[v4.2.0-rhel] Update buildah for CVE-2024-9675

Addresses: https://issues.redhat.com/browse/RHEL-62376 https://issues.redhat.com/browse/RHEL-62385 [NO NEW TESTS NEEDED] Signed-off-by: David Shea <dshea@redhat.com>
2025-05-20 08:36:23 +08:00 · 2024-10-25 11:18:07 -04:00
parent df142d64d6
commit c1d643e387
7 changed files with 24 additions and 8 deletions
--- a/go.mod
+++ b/go.mod
@ -11,7 +11,7 @@ require (
 	github.com/container-orchestrated-devices/container-device-interface v0.4.0
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1
-	github.com/containers/buildah v1.27.4
+	github.com/containers/buildah v1.27.5
 	github.com/containers/common v0.49.3
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.22.1
--- a/go.sum
+++ b/go.sum
@ -304,8 +304,8 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNGz0C1d3wVYlHE=
 github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
-github.com/containers/buildah v1.27.4 h1:ENGd5pHAqMxn8EZXZ4uiq6rt1BZ7TYhuXrmVQFLHmAc=
-github.com/containers/buildah v1.27.4/go.mod h1:FVZlpAffn7BTMQgGIxsrRXh70595XI7KWdkFRF1oUSU=
+github.com/containers/buildah v1.27.5 h1:aDLI1Iqw8JSWnxixAeoMUIVlCsQ4IdoYm7UP3UXhCW8=
+github.com/containers/buildah v1.27.5/go.mod h1:FVZlpAffn7BTMQgGIxsrRXh70595XI7KWdkFRF1oUSU=
 github.com/containers/common v0.49.3 h1:fPS7rm2s86umFImchQTAeg8LRKRtj6tfIeiW5Xagz74=
 github.com/containers/common v0.49.3/go.mod h1:ueM5hT0itKqCQvVJDs+EtjornAQtrHYxQJzP2gxeGIg=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@ -2,6 +2,10 @@

 # Changelog

+## v1.27.5 (2024-10-24)
+
+    Properly validate cache IDs and sources
+
 ## v1.27.4 (2024-03-26)

    [release-1.27] Bump Bump google.golang.org/protobuf to v1.33.0
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@ -1,3 +1,6 @@
+- Changelog for v1.27.5 (2024-10-24)
+  * Properly validate cache IDs and sources
+
 - Changelog for v1.27.4 (2024-03-26)
  * [release-1.27] Bump Bump google.golang.org/protobuf to v1.33.0
  * [release-1.27] conformance tests: don't break on trailing zeroes
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@ -30,7 +30,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.27.4"
+	Version = "1.27.5"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/internal/parse/parse.go
+++ b/vendor/github.com/containers/buildah/internal/parse/parse.go
@ -18,6 +18,7 @@ import (
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
+	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )

@ -306,7 +307,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 			return newMount, lockedTargets, fmt.Errorf("no stage found with name %s", fromStage)
 		}
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, nil, err
+		}
+		newMount.Source = evaluated
 	} else {
 		// we need to create cache on host if no image is being used

@ -323,9 +328,13 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		}

 		if id != "" {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(id).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
 		} else {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
 		}
 		idPair := idtools.IDPair{
 			UID: uid,
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -103,7 +103,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.1.1
 ## explicit; go 1.17
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.27.4
+# github.com/containers/buildah v1.27.5
 ## explicit; go 1.17
 github.com/containers/buildah
 github.com/containers/buildah/bind