diff --git a/0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch b/0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b59904809b812773f45ba6bf9d7d5a56d0d413a --- /dev/null +++ b/0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch 
@@ -0,0 +1,565 @@ +From 41b0d431e1d5df30149add3713ac54d1f43f7f6d Mon Sep 17 00:00:00 2001 +From: duyiwei +Date: Fri, 10 Jan 2025 17:06:36 +0800 +Subject: [PATCH] test + +Signed-off-by: duyiwei +--- + go.mod | 8 +- + go.sum | 16 ++-- + .../github.com/containers/buildah/.cirrus.yml | 8 +- + .../containers/buildah/define/types.go | 2 +- + .../buildah/internal/volumes/volumes.go | 31 ++++++- + .../common/pkg/subscriptions/subscriptions.go | 6 +- + .../containers/common/version/version.go | 2 +- + .../image/v5/docker/docker_image.go | 22 ++++- + .../containers/image/v5/version/version.go | 2 +- + .../github.com/containers/storage/.cirrus.yml | 2 +- + vendor/github.com/containers/storage/VERSION | 2 +- + .../storage/drivers/overlay/overlay.go | 41 +++++++-- + .../github.com/containers/storage/userns.go | 92 +++++++++++++------ + .../containers/storage/userns_unsupported.go | 14 +++ + vendor/modules.txt | 8 +- + 15 files changed, 186 insertions(+), 70 deletions(-) + create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go + +diff --git a/go.mod b/go.mod +index b1e2758..1ef9ab7 100644 +--- a/go.mod ++++ b/go.mod +@@ -11,15 +11,15 @@ require ( + github.com/checkpoint-restore/go-criu/v7 v7.0.0 + github.com/containernetworking/cni v1.1.2 + github.com/containernetworking/plugins v1.3.0 +- github.com/containers/buildah v1.33.7 +- github.com/containers/common v0.57.4 ++ github.com/containers/buildah v1.33.11 ++ github.com/containers/common v0.57.7 + github.com/containers/conmon v2.0.20+incompatible + github.com/containers/gvisor-tap-vsock v0.7.2 +- github.com/containers/image/v5 v5.29.2 ++ github.com/containers/image/v5 v5.29.4 + github.com/containers/libhvee v0.5.0 + github.com/containers/ocicrypt v1.1.9 + github.com/containers/psgo v1.8.0 +- github.com/containers/storage v1.51.0 ++ github.com/containers/storage v1.51.2 + github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 + github.com/coreos/stream-metadata-go v0.4.4 + 
github.com/crc-org/vfkit v0.1.2-0.20231030102423-f3c783d34420 +diff --git a/go.sum b/go.sum +index 42178b0..92b443a 100644 +--- a/go.sum ++++ b/go.sum +@@ -258,16 +258,16 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV + github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= + github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM= + github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0= +-github.com/containers/buildah v1.33.7 h1:Y2kNea+hNNyZ74ppYFWmD0cLc/DwZ5A4NEUPQWPj5Zw= +-github.com/containers/buildah v1.33.7/go.mod h1:pphfdjrwtTWkuIy1aDyZMEVyMfmm0DsbvxLGxxEU1cM= +-github.com/containers/common v0.57.4 h1:kmfBad92kUjP5X44BPpOwMe+eZQqaKETfS+ASeL0g+g= +-github.com/containers/common v0.57.4/go.mod h1:o3L3CyOI9yr+JC8l4dZgvqTxcjs3qdKmkek00uchgvw= ++github.com/containers/buildah v1.33.11 h1:WhEw4xD251utfeb3Huijb/yiTY62tqh8IzchcbnQ2rA= ++github.com/containers/buildah v1.33.11/go.mod h1:MtL+0XpZL5csljQDshjeQfvjzyTV0hgZsSoExmO3eu8= ++github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g= ++github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ= + github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= + github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= + github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY= + github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY= +-github.com/containers/image/v5 v5.29.2 h1:b8U0XYWhaQbKucK73IbmSm8WQyKAhKDbAHQc45XlsOw= +-github.com/containers/image/v5 v5.29.2/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E= ++github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4= ++github.com/containers/image/v5 
v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E= + github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw= + github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0= + github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= +@@ -282,8 +282,8 @@ github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPN + github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY= + github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc= + github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s= +-github.com/containers/storage v1.51.0 h1:AowbcpiWXzAjHosKz7MKvPEqpyX+ryZA/ZurytRrFNA= +-github.com/containers/storage v1.51.0/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc= ++github.com/containers/storage v1.51.2 h1:Xw8p1AG1A+Nh6dCsb1UOB3YKF5uzlCkI3uAP4fsFup4= ++github.com/containers/storage v1.51.2/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc= + github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= + github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= + github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml +index ac12d66..5d99964 100644 +--- a/vendor/github.com/containers/buildah/.cirrus.yml ++++ b/vendor/github.com/containers/buildah/.cirrus.yml +@@ -138,14 +138,10 @@ cross_build_task: + only_if: >- + $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' + +- osx_instance: +- image: ghcr.io/cirruslabs/macos-ventura-base:latest ++ env: ++ HOME: /root + + script: +- - brew update +- - brew install go +- - brew install go-md2man +- - brew install gpgme + - go version + - make cross CGO_ENABLED=0 + +diff --git 
a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go
+index 50adce0..0e1e963 100644
+--- a/vendor/github.com/containers/buildah/define/types.go
++++ b/vendor/github.com/containers/buildah/define/types.go
+@@ -29,7 +29,7 @@ const (
+ // identify working containers.
+ Package = "buildah"
+ // Version for the Package. Also used by .packit.sh for Packit builds.
+- Version = "1.33.7"
++ Version = "1.33.11"
+
+ // DefaultRuntime if containers.conf fails.
+ DefaultRuntime = "runc"
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index fd1ff7f..f20b254 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
++++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/lockfile"
+ "github.com/containers/storage/pkg/unshare"
++ digest "github.com/opencontainers/go-digest"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -101,6 +102,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ if len(kv) == 1 {
+ return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ }
++ switch kv[1] {
++ default:
++ return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, kv[1])
+ case "src", "source":
+ if len(kv) == 1 {
+@@ -276,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ if len(kv) == 1 {
+ return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ }
++ switch kv[1] {
++ default:
++ return
newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, kv[1])
+ case "id":
+ if len(kv) == 1 {
+@@ -361,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ }
+ // path should be /contextDir/specified path
+- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, nil, err
++ }
++ newMount.Source = evaluated
+ } else {
+ // we need to create cache on host if no image is being used
+
+@@ -378,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ }
+
+ if id != "" {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(id).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ } else {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ }
+ idPair := idtools.IDPair{
+ UID: uid,
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154..d976329 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index 19ba92c..131d5bb 100644
+--- a/vendor/github.com/containers/common/version/version.go
++++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+
+ // Version is the version of the build.
+-const Version = "0.57.4"
++const Version = "0.57.7"
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
+index 9316048..74f559d 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
+@@ -14,6 +14,7 @@ import (
+ "github.com/containers/image/v5/manifest"
+ "github.com/containers/image/v5/types"
+ "github.com/opencontainers/go-digest"
++ "github.com/sirupsen/logrus"
+ )
+
+ // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
+@@ -88,7 +89,26 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
+ if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
+ return nil, err
+ }
+- tags = append(tags, tagsHolder.Tags...)
++ for _, tag := range tagsHolder.Tags {
++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
++ // Per https://github.com/containers/skopeo/issues/2409 , Sonatype Nexus 3.58, contrary
++ // to the spec, may include JSON null values in the list; and Go silently parses them as "".
++ if tag == "" {
++ logrus.Debugf("Ignoring invalid empty tag")
++ continue
++ }
++ // Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
++ // contrary to the tag format specified in
++ // https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
++ // include digests in the list.
++ if _, err := digest.Parse(tag); err == nil {
++ logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
++ continue
++ }
++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
++ }
++ tags = append(tags, tag)
++ }
+
+ link := res.Header.Get("Link")
+ if link == "" {
+diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
+index b24ee88..441e467 100644
+--- a/vendor/github.com/containers/image/v5/version/version.go
++++ b/vendor/github.com/containers/image/v5/version/version.go
+@@ -8,7 +8,7 @@ const (
+ // VersionMinor is for functionality in a backwards-compatible manner
+ VersionMinor = 29
+ // VersionPatch is for backwards-compatible bug fixes
+- VersionPatch = 2
++ VersionPatch = 4
+
+ // VersionDev indicates development branch. Releases will be empty string.
+ VersionDev = ""
+diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
+index c41dd5d..9e61509 100644
+--- a/vendor/github.com/containers/storage/.cirrus.yml
++++ b/vendor/github.com/containers/storage/.cirrus.yml
+@@ -119,7 +119,7 @@ lint_task:
+ env:
+ CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
+ container:
+- image: golang
++ image: golang:1.19
+ modules_cache:
+ fingerprint_script: cat go.sum
+ folder: $GOPATH/pkg/mod
+diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
+index ba0a719..aa618f0 100644
+--- a/vendor/github.com/containers/storage/VERSION
++++ b/vendor/github.com/containers/storage/VERSION
+@@ -1 +1 @@
+-1.51.0
++1.51.2
+diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+index 04ecf87..d618d14 100644
+--- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go
++++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+@@ -1670,13
+1670,21 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
+ }
+
+ if err := idtools.MkdirAllAs(diffDir, perms, rootUID, rootGID); err != nil {
+- return "", err
++ if !inAdditionalStore {
++ return "", err
++ }
++ // if it is in an additional store, do not fail if the directory already exists
++ if _, err2 := os.Stat(diffDir); err2 != nil {
++ return "", err
++ }
+ }
+
+ mergedDir := path.Join(workDirBase, "merged")
+- // Create the driver merged dir
+- if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) {
+- return "", err
++ // Attempt to create the merged dir only if it doesn't exist.
++ if _, err := os.Stat(mergedDir); err != nil && os.IsNotExist(err) {
++ if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) {
++ return "", err
++ }
+ }
+ if count := d.ctr.Increment(mergedDir); count > 1 {
+ return mergedDir, nil
+@@ -1841,7 +1849,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
+
+ // Put unmounts the mount path created for the give id.
+ func (d *Driver) Put(id string) error {
+- dir := d.dir(id)
++ dir, _, inAdditionalStore := d.dir2(id)
+ if _, err := os.Stat(dir); err != nil {
+ return err
+ }
+@@ -1902,11 +1910,26 @@ func (d *Driver) Put(id string) error {
+ }
+ }
+
+- if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) {
+- logrus.Debugf("Failed to remove mountpoint %s overlay: %s - %v", id, mountpoint, err)
+- return fmt.Errorf("removing mount point %q: %w", mountpoint, err)
++ if !inAdditionalStore {
++ uid, gid := int(0), int(0)
++ fi, err := os.Stat(mountpoint)
++ if err != nil {
++ return err
++ }
++ if stat, ok := fi.Sys().(*syscall.Stat_t); ok {
++ uid, gid = int(stat.Uid), int(stat.Gid)
++ }
++ tmpMountpoint := path.Join(dir, "merged.1")
++ if err := idtools.MkdirAs(tmpMountpoint, 0o700, uid, gid); err != nil && !errors.Is(err, os.ErrExist) {
++ return err
++ }
++ // rename(2) can be used on an empty directory, as it is the mountpoint after umount, and it retains
++ // its atomic semantic. In this way the "merged" directory is never removed.
++ if err := unix.Rename(tmpMountpoint, mountpoint); err != nil {
++ logrus.Debugf("Failed to replace mountpoint %s overlay: %s - %v", id, mountpoint, err)
++ return fmt.Errorf("replacing mount point %q: %w", mountpoint, err)
++ }
+ }
+-
+ return nil
+ }
+
+diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
+index 32ae830..2c855da 100644
+--- a/vendor/github.com/containers/storage/userns.go
++++ b/vendor/github.com/containers/storage/userns.go
+@@ -1,18 +1,21 @@
++//go:build linux
++
+ package storage
+
+ import (
+ "fmt"
+ "os"
+ "os/user"
+- "path/filepath"
+ "strconv"
+
+ drivers "github.com/containers/storage/drivers"
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/unshare"
+ "github.com/containers/storage/types"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/sirupsen/logrus"
++ "golang.org/x/sys/unix"
+ )
+
+ // getAdditionalSubIDs looks up the additional IDs configured for
+@@ -85,40 +88,59 @@ const nobodyUser = 65534
+ // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+ // /etc/group files.
+ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
++ var (
++ passwd *os.File
++ group *os.File
++ size int
++ err error
++ )
+ if passwdFile == "" {
+- passwdFile = filepath.Join(containerMount, "etc/passwd")
+- }
+- if groupFile == "" {
+- groupFile = filepath.Join(groupFile, "etc/group")
++ passwd, err = secureOpen(containerMount, "/etc/passwd")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ passwd, err = os.Open(passwdFile)
+ }
+-
+- size := 0
+-
+- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+ if err == nil {
+- for _, u := range users {
+- // Skip the "nobody" user otherwise we end up with 65536
+- // ids with most images
+- if u.Name == "nobody" {
+- continue
+- }
+- if u.Uid > size && u.Uid != nobodyUser {
+- size = u.Uid
+- }
+- if u.Gid > size && u.Gid != nobodyUser {
+- size = u.Gid
++ defer passwd.Close()
++
++ users, err := libcontainerUser.ParsePasswd(passwd)
++ if err == nil {
++ for _, u := range users {
++ // Skip the "nobody" user otherwise we end up with 65536
++ // ids with most images
++ if u.Name == "nobody" || u.Name == "nogroup" {
++ continue
++ }
++ if u.Uid > size && u.Uid != nobodyUser {
++ size = u.Uid + 1
++ }
++ if u.Gid > size && u.Gid != nobodyUser {
++ size = u.Gid + 1
++ }
+ }
+ }
+ }
+
+- groups, err := libcontainerUser.ParseGroupFile(groupFile)
++ if groupFile == "" {
++ group, err = secureOpen(containerMount, "/etc/group")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ group, err = os.Open(groupFile)
++ }
+ if err == nil {
+- for _, g := range groups {
+- if g.Name == "nobody" {
+- continue
+- }
+- if g.Gid > size && g.Gid != nobodyUser {
+- size = g.Gid
++ defer group.Close()
++
++ groups, err := libcontainerUser.ParseGroup(group)
++ if err == nil {
++ for _, g := range groups {
++ if g.Name == "nobody" || g.Name == "nogroup" {
++ continue
++ }
++ if g.Gid > size && g.Gid != nobodyUser {
++ size = g.Gid + 1
++ }
+ }
+ }
+ }
+@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings(
+ gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+ return uidMap, gidMap, nil
+ }
++
++// Securely open (read-only) a file in a container mount.
++func secureOpen(containerMount, file string) (*os.File, error) {
++ filePath, err := securejoin.SecureJoin(containerMount, file)
++ if err != nil {
++ return nil, err
++ }
++
++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
++ fileHandle, err := os.OpenFile(filePath, flags, 0)
++ if err != nil {
++ return nil, err
++ }
++
++ return fileHandle, nil
++}
+diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
+new file mode 100644
+index 0000000..e37c18f
+--- /dev/null
++++ b/vendor/github.com/containers/storage/userns_unsupported.go
+@@ -0,0 +1,14 @@
++//go:build !linux
++
++package storage
++
++import (
++ "errors"
++
++ "github.com/containers/storage/pkg/idtools"
++ "github.com/containers/storage/types"
++)
++
++func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
++ return nil, nil, errors.New("user namespaces are not supported on this platform")
++}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index c261d97..f7fe104 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version
+ # github.com/containernetworking/plugins v1.3.0
+ ## explicit; go 1.20
+ github.com/containernetworking/plugins/pkg/ns
+-# github.com/containers/buildah v1.33.7
++# github.com/containers/buildah v1.33.11
+ ## explicit; go 1.20
+ github.com/containers/buildah
+ github.com/containers/buildah/bind
+@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.57.4
++# github.com/containers/common v0.57.7
+ ## explicit; go 1.18
+ github.com/containers/common/internal/attributedstring
+ github.com/containers/common/libimage
+@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
+ # github.com/containers/gvisor-tap-vsock v0.7.2 + ## explicit; go 1.20 + github.com/containers/gvisor-tap-vsock/pkg/types +-# github.com/containers/image/v5 v5.29.2 ++# github.com/containers/image/v5 v5.29.4 + ## explicit; go 1.19 + github.com/containers/image/v5/copy + github.com/containers/image/v5/directory +@@ -353,7 +353,7 @@ github.com/containers/psgo/internal/dev + github.com/containers/psgo/internal/host + github.com/containers/psgo/internal/proc + github.com/containers/psgo/internal/process +-# github.com/containers/storage v1.51.0 ++# github.com/containers/storage v1.51.2 + ## explicit; go 1.19 + github.com/containers/storage + github.com/containers/storage/drivers +-- +2.33.0 + diff --git a/podman.spec b/podman.spec index 85088f7e1ac86f7055f7d1dd5d758bfe9ab10362..2d0c2c2c9e58de5d9203627b4b7b52cf7baa5f83 100644 --- a/podman.spec +++ b/podman.spec @@ -2,7 +2,7 @@ Name: podman Version: 4.9.4 -Release: 10 +Release: 11 Summary: A tool for managing OCI containers and pods. Epoch: 1 License: Apache-2.0 and MIT @@ -17,6 +17,7 @@ Patch0002: 0002-fix-CVE-2023-3978.patch Patch0003: 0003-fix-CVE-2023-48795.patch Patch0004: 0004-fix-CVE-2022-3064.patch Patch0005: 0005-fix-CVE-2024-28180.patch +Patch0006: 0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel @@ -132,6 +133,7 @@ tar zxf %{SOURCE3} %patch0003 -p1 %patch0004 -p1 %patch0005 -p1 +%patch0006 -p1 %ifarch loongarch64 cd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84 
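Review bot: secureOpen, added at the end of the embedded userns.go hunk, opens the securejoin-resolved path with `flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY`, but a descriptor opened with O_PATH only supports path-level operations (fstat, openat, fchdir), so the read(2) issued by `libcontainerUser.ParsePasswd(passwd)` and `libcontainerUser.ParseGroup(group)` in parseMountedFiles fails with EBADF whenever the container's own /etc/passwd and /etc/group are used. Because parseMountedFiles only proceeds under `if err == nil` and never reports the parse error, the regression is silent: size stays at 0, the same outcome as when the files cannot be opened at all. Dropping O_PATH, `flags := unix.O_CLOEXEC | unix.O_RDONLY`, keeps the securejoin-resolved path and restores readability, and the two swallowed parse errors deserve at least a `logrus.Debugf("parsing %s: %v", ...)`-style message since logrus is already imported in that file. Separately, the embedded patch carries `Subject: [PATCH] test`, which gives no hint of the four CVE fixes it bundles; a subject naming them would keep the vendored bump traceable.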
@@ -306,6 +308,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/ %{_bindir}/%{name}sh %changelog +* Fri Jan 10 2025 duyiwei - 1:4.9.4-11 +- Type:bugfix +- CVE:CVE-2024-9676,CVE-2024-9675, CVE-2024-9407,CVE-2024-9341 +- SUG:NA +- DESC: fix CVE-2024-9676,CVE-2024-9675, CVE-2024-9407, and CVE-2024-9341 + * Thu Jan 09 2025 duyiwei - 1:4.9.4-10 - Type:bugfix - CVE:CVE-2024-9355、CVE-2019-9514、CVE-2024-24791、CVE-2022-32189、CVE-2022-41715、CVE-2022-2880、CVE-2022-1962、CVE-2023-45290、CVE-2024-24783、CVE-2024-24785