Add symlink to catatonit in /usr/libexec/podman

Fixes (bsc#1248988)

Signed-off-by: rcmadhankumar <madhankumar.chellamuthu@suse.com>

0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch

@@ -1,7 +1,7 @@
 From 172170d06ef6c5ecbe19db448284a8c8c732ed15 Mon Sep 17 00:00:00 2001
 From: Danish Prakash <contact@danishpraka.sh>
 Date: Thu, 13 Mar 2025 14:37:38 +0530
-Subject: [PATCH 1/3] CVE-2025-22869: ssh: limit the size of the internal
+Subject: [PATCH 1/6] CVE-2025-22869: ssh: limit the size of the internal
  packet queue while waiting for KEX (#13)
 
 In the SSH protocol, clients and servers execute the key exchange to
@@ -131,5 +131,5 @@ index 56cdc7c21c3b..a68d20f7f396 100644
  
  	return nil
 -- 
-2.49.0
+2.51.1
 

0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch

@@ -1,7 +1,7 @@
 From 1207d8507d2567c890b552a9e156c8460b5fa477 Mon Sep 17 00:00:00 2001
 From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
 Date: Mon, 12 May 2025 19:34:12 +0530
-Subject: [PATCH 2/3] Fix: Remove appending rw as the default mount option
+Subject: [PATCH 2/6] Fix: Remove appending rw as the default mount option
 
 The backstory for this is that runc 1.2 (opencontainers/runc#3967)
 fixed a long-standing bug in our mount flag handling (a bug that crun
@@ -55,5 +55,5 @@ index c9a773093e72..4e37fd74a0af 100644
  		if recursiveBind {
  			newOptions = append(newOptions, "rprivate")
 -- 
-2.49.0
+2.51.1
 

0003-CVE-2025-6032-machine-init-fix-tls-check.patch

@@ -1,7 +1,7 @@
 From 879b877db3607f50b8d1b30d096b1882b7aba65c Mon Sep 17 00:00:00 2001
 From: Paul Holzinger <pholzing@redhat.com>
 Date: Tue, 10 Jun 2025 14:16:46 +0200
-Subject: [PATCH 3/3] CVE-2025-6032: machine init: fix tls check
+Subject: [PATCH 3/6] CVE-2025-6032: machine init: fix tls check
 
 Ensure we verify the TLS connection when pulling the OCI image.
 
@@ -53,5 +53,5 @@ index 0822578e8a96..85cf5c18ec73 100644
  	if options.Credentials != "" {
  		authConf, err := parse.AuthConfig(options.Credentials)
 -- 
-2.49.0
+2.51.1
 

