Accepting request 1302250 from devel:microos

- Do not recommend apparmor-parser and apparmor-abstractions: if
  the system is using apparmor, those packages will be present. If
  the system is selinux enabled, we don't want to recommend those
  packages just becuase we build support for apparmor into the
  package. (forwarded request 1302152 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/1302250
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/podman?expand=0&rev=163

0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch

@@ -1,135 +0,0 @@
-From 172170d06ef6c5ecbe19db448284a8c8c732ed15 Mon Sep 17 00:00:00 2001
-From: Danish Prakash <contact@danishpraka.sh>
-Date: Thu, 13 Mar 2025 14:37:38 +0530
-Subject: [PATCH 1/3] CVE-2025-22869: ssh: limit the size of the internal
- packet queue while waiting for KEX (#13)
-
-In the SSH protocol, clients and servers execute the key exchange to
-generate one-time session keys used for encryption and authentication.
-The key exchange is performed initially after the connection is
-established and then periodically after a configurable amount of data.
-While a key exchange is in progress, we add the received packets to an
-internal queue until we receive SSH_MSG_KEXINIT from the other side.
-This can result in high memory usage if the other party is slow to
-respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
-malicious client never responds to an SSH_MSG_KEXINIT packet during a
-large file transfer.
-We now limit the internal queue to 64 packets: this means 2MB with the
-typical 32KB packet size.
-When the internal queue is full we block further writes until the
-pending key exchange is completed or there is a read or write error.
-
-Thanks to Yuichi Watanabe for reporting this issue.
-
-Fixes: CVE-2025-22869
-Bugs: bsc#1239330
-
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
-Co-authored-by: Nicola Murino <nicola.murino@gmail.com>
----
- vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
- 1 file changed, 37 insertions(+), 10 deletions(-)
-
-diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
-index 56cdc7c21c3b..a68d20f7f396 100644
---- a/vendor/golang.org/x/crypto/ssh/handshake.go
-+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
-@@ -25,6 +25,11 @@ const debugHandshake = false
- // quickly.
- const chanSize = 16
- 
-+// maxPendingPackets sets the maximum number of packets to queue while waiting
-+// for KEX to complete. This limits the total pending data to maxPendingPackets
-+// * maxPacket bytes, which is ~16.8MB.
-+const maxPendingPackets = 64
-+
- // keyingTransport is a packet based transport that supports key
- // changes. It need not be thread-safe. It should pass through
- // msgNewKeys in both directions.
-@@ -73,11 +78,19 @@ type handshakeTransport struct {
- 	incoming  chan []byte
- 	readError error
- 
--	mu               sync.Mutex
--	writeError       error
--	sentInitPacket   []byte
--	sentInitMsg      *kexInitMsg
--	pendingPackets   [][]byte // Used when a key exchange is in progress.
-+	mu sync.Mutex
-+	// Condition for the above mutex. It is used to notify a completed key
-+	// exchange or a write failure. Writes can wait for this condition while a
-+	// key exchange is in progress.
-+	writeCond      *sync.Cond
-+	writeError     error
-+	sentInitPacket []byte
-+	sentInitMsg    *kexInitMsg
-+	// Used to queue writes when a key exchange is in progress. The length is
-+	// limited by pendingPacketsSize. Once full, writes will block until the key
-+	// exchange is completed or an error occurs. If not empty, it is emptied
-+	// all at once when the key exchange is completed in kexLoop.
-+	pendingPackets   [][]byte
- 	writePacketsLeft uint32
- 	writeBytesLeft   int64
- 
-@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
- 
- 		config: config,
- 	}
-+	t.writeCond = sync.NewCond(&t.mu)
- 	t.resetReadThresholds()
- 	t.resetWriteThresholds()
- 
-@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
- 	defer t.mu.Unlock()
- 	if t.writeError == nil && err != nil {
- 		t.writeError = err
-+		t.writeCond.Broadcast()
- 	}
- }
- 
-@@ -362,6 +377,8 @@ write:
- 			}
- 		}
- 		t.pendingPackets = t.pendingPackets[:0]
-+		// Unblock writePacket if waiting for KEX.
-+		t.writeCond.Broadcast()
- 		t.mu.Unlock()
- 	}
- 
-@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
- 	}
- 
- 	if t.sentInitMsg != nil {
--		// Copy the packet so the writer can reuse the buffer.
--		cp := make([]byte, len(p))
--		copy(cp, p)
--		t.pendingPackets = append(t.pendingPackets, cp)
--		return nil
-+		if len(t.pendingPackets) < maxPendingPackets {
-+			// Copy the packet so the writer can reuse the buffer.
-+			cp := make([]byte, len(p))
-+			copy(cp, p)
-+			t.pendingPackets = append(t.pendingPackets, cp)
-+			return nil
-+		}
-+		for t.sentInitMsg != nil {
-+			// Block and wait for KEX to complete or an error.
-+			t.writeCond.Wait()
-+			if t.writeError != nil {
-+				return t.writeError
-+			}
-+		}
- 	}
- 
- 	if t.writeBytesLeft > 0 {
-@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
- 
- 	if err := t.pushPacket(p); err != nil {
- 		t.writeError = err
-+		t.writeCond.Broadcast()
- 	}
- 
- 	return nil
--- 
-2.49.0
-

