-Subject: [PATCH] remove appending rw as the default mount option
-
---
- pkg/util/mount_opts.go | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
-index c9a773093e..4e37fd74a0 100644
--- a/pkg/util/mount_opts.go
-+++ b/pkg/util/mount_opts.go
-@@ -191,9 +191,6 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
- 		newOptions = append(newOptions, opt)
- 	}
- 
-	if !foundWrite {
-		newOptions = append(newOptions, "rw")
-	}
- 	if !foundProp {
- 		if recursiveBind {
- 			newOptions = append(newOptions, "rprivate")
-- 
-2.49.0
-
--- a/0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
+++ b/0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
@@ -0,0 +1,59 @@
+From 1207d8507d2567c890b552a9e156c8460b5fa477 Mon Sep 17 00:00:00 2001
+From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
+Date: Mon, 12 May 2025 19:34:12 +0530
+Subject: [PATCH 2/3] Fix: Remove appending rw as the default mount option
+
+The backstory for this is that runc 1.2 (opencontainers/runc#3967)
+fixed a long-standing bug in our mount flag handling (a bug that crun
+still has). Before runc 1.2, when dealing with locked mount flags that
+user namespaced containers cannot clear, trying to explicitly clearing
+locked flags (like rw clearing MS_RDONLY) would silently ignore the rw
+flag in most cases and would result in a read-only mount. This is
+obviously not what the user expects.
+
+What runc 1.2 did is that it made it so that passing clearing flags
+like rw would always result in an attempt to clear the flag (which was
+not the case before), and would (in all cases) explicitly return an
+error if we try to clear locking flags. (This also let us finally fix a
+bunch of other long-standing issues with locked mount flags causing
+seemingly spurious errors).
+
+The problem is that podman sets rw on all mounts by default (even if
+the user doesn't specify anything). This is actually a no-op in
+runc 1.1 and crun because of a bug in how clearing flags were handled
+(rw is the absence of MS_RDONLY but until runc 1.2 we didn't correctly
+track clearing flags like that, meaning that rw would literally be
+handled as if it were not set at all by users) but in runc 1.2 leads to
+unfortunate breakages and a subtle change in behaviour (before, a ro
+mount being bind-mounted into a container would also be ro -- though
+due to the above bug even setting rw explicitly would result in ro in
+most cases -- but with runc 1.2 the mount will always be rw even if
+the user didn't explicitly request it which most users would find
+surprising). By the way, this "always set rw" behaviour is a departure
+from Docker and it is not necesssary.
+
+Bugs: bsc#1242132
+
+Signed-off-by: rcmadhankumar <madhankumar.chellamuthu@suse.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ pkg/util/mount_opts.go | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
+index c9a773093e72..4e37fd74a0af 100644
+--- a/pkg/util/mount_opts.go
+++ b/pkg/util/mount_opts.go
+@@ -191,9 +191,6 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
+ 		newOptions = append(newOptions, opt)
+ 	}
+ 
+-	if !foundWrite {
+-		newOptions = append(newOptions, "rw")
+-	}
+ 	if !foundProp {
+ 		if recursiveBind {
+ 			newOptions = append(newOptions, "rprivate")
+-- 
+2.49.0
+
--- a/0003-CVE-2025-6032-machine-init-fix-tls-check.patch
+++ b/0003-CVE-2025-6032-machine-init-fix-tls-check.patch
@@ -0,0 +1,57 @@
+From 879b877db3607f50b8d1b30d096b1882b7aba65c Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Tue, 10 Jun 2025 14:16:46 +0200
+Subject: [PATCH 3/3] CVE-2025-6032: machine init: fix tls check
+
+Ensure we verify the TLS connection when pulling the OCI image.
+
+Bugs: bsc#1245320
+Fixes: CVE-2025-6032
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ pkg/machine/ocipull/ociartifact.go | 2 +-
+ pkg/machine/ocipull/pull.go        | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
+index e144689ffe53..75154437e9ae 100644
+--- a/pkg/machine/ocipull/ociartifact.go
+++ b/pkg/machine/ocipull/ociartifact.go
+@@ -224,7 +224,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
+ 	}
+ 	fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
+ 	sysCtx := &types.SystemContext{
+-		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
+		DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
+ 	}
+ 	imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
+ 	if err != nil {
+diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
+index 0822578e8a96..85cf5c18ec73 100644
+--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
+@@ -21,8 +21,8 @@ import (
+ // PullOptions includes data to alter certain knobs when pulling a source
+ // image.