0004-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch

@@ -0,0 +1,148 @@
+From 086fcc6cb3ba901873bd8d300c241be264517fe3 Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 29 Aug 2025 15:39:38 +0200
+Subject: [PATCH 4/6] CVE-2025-9566: kube play: don't follow volume symlinks
+ onto the host
+
+For ConfigMap and Secret kube play volumes podman populates the data
+from the yaml. However the volume content is not controlled by us and we
+can be tricked following a symlink to a file on the host instead.
+
+Bugs: bsc#1249154
+Fixes: CVE-2025-9566
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ pkg/domain/infra/abi/play.go             |  5 ++-
+ pkg/domain/infra/abi/play_linux.go       | 18 +++++++++++
+ pkg/domain/infra/abi/play_unsupported.go | 13 ++++++++
+ pkg/domain/infra/abi/play_utils.go       | 39 +++++++++++++++++++++++-
+ 4 files changed, 71 insertions(+), 4 deletions(-)
+ create mode 100644 pkg/domain/infra/abi/play_linux.go
+ create mode 100644 pkg/domain/infra/abi/play_unsupported.go
+
+diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
+index 6ffbf4cf54e6..2fa2752d7cda 100644
+--- a/pkg/domain/infra/abi/play.go
++++ b/pkg/domain/infra/abi/play.go
+@@ -808,8 +808,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
+ 			defaultMode := v.DefaultMode
+ 			// Create files and add data to the volume mountpoint based on the Items in the volume
+ 			for k, v := range v.Items {
+-				dataPath := filepath.Join(mountPoint, k)
+-				f, err := os.Create(dataPath)
++				f, err := openPathSafely(mountPoint, k)
+ 				if err != nil {
+ 					return nil, nil, fmt.Errorf("cannot create file %q at volume mountpoint %q: %w", k, mountPoint, err)
+ 				}
+@@ -819,7 +818,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
+ 					return nil, nil, err
+ 				}
+ 				// Set file permissions
+-				if err := os.Chmod(f.Name(), os.FileMode(defaultMode)); err != nil {
++				if err := f.Chmod(os.FileMode(defaultMode)); err != nil {
+ 					return nil, nil, err
+ 				}
+ 			}
+diff --git a/pkg/domain/infra/abi/play_linux.go b/pkg/domain/infra/abi/play_linux.go
+new file mode 100644
+index 000000000000..a0f981151669
+--- /dev/null
++++ b/pkg/domain/infra/abi/play_linux.go
+@@ -0,0 +1,18 @@
++//go:build !remote
++
++package abi
++
++import (
++	"os"
++
++	securejoin "github.com/cyphar/filepath-securejoin"
++)
++
++// openSymlinkPath opens the path under root using securejoin.OpenatInRoot().
++func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
++	file, err := securejoin.OpenatInRoot(root, unsafePath)
++	if err != nil {
++		return nil, err
++	}
++	return securejoin.Reopen(file, flags)
++}
+diff --git a/pkg/domain/infra/abi/play_unsupported.go b/pkg/domain/infra/abi/play_unsupported.go
+new file mode 100644
+index 000000000000..3ecbae7cc1f6
+--- /dev/null
++++ b/pkg/domain/infra/abi/play_unsupported.go
+@@ -0,0 +1,13 @@
++//go:build !linux && !remote
++
++package abi
++
++import (
++	"errors"
++	"os"
++)
++
++// openSymlinkPath is not supported on this platform.
++func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
++	return nil, errors.New("cannot safely open symlink on this platform")
++}
+diff --git a/pkg/domain/infra/abi/play_utils.go b/pkg/domain/infra/abi/play_utils.go
+index 7285d9c9b987..217b6569972a 100644
+--- a/pkg/domain/infra/abi/play_utils.go
++++ b/pkg/domain/infra/abi/play_utils.go
+@@ -2,7 +2,14 @@
+ 
+ package abi
+ 
+-import "github.com/containers/podman/v5/libpod/define"
++import (
++	"fmt"
++	"os"
++	"strings"
++
++	"github.com/containers/podman/v5/libpod/define"
++	"golang.org/x/sys/unix"
++)
+ 
+ // getSdNotifyMode returns the `sdNotifyAnnotation/$name` for the specified
+ // name. If name is empty, it'll only look for `sdNotifyAnnotation`.
+@@ -16,3 +23,33 @@ func getSdNotifyMode(annotations map[string]string, name string) (string, error)
+ 	}
+ 	return mode, define.ValidateSdNotifyMode(mode)
+ }
++
++// openPathSafely opens the given name under the trusted root path, the unsafeName
++// must be a single path component and not contain "/".
++// The resulting path will be opened or created if it does not exists.
++// Following of symlink is done within staying under root, escapes outsides
++// of root are not allowed and prevent.
++//
++// This custom function is needed because securejoin.SecureJoin() is not race safe
++// and the volume might be mounted in another container that could swap in a symlink
++// after the function ahs run. securejoin.OpenInRoot() doesn't work either because
++// it cannot create files and doesn't work on freebsd.
++func openPathSafely(root, unsafeName string) (*os.File, error) {
++	if strings.Contains(unsafeName, "/") {
++		return nil, fmt.Errorf("name %q must not contain path separator", unsafeName)
++	}
++	fdDir, err := os.OpenFile(root, unix.O_RDONLY, 0)
++	if err != nil {
++		return nil, err
++	}
++	defer fdDir.Close()
++	flags := unix.O_CREAT | unix.O_WRONLY | unix.O_TRUNC | unix.O_CLOEXEC
++	fd, err := unix.Openat(int(fdDir.Fd()), unsafeName, flags|unix.O_NOFOLLOW, 0o644)
++	if err == nil {
++		return os.NewFile(uintptr(fd), unsafeName), nil
++	}
++	if err == unix.ELOOP {
++		return openSymlinkPath(fdDir, unsafeName, flags)
++	}
++	return nil, &os.PathError{Op: "openat", Path: unsafeName, Err: err}
++}
+-- 
+2.51.1
+