0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch

@@ -1,59 +0,0 @@
-From 1207d8507d2567c890b552a9e156c8460b5fa477 Mon Sep 17 00:00:00 2001
-From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
-Date: Mon, 12 May 2025 19:34:12 +0530
-Subject: [PATCH 2/3] Fix: Remove appending rw as the default mount option
-
-The backstory for this is that runc 1.2 (opencontainers/runc#3967)
-fixed a long-standing bug in our mount flag handling (a bug that crun
-still has). Before runc 1.2, when dealing with locked mount flags that
-user namespaced containers cannot clear, trying to explicitly clearing
-locked flags (like rw clearing MS_RDONLY) would silently ignore the rw
-flag in most cases and would result in a read-only mount. This is
-obviously not what the user expects.
-
-What runc 1.2 did is that it made it so that passing clearing flags
-like rw would always result in an attempt to clear the flag (which was
-not the case before), and would (in all cases) explicitly return an
-error if we try to clear locking flags. (This also let us finally fix a
-bunch of other long-standing issues with locked mount flags causing
-seemingly spurious errors).
-
-The problem is that podman sets rw on all mounts by default (even if
-the user doesn't specify anything). This is actually a no-op in
-runc 1.1 and crun because of a bug in how clearing flags were handled
-(rw is the absence of MS_RDONLY but until runc 1.2 we didn't correctly
-track clearing flags like that, meaning that rw would literally be
-handled as if it were not set at all by users) but in runc 1.2 leads to
-unfortunate breakages and a subtle change in behaviour (before, a ro
-mount being bind-mounted into a container would also be ro -- though
-due to the above bug even setting rw explicitly would result in ro in
-most cases -- but with runc 1.2 the mount will always be rw even if
-the user didn't explicitly request it which most users would find
-surprising). By the way, this "always set rw" behaviour is a departure
-from Docker and it is not necesssary.
-
-Bugs: bsc#1242132
-
-Signed-off-by: rcmadhankumar <madhankumar.chellamuthu@suse.com>
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
----
- pkg/util/mount_opts.go | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
-index c9a773093e72..4e37fd74a0af 100644
---- a/pkg/util/mount_opts.go
-+++ b/pkg/util/mount_opts.go
-@@ -191,9 +191,6 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
- 		newOptions = append(newOptions, opt)
- 	}
- 
--	if !foundWrite {
--		newOptions = append(newOptions, "rw")
--	}
- 	if !foundProp {
- 		if recursiveBind {
- 			newOptions = append(newOptions, "rprivate")
--- 
-2.49.0
-

