Sync changes to SLFO-1.2 branch

OBS-URL: https://build.opensuse.org/request/show/1288469
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/podman?expand=0&rev=161

0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch

@@ -0,0 +1,135 @@
+From 172170d06ef6c5ecbe19db448284a8c8c732ed15 Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Thu, 13 Mar 2025 14:37:38 +0530
+Subject: [PATCH 1/3] CVE-2025-22869: ssh: limit the size of the internal
+ packet queue while waiting for KEX (#13)
+
+In the SSH protocol, clients and servers execute the key exchange to
+generate one-time session keys used for encryption and authentication.
+The key exchange is performed initially after the connection is
+established and then periodically after a configurable amount of data.
+While a key exchange is in progress, we add the received packets to an
+internal queue until we receive SSH_MSG_KEXINIT from the other side.
+This can result in high memory usage if the other party is slow to
+respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
+malicious client never responds to an SSH_MSG_KEXINIT packet during a
+large file transfer.
+We now limit the internal queue to 64 packets: this means 2MB with the
+typical 32KB packet size.
+When the internal queue is full we block further writes until the
+pending key exchange is completed or there is a read or write error.
+
+Thanks to Yuichi Watanabe for reporting this issue.
+
+Fixes: CVE-2025-22869
+Bugs: bsc#1239330
+
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+Co-authored-by: Nicola Murino <nicola.murino@gmail.com>
+---
+ vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 56cdc7c21c3b..a68d20f7f396 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
++++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -25,6 +25,11 @@ const debugHandshake = false
+ // quickly.
+ const chanSize = 16
+ 
++// maxPendingPackets sets the maximum number of packets to queue while waiting
++// for KEX to complete. This limits the total pending data to maxPendingPackets
++// * maxPacket bytes, which is ~16.8MB.
++const maxPendingPackets = 64
++
+ // keyingTransport is a packet based transport that supports key
+ // changes. It need not be thread-safe. It should pass through
+ // msgNewKeys in both directions.
+@@ -73,11 +78,19 @@ type handshakeTransport struct {
+ 	incoming  chan []byte
+ 	readError error
+ 
+-	mu               sync.Mutex
+-	writeError       error
+-	sentInitPacket   []byte
+-	sentInitMsg      *kexInitMsg
+-	pendingPackets   [][]byte // Used when a key exchange is in progress.
++	mu sync.Mutex
++	// Condition for the above mutex. It is used to notify a completed key
++	// exchange or a write failure. Writes can wait for this condition while a
++	// key exchange is in progress.
++	writeCond      *sync.Cond
++	writeError     error
++	sentInitPacket []byte
++	sentInitMsg    *kexInitMsg
++	// Used to queue writes when a key exchange is in progress. The length is
++	// limited by pendingPacketsSize. Once full, writes will block until the key
++	// exchange is completed or an error occurs. If not empty, it is emptied
++	// all at once when the key exchange is completed in kexLoop.
++	pendingPackets   [][]byte
+ 	writePacketsLeft uint32
+ 	writeBytesLeft   int64
+ 
+@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
+ 
+ 		config: config,
+ 	}
++	t.writeCond = sync.NewCond(&t.mu)
+ 	t.resetReadThresholds()
+ 	t.resetWriteThresholds()
+ 
+@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
+ 	defer t.mu.Unlock()
+ 	if t.writeError == nil && err != nil {
+ 		t.writeError = err
++		t.writeCond.Broadcast()
+ 	}
+ }
+ 
+@@ -362,6 +377,8 @@ write:
+ 			}
+ 		}
+ 		t.pendingPackets = t.pendingPackets[:0]
++		// Unblock writePacket if waiting for KEX.
++		t.writeCond.Broadcast()
+ 		t.mu.Unlock()
+ 	}
+ 
+@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 	}
+ 
+ 	if t.sentInitMsg != nil {
+-		// Copy the packet so the writer can reuse the buffer.
+-		cp := make([]byte, len(p))
+-		copy(cp, p)
+-		t.pendingPackets = append(t.pendingPackets, cp)
+-		return nil
++		if len(t.pendingPackets) < maxPendingPackets {
++			// Copy the packet so the writer can reuse the buffer.
++			cp := make([]byte, len(p))
++			copy(cp, p)
++			t.pendingPackets = append(t.pendingPackets, cp)
++			return nil
++		}
++		for t.sentInitMsg != nil {
++			// Block and wait for KEX to complete or an error.
++			t.writeCond.Wait()
++			if t.writeError != nil {
++				return t.writeError
++			}
++		}
+ 	}
+ 
+ 	if t.writeBytesLeft > 0 {
+@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 
+ 	if err := t.pushPacket(p); err != nil {
+ 		t.writeError = err
++		t.writeCond.Broadcast()
+ 	}
+ 
+ 	return nil
+-- 
+2.49.0
+