0006-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch

@@ -0,0 +1,91 @@
+From adf4ff6f9d33c6c4b74bd8fc4112b260ae346085 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Mon, 17 Nov 2025 14:57:51 +0530
+Subject: [PATCH 6/6] CVE-2025-47913, CVE-2025-47914: ssh/agent fixes
+
+--
+
+CVE-2025-47913: ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes CVE-2025-47913
+Fixes golang/go#75178
+Fixes bsc#1253542
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+
+--
+
+CVE-2025-47914: ssh/agent: prevent panic on malformed constraint
+
+An attacker could supply a malformed Constraint that
+would trigger a panic in a serving agent, effectively
+causing denial of service.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-47914
+Fixes golang/go#76364
+Fixes bsc#1253993
+
+Change-Id: I195bbc68b1560d4f04897722a6a653a7cbf086eb
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721960
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 6 ++++--
+ vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
+index 106708d289eb..410e21b065ce 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
+index e35ca7ce3182..6c05994928ba 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
+@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
+ 	for len(constraints) != 0 {
+ 		switch constraints[0] {
+ 		case agentConstrainLifetime:
++			if len(constraints) < 5 {
++				return 0, false, nil, io.ErrUnexpectedEOF
++			}
+ 			lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
+ 			constraints = constraints[5:]
+ 		case agentConstrainConfirm:
+-- 
+2.51.1
+

podman.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Thu Jan 29 05:06:01 UTC 2026 - Madhankumar Chellamuthu <madhankumar.chellamuthu@suse.com>
+
+- Add symlink to catatonit in /usr/libexec/podman (bsc#1248988)
+
+-------------------------------------------------------------------
+Mon Dec 22 10:45:50 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2025-47914 (bsc#1253993), CVE-2025-47913 (bsc#1253542):
+  * 0006-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
+- Rebase patches:
+  * 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
+  * 0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
+  * 0003-CVE-2025-6032-machine-init-fix-tls-check.patch
+  * 0004-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
+  * 0005-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+
+-------------------------------------------------------------------
+Wed Nov  5 10:38:20 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
+
+- Add patch for CVE-2025-31133,CVE-2025-52565,CVE-2025-52881 (bsc#1252376):
+  * 0005-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+- Add patch for bsc#1252543:
+  * 0004-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
+- Rebase patches:
+  * 0003-CVE-2025-6032-machine-init-fix-tls-check.patch
+  * 0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
+  * 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
+
 -------------------------------------------------------------------
 Wed Aug 13 06:44:07 UTC 2025 - Danish Prakash <danish.prakash@suse.com>
 

podman.spec

@@ -33,6 +33,9 @@ Source1:        podman.conf
 Patch0:         0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
 Patch1:         0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
 Patch2:         0003-CVE-2025-6032-machine-init-fix-tls-check.patch
+Patch3:         0004-CVE-2025-9566-kube-play-don-t-follow-volume-symlinks.patch
+Patch4:         0005-CVE-2025-52881-backport-subset-of-patch-from-runc.patch
+Patch5:         0006-CVE-2025-47913-CVE-2025-47914-ssh-agent-fixes.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -55,6 +58,7 @@ BuildRequires:  golang(API) >= 1.21
 BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
+BuildRequires:  catatonit
 %if %{with apparmor}
 Recommends:     apparmor-abstractions
 Recommends:     apparmor-parser
@@ -174,6 +178,9 @@ rm %{buildroot}%{_user_tmpfilesdir}/podman-docker.conf
 mkdir -p %{buildroot}%{_prefix}/lib/modules-load.d
 install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 
+# create a softlink to catatonit and add it to buildroot
+ln -s %{_bindir}/catatonit %{buildroot}%{_libexecdir}/podman/catatonit
+
 %fdupes %{buildroot}/%{_datadir}
 %fdupes %{buildroot}/%{_systemd_util_dir}
 
@@ -194,6 +201,7 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %dir %{_libexecdir}/podman
 %{_libexecdir}/podman/rootlessport
 %{_libexecdir}/podman/quadlet
+%{_libexecdir}/podman/catatonit
 # Completion
 %{_datadir}/bash-completion/completions/podman
 %{_datadir}/zsh/site-functions/_podman