+ type PullOptions struct {
+-	// Require HTTPS and verify certificates when accessing the registry.
+-	TLSVerify bool
+	// Skip TLS verification when accessing the registry.
+	SkipTLSVerify types.OptionalBool
+ 	// [username[:password] to use when connecting to the registry.
+ 	Credentials string
+ 	// Quiet the progress bars when pushing.
+@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
+ 	}
+ 
+ 	sysCtx := &types.SystemContext{
+-		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+		DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
+ 	}
+ 	if options.Credentials != "" {
+ 		authConf, err := parse.AuthConfig(options.Credentials)
+-- 
+2.49.0
+
--- a/2
+++ b/2
@@ -2,7 +2,7 @@
  <service name="obs_scm" mode="manual">
    <param name="url">https://github.com/containers/podman.git</param>
    <param name="scm">git</param>
-    <param name="revision">v5.5.2</param>
+    <param name="revision">v5.4.2</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
    <param name="versionrewrite-pattern">v(.*)</param>
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/containers/podman.git</param>
-              <param name="changesrevision">e7d8226745ba07a64b7176a7f128e4ef53225a0e</param></service></servicedata>
+              <param name="changesrevision">be85287fcf4590961614ee37be65eeb315e5d9ff</param></service></servicedata>
--- a/podman-5.4.2.obscpio
+++ b/podman-5.4.2.obscpio
--- a/podman-5.5.2.obscpio
+++ b/podman-5.5.2.obscpio
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:31173b15ee5a17d29af7fa1266eb661bc202007bc74c9adc4fe1001aea9851a8
-size 96685582
--- a/podman.changes
+++ b/podman.changes
--- a/podman.obsinfo
+++ b/podman.obsinfo
@@ -1,4 +1,4 @@
 name: podman
-version: 5.5.2
-mtime: 1750776105
-commit: e7d8226745ba07a64b7176a7f128e4ef53225a0e
+version: 5.4.2
+mtime: 1743601389
+commit: be85287fcf4590961614ee37be65eeb315e5d9ff
--- a/podman.spec
+++ b/podman.spec
@@ -22,7 +22,7 @@
 %bcond_without  apparmor

 Name:           podman
-Version:        5.5.2
+Version:        5.4.2
 Release:        0
 Summary:        Daemon-less container engine for managing containers, pods and images
 License:        Apache-2.0
@@ -30,8 +30,9 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
-Patch1:         0001-remove-appending-rw-as-the-default-mount-option.patch
-BuildRequires:  man
+Patch0:         0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
+Patch1:         0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
+Patch2:         0003-CVE-2025-6032-machine-init-fix-tls-check.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -49,7 +50,8 @@ BuildRequires:  libcontainers-common
 BuildRequires:  libgpgme-devel
 BuildRequires:  libostree-devel
 BuildRequires:  libseccomp-devel
-BuildRequires:  golang(API) >= 1.23
+# at least go 1.18 is needed from go.mod
+BuildRequires:  golang(API) >= 1.21
 BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
@@ -61,10 +63,9 @@ Recommends:     apparmor-parser
 Recommends:     gvisor-tap-vsock
 Requires:       catatonit >= 0.1.7
 Requires:       conmon >= 2.0.24
-Recommends:     criu
 Requires:       fuse-overlayfs
 Requires:       libcontainers-common >= 20230214
-%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+%if 0%{?suse_version} && 0%{?suse_version} < 1600
 # Build podman with CNI support for SLE-15-SP5 and lower
 Requires:       (netavark or cni-plugins)
 # We still want users with fresh installation to start off
@@ -206,6 +207,7 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %{_unitdir}/podman-restart.service
 %{_unitdir}/podman-auto-update.timer
 %{_unitdir}/podman-clean-transient.service
+%{_userunitdir}/podman-user-wait-network-online.service
 %{_userunitdir}/podman.service
 %{_userunitdir}/podman.socket
 %{_userunitdir}/podman-auto-update.service
@@ -213,7 +215,6 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %{_userunitdir}/podman-restart.service
 %{_userunitdir}/podman-auto-update.timer
 %{_userunitdir}/podman-clean-transient.service
-%{_userunitdir}/podman-user-wait-network-online.service
 %{_systemdusergeneratordir}/podman-user-generator
 %{_systemdgeneratordir}/podman-system-generator
 %ghost /run/podman