0003-CVE-2025-6032-machine-init-fix-tls-check.patch

@@ -1,57 +0,0 @@
-From 879b877db3607f50b8d1b30d096b1882b7aba65c Mon Sep 17 00:00:00 2001
-From: Paul Holzinger <pholzing@redhat.com>
-Date: Tue, 10 Jun 2025 14:16:46 +0200
-Subject: [PATCH 3/3] CVE-2025-6032: machine init: fix tls check
-
-Ensure we verify the TLS connection when pulling the OCI image.
-
-Bugs: bsc#1245320
-Fixes: CVE-2025-6032
-
-Signed-off-by: Paul Holzinger <pholzing@redhat.com>
-Signed-off-by: Danish Prakash <contact@danishpraka.sh>
----
- pkg/machine/ocipull/ociartifact.go | 2 +-
- pkg/machine/ocipull/pull.go        | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
-index e144689ffe53..75154437e9ae 100644
---- a/pkg/machine/ocipull/ociartifact.go
-+++ b/pkg/machine/ocipull/ociartifact.go
-@@ -224,7 +224,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
- 	}
- 	fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
- 	sysCtx := &types.SystemContext{
--		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
-+		DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
- 	}
- 	imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
- 	if err != nil {
-diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
-index 0822578e8a96..85cf5c18ec73 100644
---- a/pkg/machine/ocipull/pull.go
-+++ b/pkg/machine/ocipull/pull.go
-@@ -21,8 +21,8 @@ import (
- // PullOptions includes data to alter certain knobs when pulling a source
- // image.
- type PullOptions struct {
--	// Require HTTPS and verify certificates when accessing the registry.
--	TLSVerify bool
-+	// Skip TLS verification when accessing the registry.
-+	SkipTLSVerify types.OptionalBool
- 	// [username[:password] to use when connecting to the registry.
- 	Credentials string
- 	// Quiet the progress bars when pushing.
-@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
- 	}
- 
- 	sysCtx := &types.SystemContext{
--		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
-+		DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
- 	}
- 	if options.Credentials != "" {
- 		authConf, err := parse.AuthConfig(options.Credentials)
--- 
-2.49.0
-

_service

@@ -2,7 +2,7 @@
   <service name="obs_scm" mode="manual">
     <param name="url">https://github.com/containers/podman.git</param>
     <param name="scm">git</param>
-    <param name="revision">v5.4.2</param>
+    <param name="revision">v5.6.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/podman.git</param>
-              <param name="changesrevision">be85287fcf4590961614ee37be65eeb315e5d9ff</param></service></servicedata>
+              <param name="changesrevision">da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f</param></service></servicedata>

podman-5.6.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f8fe13947a65924ea92e867d50912efd827f0ec2432d2faa5d9cdb2941ccb05
+size 94526478

podman.obsinfo

@@ -1,4 +1,4 @@
 name: podman
-version: 5.4.2
-mtime: 1743601389
-commit: be85287fcf4590961614ee37be65eeb315e5d9ff
+version: 5.6.0
+mtime: 1755265355
+commit: da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f

podman.spec

@@ -22,7 +22,7 @@
 %bcond_without  apparmor
 
 Name:           podman
-Version:        5.4.2
+Version:        5.6.0
 Release:        0
 Summary:        Daemon-less container engine for managing containers, pods and images
 License:        Apache-2.0
@@ -30,9 +30,7 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
-Patch0:         0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
-Patch1:         0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
-Patch2:         0003-CVE-2025-6032-machine-init-fix-tls-check.patch
+BuildRequires:  man
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -50,22 +48,18 @@ BuildRequires:  libcontainers-common
 BuildRequires:  libgpgme-devel
 BuildRequires:  libostree-devel
 BuildRequires:  libseccomp-devel
-# at least go 1.18 is needed from go.mod
-BuildRequires:  golang(API) >= 1.21
+BuildRequires:  golang(API) >= 1.23
 BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
-%if %{with apparmor}
-Recommends:     apparmor-abstractions
-Recommends:     apparmor-parser
-%endif
 # requirement for `podman machine`
 Recommends:     gvisor-tap-vsock
 Requires:       catatonit >= 0.1.7
 Requires:       conmon >= 2.0.24
+Recommends:     criu
 Requires:       fuse-overlayfs
 Requires:       libcontainers-common >= 20230214
-%if 0%{?suse_version} && 0%{?suse_version} < 1600
+%if 0%{?sle_version} && 0%{?sle_version} <= 150500
 # Build podman with CNI support for SLE-15-SP5 and lower
 Requires:       (netavark or cni-plugins)
 # We still want users with fresh installation to start off
@@ -207,7 +201,6 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %{_unitdir}/podman-restart.service
 %{_unitdir}/podman-auto-update.timer
 %{_unitdir}/podman-clean-transient.service
-%{_userunitdir}/podman-user-wait-network-online.service
 %{_userunitdir}/podman.service
 %{_userunitdir}/podman.socket
 %{_userunitdir}/podman-auto-update.service
@@ -215,6 +208,7 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %{_userunitdir}/podman-restart.service
 %{_userunitdir}/podman-auto-update.timer
 %{_userunitdir}/podman-clean-transient.service
+%{_userunitdir}/podman-user-wait-network-online.service
 %{_systemdusergeneratordir}/podman-user-generator
 %{_systemdgeneratordir}/podman-system-generator
 %ghost /run/podman