vendor: update common and buildah

vendor the following dependencies: - https://github.com/containers/common/pull/2375 - https://github.com/containers/buildah/pull/6074 Closes: https://github.com/containers/podman/issues/25634 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-12-02 11:08:36 +08:00 · 2025-03-20 11:57:58 +01:00
parent 94e77af09d
commit 260035d069
49 changed files with 566 additions and 639 deletions
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -557,14 +557,19 @@ func GetCacheMount(sys *types.SystemContext, args []string, store storage.Store,
 			return newMount, "", "", "", nil, fmt.Errorf("unable to create build cache directory: %w", err)
 		}

+		ownerInfo := fmt.Sprintf(":%d:%d", uid, gid)
 		if id != "" {
-			// Don't let the user control where we place the directory.
-			dirID := digest.FromString(id).Encoded()[:16]
+			// Don't let the user try to inject pathname components by directly using
+			// the ID when constructing the cache directory location; distinguish
+			// between caches by ID and ownership
+			dirID := digest.FromString(id + ownerInfo).Encoded()[:16]
 			thisCacheRoot = filepath.Join(cacheParent, dirID)
 			buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
 		} else {
-			// Don't let the user control where we place the directory.
-			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			// Don't let the user try to inject pathname components by directly using
+			// the target path when constructing the cache directory location;
+			// distinguish between caches by mount target location and ownership
+			dirID := digest.FromString(newMount.Destination + ownerInfo).Encoded()[:16]
 			thisCacheRoot = filepath.Join(cacheParent, dirID)
 			buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
 		}