[v4.4.1-rhel] Update buildah for CVE-2024-9675

Addresses: https://issues.redhat.com/browse/RHEL-62386 https://issues.redhat.com/browse/RHEL-62377 [NO NEW TESTS NEEDED] Signed-off-by: David Shea <dshea@redhat.com>
2025-10-17 11:14:40 +08:00 · 2024-10-18 13:37:25 -04:00
parent 55fc954493
commit 638400242d
7 changed files with 26 additions and 10 deletions
--- a/go.mod
+++ b/go.mod
@ -11,7 +11,7 @@ require (
 	github.com/container-orchestrated-devices/container-device-interface v0.5.3
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.2.0
-	github.com/containers/buildah v1.29.3
+	github.com/containers/buildah v1.29.4
 	github.com/containers/common v0.51.4
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.24.3
--- a/go.sum
+++ b/go.sum
@ -270,8 +270,8 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.2.0 h1:SWgg3dQG1yzUo4d9iD8cwSVh1VqI+bP7mkPDoSfP9VU=
 github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4=
-github.com/containers/buildah v1.29.3 h1:OMHme3lsXULrGzWGsU2i/UzXgcCuwNTJmnNja0VRdrM=
-github.com/containers/buildah v1.29.3/go.mod h1:VSGsuTRlvCEHjRGki6drxhEagZ7HzEJJBGIsHg5AHVM=
+github.com/containers/buildah v1.29.4 h1:CwiCt110+vj2cSBzACLD2PKsCLryJoW+REUivFVoOwY=
+github.com/containers/buildah v1.29.4/go.mod h1:VSGsuTRlvCEHjRGki6drxhEagZ7HzEJJBGIsHg5AHVM=
 github.com/containers/common v0.51.4 h1:1m3D9lPYgY7sS4Xod962rCEZTsOlR2nuAbYFhzopME4=
 github.com/containers/common v0.51.4/go.mod h1:CVSTmQWOs6IbjOZW7ik+7QggrOR3gzKc6gqYfRipl1c=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@ -2,6 +2,10 @@

 # Changelog

+## v1.29.4 (2024-10-17)
+
+    Properly validate cache IDs and sources
+
 ## v1.29.3 (2024-03-26)

    [release-1.29] Bump google.golang.org/protobuf to v1.33.0
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@ -1,3 +1,6 @@
+- Changelog for v1.29.4 (2024-10-17)
+  * Properly validate cache IDs and sources
+
 - Changelog for v1.29.3 (2024-03-26)
  * [release-1.29] Bump google.golang.org/protobuf to v1.33.0
  * [release-1.29] conformance tests: don't break on trailing zeroes
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@ -30,7 +30,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.29.3"
+	Version = "1.29.4"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/internal/parse/parse.go
+++ b/vendor/github.com/containers/buildah/internal/parse/parse.go
@ -21,6 +21,7 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/containers/storage/pkg/unshare"
+	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 )
@ -343,7 +344,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
 		}
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, nil, err
+		}
+		newMount.Source = evaluated
 	} else {
 		// we need to create cache on host if no image is being used

@ -360,11 +365,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		}

 		if id != "" {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(id).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
 		} else {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
 		}
 		idPair := idtools.IDPair{
 			UID: uid,
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -106,7 +106,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.2.0
 ## explicit; go 1.17
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.29.3
+# github.com/containers/buildah v1.29.4
 ## explicit; go 1.17
 github.com/containers/buildah
 github.com/containers/buildah/bind