0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch

@@ -0,0 +1,59 @@
+From 1207d8507d2567c890b552a9e156c8460b5fa477 Mon Sep 17 00:00:00 2001
+From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
+Date: Mon, 12 May 2025 19:34:12 +0530
+Subject: [PATCH 2/3] Fix: Remove appending rw as the default mount option
+
+The backstory for this is that runc 1.2 (opencontainers/runc#3967)
+fixed a long-standing bug in our mount flag handling (a bug that crun
+still has). Before runc 1.2, when dealing with locked mount flags that
+user namespaced containers cannot clear, trying to explicitly clearing
+locked flags (like rw clearing MS_RDONLY) would silently ignore the rw
+flag in most cases and would result in a read-only mount. This is
+obviously not what the user expects.
+
+What runc 1.2 did is that it made it so that passing clearing flags
+like rw would always result in an attempt to clear the flag (which was
+not the case before), and would (in all cases) explicitly return an
+error if we try to clear locking flags. (This also let us finally fix a
+bunch of other long-standing issues with locked mount flags causing
+seemingly spurious errors).
+
+The problem is that podman sets rw on all mounts by default (even if
+the user doesn't specify anything). This is actually a no-op in
+runc 1.1 and crun because of a bug in how clearing flags were handled
+(rw is the absence of MS_RDONLY but until runc 1.2 we didn't correctly
+track clearing flags like that, meaning that rw would literally be
+handled as if it were not set at all by users) but in runc 1.2 leads to
+unfortunate breakages and a subtle change in behaviour (before, a ro
+mount being bind-mounted into a container would also be ro -- though
+due to the above bug even setting rw explicitly would result in ro in
+most cases -- but with runc 1.2 the mount will always be rw even if
+the user didn't explicitly request it which most users would find
+surprising). By the way, this "always set rw" behaviour is a departure
+from Docker and it is not necesssary.
+
+Bugs: bsc#1242132
+
+Signed-off-by: rcmadhankumar <madhankumar.chellamuthu@suse.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ pkg/util/mount_opts.go | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
+index c9a773093e72..4e37fd74a0af 100644
+--- a/pkg/util/mount_opts.go
++++ b/pkg/util/mount_opts.go
+@@ -191,9 +191,6 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
+ 		newOptions = append(newOptions, opt)
+ 	}
+ 
+-	if !foundWrite {
+-		newOptions = append(newOptions, "rw")
+-	}
+ 	if !foundProp {
+ 		if recursiveBind {
+ 			newOptions = append(newOptions, "rprivate")
+-- 
+2.49.0
+

0003-CVE-2025-6032-machine-init-fix-tls-check.patch

@@ -0,0 +1,57 @@
+From 879b877db3607f50b8d1b30d096b1882b7aba65c Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Tue, 10 Jun 2025 14:16:46 +0200
+Subject: [PATCH 3/3] CVE-2025-6032: machine init: fix tls check
+
+Ensure we verify the TLS connection when pulling the OCI image.
+
+Bugs: bsc#1245320
+Fixes: CVE-2025-6032
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+ pkg/machine/ocipull/ociartifact.go | 2 +-
+ pkg/machine/ocipull/pull.go        | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
+index e144689ffe53..75154437e9ae 100644
+--- a/pkg/machine/ocipull/ociartifact.go
++++ b/pkg/machine/ocipull/ociartifact.go
+@@ -224,7 +224,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
+ 	}
+ 	fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
+ 	sysCtx := &types.SystemContext{
+-		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
++		DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
+ 	}
+ 	imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
+ 	if err != nil {
+diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
+index 0822578e8a96..85cf5c18ec73 100644
+--- a/pkg/machine/ocipull/pull.go
++++ b/pkg/machine/ocipull/pull.go
+@@ -21,8 +21,8 @@ import (
+ // PullOptions includes data to alter certain knobs when pulling a source
+ // image.
+ type PullOptions struct {
+-	// Require HTTPS and verify certificates when accessing the registry.
+-	TLSVerify bool
++	// Skip TLS verification when accessing the registry.
++	SkipTLSVerify types.OptionalBool
+ 	// [username[:password] to use when connecting to the registry.
+ 	Credentials string
+ 	// Quiet the progress bars when pushing.
+@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
+ 	}
+ 
+ 	sysCtx := &types.SystemContext{
+-		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
++		DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
+ 	}
+ 	if options.Credentials != "" {
+ 		authConf, err := parse.AuthConfig(options.Credentials)
+-- 
+2.49.0
+

