From 1569c209829530b1f42e8c2fce851de8003ab3fe Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Tue, 10 Jun 2025 14:16:46 +0200
Subject: [PATCH] machine init: fix tls check
Ensure we verify the TLS connection when pulling the OCI image.
Fixes: CVE-2025-6032
Signed-off-by: Paul Holzinger
(cherry picked from commit 726b506acc8a00d99f1a3a1357ecf619a1f798c3)
Signed-off-by: Paul Holzinger
---
 pkg/machine/ocipull/ociartifact.go | 2 +-
 pkg/machine/ocipull/pull.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
index 9dc81c43fb..4f5d3f36b1 100644
--- a/pkg/machine/ocipull/ociartifact.go
+++ b/pkg/machine/ocipull/ociartifact.go
@@ -224,7 +224,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
 }
 fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
 sysCtx := &types.SystemContext{
- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
+ DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
 }
 imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
 if err != nil {
diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
index 0822578e8a..85cf5c18ec 100644
--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
@@ -21,8 +21,8 @@ import (
 // PullOptions includes data to alter certain knobs when pulling a source
 // image.
 type PullOptions struct {
- // Require HTTPS and verify certificates when accessing the registry.
- TLSVerify bool
+ // Skip TLS verification when accessing the registry.
+ SkipTLSVerify types.OptionalBool
 // [username[:password] to use when connecting to the registry.
 Credentials string
 // Quiet the progress bars when pushing.
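Review bot: The new `DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify` line only guarantees verification when the caller explicitly sets OptionalFalse; a caller that never touches the field passes types.OptionalUndefined, which, as far as I recall of containers/image, is resolved against the registry's `insecure` setting in registries.conf rather than hard-forcing verification, so the commit message's "ensure we verify" holds only for registries not marked insecure there. That is the right default for a container tool, but the old bug was precisely a zero value silently meaning "skip", so the behaviour of the zero value deserves a comment at this site, e.g. `// Zero value (OptionalUndefined) defers to registries.conf; only an explicit OptionalTrue disables verification.` The diffstat shows no test file touched; a regression test that builds a default PullOptions and asserts the resulting SystemContext never carries `types.OptionalTrue` here would pin the CVE fix against future refactors. getDestArtifact starts and ends outside the hunk.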
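Review bot: The new doc comment `// Skip TLS verification when accessing the registry.` leaves out the one thing the CVE was about, namely what the field means when a caller does not set it: with `types.OptionalBool` the zero value is OptionalUndefined, not "verify" and not "skip". I would replace the comment with `// SkipTLSVerify disables TLS certificate verification for the registry. The zero value (types.OptionalUndefined) defers to the containers/image defaults (registries.conf); set OptionalTrue only when the user explicitly asked for it.` and, since the exported field name no longer matches Go's usual doc style, start the sentence with the field name as done above. The struct definition continues past the end of the hunk.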
@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
 }
 sysCtx := &types.SystemContext{
- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+ DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
 }
 if options.Credentials != "" {
 authConf, err := parse.AuthConfig(options.Credentials)
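Review bot: `Pull` now builds the same `types.SystemContext{DockerInsecureSkipTLSVerify: options.SkipTLSVerify}` literal that getDestArtifact builds from its own pullOptions in the other file, which is how the two sites were able to share the inverted-flag bug in the first place and can drift apart again. A single accessor on PullOptions, e.g. `func (o *PullOptions) systemContext() *types.SystemContext { return &types.SystemContext{DockerInsecureSkipTLSVerify: o.SkipTLSVerify} }`, used at both call sites would keep the TLS policy in one place and give one function to unit-test. Pull's body starts and ends outside the hunk, so I cannot tell whether sysCtx is further mutated below the credentials block.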