From c1d643e387b25c36f22a6e08c18f79b455d7cc79 Mon Sep 17 00:00:00 2001
From: David Shea
Date: Fri, 25 Oct 2024 11:18:07 -0400
Subject: [PATCH] [v4.2.0-rhel] Update buildah for CVE-2024-9675
Addresses: https://issues.redhat.com/browse/RHEL-62376
https://issues.redhat.com/browse/RHEL-62385
[NO NEW TESTS NEEDED]
Signed-off-by: David Shea
---
 go.mod | 2 +-
 go.sum | 4 ++--
 vendor/github.com/containers/buildah/CHANGELOG.md | 4 ++++
 .../github.com/containers/buildah/changelog.txt | 3 +++
 .../github.com/containers/buildah/define/types.go | 2 +-
 .../containers/buildah/internal/parse/parse.go | 15 ++++++++++++---
 vendor/modules.txt | 2 +-
 7 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/go.mod b/go.mod
index 6c79f064a6..aae3a73447 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/container-orchestrated-devices/container-device-interface v0.4.0
 github.com/containernetworking/cni v1.1.2
 github.com/containernetworking/plugins v1.1.1
- github.com/containers/buildah v1.27.4
+ github.com/containers/buildah v1.27.5
 github.com/containers/common v0.49.3
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/image/v5 v5.22.1
diff --git a/go.sum b/go.sum
index 629380be7a..0960a59113 100644
--- a/go.sum
+++ b/go.sum
@@ -304,8 +304,8 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNGz0C1d3wVYlHE=
 github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
-github.com/containers/buildah v1.27.4 h1:ENGd5pHAqMxn8EZXZ4uiq6rt1BZ7TYhuXrmVQFLHmAc=
-github.com/containers/buildah v1.27.4/go.mod h1:FVZlpAffn7BTMQgGIxsrRXh70595XI7KWdkFRF1oUSU=
+github.com/containers/buildah v1.27.5 h1:aDLI1Iqw8JSWnxixAeoMUIVlCsQ4IdoYm7UP3UXhCW8=
+github.com/containers/buildah v1.27.5/go.mod h1:FVZlpAffn7BTMQgGIxsrRXh70595XI7KWdkFRF1oUSU=
 github.com/containers/common v0.49.3 h1:fPS7rm2s86umFImchQTAeg8LRKRtj6tfIeiW5Xagz74=
 github.com/containers/common v0.49.3/go.mod h1:ueM5hT0itKqCQvVJDs+EtjornAQtrHYxQJzP2gxeGIg=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md
index cdb211f860..da89f0348b 100644
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,10 @@ # Changelog +## v1.27.5 (2024-10-24) + + Properly validate cache IDs and sources + ## v1.27.4 (2024-03-26) [release-1.27] Bump Bump google.golang.org/protobuf to v1.33.0
diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt
index e1d51fe254..2701a67274 100644
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,6 @@
+- Changelog for v1.27.5 (2024-10-24)
+ * Properly validate cache IDs and sources
+
 - Changelog for v1.27.4 (2024-03-26)
 * [release-1.27] Bump Bump google.golang.org/protobuf to v1.33.0
 * [release-1.27] conformance tests: don't break on trailing zeroes
diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go
index ce14d006c6..04662f546d 100644
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -30,7 +30,7 @@ const (
 Package = "buildah"
 // Version for the Package. Bump version in contrib/rpm/buildah.spec
 // too.
- Version = "1.27.4"
+ Version = "1.27.5"
 // DefaultRuntime if containers.conf fails.
 DefaultRuntime = "runc"
diff --git a/vendor/github.com/containers/buildah/internal/parse/parse.go b/vendor/github.com/containers/buildah/internal/parse/parse.go
index a6bba1319e..f699a72ea0 100644
--- a/vendor/github.com/containers/buildah/internal/parse/parse.go
+++ b/vendor/github.com/containers/buildah/internal/parse/parse.go
@@ -18,6 +18,7 @@ import (
 "github.com/containers/storage"
 "github.com/containers/storage/pkg/idtools"
 "github.com/containers/storage/pkg/lockfile"
+ digest "github.com/opencontainers/go-digest"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -306,7 +307,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 return newMount, lockedTargets, fmt.Errorf("no stage found with name %s", fromStage)
 }
 // path should be /contextDir/specified path
- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+ if err != nil {
+ return newMount, nil, err
+ }
+ newMount.Source = evaluated
 } else {
 // we need to create cache on host if no image is being used
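Review bot: The new error return after copier.Eval hands back `nil` for lockedTargets while the error return two lines above it in the same hunk returns `lockedTargets`; GetCacheMount starts and ends outside this hunk, so whether any lock can already be held at this point is not visible here, and the consistent form `return newMount, lockedTargets, err` avoids dropping one if it is. The Eval error is also returned unwrapped, so a caller cannot tell which stage or source path failed; `return newMount, lockedTargets, fmt.Errorf("evaluating cache source %q in stage %q: %w", newMount.Source, fromStage, err)` keeps that context with names already used in the hunk. The surviving comment `// path should be /contextDir/specified path` no longer says why Join/Clean was replaced; a line such as `// Eval resolves symlinks inside the stage root, so a source under it cannot point outside mountPoint` would record the intent of the change, which as I read copier.Eval is the point of the fix named in the subject.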
@@ -323,9 +328,13 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 }
 if id != "" {
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+ // Don't let the user control where we place the directory.
+ dirID := digest.FromString(id).Encoded()[:16]
+ newMount.Source = filepath.Join(cacheParent, dirID)
 } else {
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+ // Don't let the user control where we place the directory.
+ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+ newMount.Source = filepath.Join(cacheParent, dirID)
 }
 idPair := idtools.IDPair{
 UID: uid,
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 46b90019f9..cab8c7fbc1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -103,7 +103,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.1.1
 ## explicit; go 1.17
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.27.4
+# github.com/containers/buildah v1.27.5
 ## explicit; go 1.17
 github.com/containers/buildah
 github.com/containers/buildah/bind
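Review bot: The two branches of `if id != ""` now differ only in the string that is hashed, so the digest, the `[:16]` truncation and the Join are written twice and can drift apart; picking the key first and hashing once keeps the single place that decides the directory name (fence below). The repeated comment `// Don't let the user control where we place the directory.` does not explain `[:16]`: digest.FromString is SHA-256 in go-digest, so the name is the first 16 hex characters (64 bits) of the hash of the raw id or destination, which is worth stating, together with the consequence that values differing only in normalization (a trailing slash, a `./` prefix) now get separate cache directories where Clean used to fold them. Directories created under cacheParent by the old `filepath.Clean(id)` naming are no longer addressed by this code, so I would expect existing caches not to be reused after the upgrade; if that is intended, one sentence here would save the next reader the question. GetCacheMount continues on both sides of this hunk.
```go
		// Don't let the user control where we place the directory: the name
		// is the first 16 hex characters of the SHA-256 of the id, or of the
		// destination when no id was given, never a user-supplied path.
		key := id
		if key == "" {
			key = newMount.Destination
		}
		dirID := digest.FromString(key).Encoded()[:16]
		newMount.Source = filepath.Join(cacheParent, dirID)
		// … unchanged: idPair construction …
```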