_service

@@ -2,7 +2,7 @@
   <service name="obs_scm" mode="manual">
     <param name="url">https://github.com/containers/podman.git</param>
     <param name="scm">git</param>
-    <param name="revision">v5.2.2</param>
+    <param name="revision">v5.4.2</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/podman.git</param>
-              <param name="changesrevision">fcee48106a12dd531702d729d17f40f6e152027f</param></service></servicedata>
+              <param name="changesrevision">be85287fcf4590961614ee37be65eeb315e5d9ff</param></service></servicedata>

podman-5.2.2.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1f2e5bd13e4c0ca13561fe124f44c93898450405ef15e93c6cce1d10d24105c2
-size 109693454

podman.obsinfo

@@ -1,4 +1,4 @@
 name: podman
-version: 5.2.2
+version: 5.4.2
-mtime: 1724262191
+mtime: 1743601389
-commit: fcee48106a12dd531702d729d17f40f6e152027f
+commit: be85287fcf4590961614ee37be65eeb315e5d9ff

podman.spec

@@ -22,7 +22,7 @@
 %bcond_without  apparmor
 
 Name:           podman
-Version:        5.2.2
+Version:        5.4.2
 Release:        0
 Summary:        Daemon-less container engine for managing containers, pods and images
 License:        Apache-2.0
@@ -30,7 +30,9 @@ Group:          System/Management
 URL:            https://%{project}
 Source0:        %{name}-%{version}.tar.gz
 Source1:        podman.conf
-BuildRequires:  man
+Patch0:         0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
+Patch1:         0002-Fix-Remove-appending-rw-as-the-default-mount-option.patch
+Patch2:         0003-CVE-2025-6032-machine-init-fix-tls-check.patch
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -62,9 +64,8 @@ Recommends:     gvisor-tap-vsock
 Requires:       catatonit >= 0.1.7
 Requires:       conmon >= 2.0.24
 Requires:       fuse-overlayfs
-Requires:       iptables
 Requires:       libcontainers-common >= 20230214
-%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+%if 0%{?suse_version} && 0%{?suse_version} < 1600
 # Build podman with CNI support for SLE-15-SP5 and lower
 Requires:       (netavark or cni-plugins)
 # We still want users with fresh installation to start off
@@ -74,17 +75,7 @@ Suggests:       netavark
 %else
 Requires:       netavark
 %endif
-# use crun on Tumbleweed & ALP for WASM support
-%if 0%{suse_version} >= 1600
-# crun is only available for selected archs (because of criu)
-%ifarch x86_64 aarch64 ppc64le armv7l armv7hl s390x
-Requires:       crun
-%else
 Requires:       runc >= 1.0.1
-%endif
-%else
-Requires:       runc >= 1.0.1
-%endif
 Requires:       passt
 Requires:       timezone
 Suggests:       katacontainers
@@ -140,7 +131,7 @@ Provides:       %{name}-shell = %{version}
 capabilities specified in user quadlets.
 
 It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
-when `%{_bindir}/%{name}sh is set as a login shell or set as os.Args[0].
+when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
 
 %build
 # Build podman
@@ -193,6 +184,7 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %{_mandir}/man1/podman*.1*
 %{_mandir}/man5/podman*.5*
 %{_mandir}/man5/quadlet*.5*
+%{_mandir}/man7/podman*.7*
 %exclude %{_mandir}/man1/podman-remote*.1*
 # Configs
 %dir %{_prefix}/lib/modules-load.d
@@ -215,6 +207,7 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 %{_unitdir}/podman-restart.service
 %{_unitdir}/podman-auto-update.timer
 %{_unitdir}/podman-clean-transient.service
+%{_userunitdir}/podman-user-wait-network-online.service
 %{_userunitdir}/podman.service
 %{_userunitdir}/podman.socket
 %{_userunitdir}/podman-auto-update.service
@@ -255,18 +248,19 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
 
 %pre
 %service_add_pre podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+%systemd_user_pre podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
 
 %post
 %service_add_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
 %tmpfiles_create %{_tmpfilesdir}/podman.conf
-%systemd_user_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer
+%systemd_user_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
 
 %preun
 %service_del_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
-%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
 
 %postun
 %service_del_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
-%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
 
 %changelog