vendor: update to latest c/common

Includes a fix for CVE-2024-9341

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.5.1
 	github.com/containers/buildah v1.37.0
-	github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad
+	github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.5
 	github.com/containers/image/v5 v5.32.3-0.20240923171149-9e1153a28c46

go.sum

@@ -81,8 +81,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
 github.com/containers/buildah v1.37.0 h1:jvHwu1vIwIqnHyOSg9eef9Apdpry+5oWLrm43gdf8Rk=
 github.com/containers/buildah v1.37.0/go.mod h1:MKd79tkluMf6vtH06SedhBQK5OB7E0pFVIuiTTw3dJk=
-github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad h1:Ida4yFcnk+xGPynWR267zGGUddWTfpAVMSzo6PhjPFQ=
+github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339 h1:VjK9wBKZTbmZqZ0qW2QlbW81xOu8YxXecek5MUSLGKc=
-github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad/go.mod h1:UjxkwBehRqlASg/duCPlXbsc2hu5y+iYwUt+8/N4w+8=
+github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339/go.mod h1:vuBEtzP83Fa7mgk0BJdHF2BDfFRfNayeYyVHRJw8hSM=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.5 h1:bTy4u3DOmmUPwurL6me2rsgfypAFDhyeJleUcQmBR/E=

vendor/github.com/containers/common/libimage/copier.go

@@ -160,8 +160,8 @@ type CopyOptions struct {
 	extendTimeoutSocket string
 }
 
-// copier is an internal helper to conveniently copy images.
+// Copier is a helper to conveniently copy images.
-type copier struct {
+type Copier struct {
 	extendTimeoutSocket string
 	imageCopyOptions    copy.Options
 	retryOptions        retry.Options
@@ -172,6 +172,13 @@ type copier struct {
 	destinationLookup LookupReferenceFunc
 }
 
+// newCopier creates a Copier based on a runtime's system context.
+// Note that fields in options *may* overwrite the counterparts of
+// the specified system context.  Please make sure to call `(*Copier).Close()`.
+func (r *Runtime) newCopier(options *CopyOptions) (*Copier, error) {
+	return NewCopier(options, r.SystemContext())
+}
+
 // storageAllowedPolicyScopes overrides the policy for local storage
 // to ensure that we can read images from it.
 var storageAllowedPolicyScopes = signature.PolicyTransportScopes{
@@ -213,17 +220,14 @@ func getDockerAuthConfig(name, passwd, creds, idToken string) (*types.DockerAuth
 	}
 }
 
-// NewCopier is a simple, exported wrapper for newCopier
+// NewCopier creates a Copier based on a provided system context.
-func NewCopier(options *CopyOptions, sc *types.SystemContext) (*copier, error) {
+// Note that fields in options *may* overwrite the counterparts of
-	return newCopier(options, sc)
+// the specified system context.  Please make sure to call `(*Copier).Close()`.
-}
+func NewCopier(options *CopyOptions, sc *types.SystemContext) (*Copier, error) {
+	c := Copier{extendTimeoutSocket: options.extendTimeoutSocket}
+	sysContextCopy := *sc
+	c.systemContext = &sysContextCopy
 
-// newCopier creates a copier.  Note that fields in options *may* overwrite the
-// counterparts of the specified system context.  Please make sure to call
-// `(*copier).close()`.
-func newCopier(options *CopyOptions, sc *types.SystemContext) (*copier, error) {
-	c := copier{extendTimeoutSocket: options.extendTimeoutSocket}
-	c.systemContext = sc
 	if options.SourceLookupReferenceFunc != nil {
 		c.sourceLookup = options.SourceLookupReferenceFunc
 	}
@@ -337,22 +341,14 @@ func newCopier(options *CopyOptions, sc *types.SystemContext) (*copier, error) {
 	return &c, nil
 }
 
-// newCopier creates a copier.  Note that fields in options *may* overwrite the
-// counterparts of the specified system context.  Please make sure to call
-// `(*copier).close()`.
-func (r *Runtime) newCopier(options *CopyOptions) (*copier, error) {
-	sc := r.systemContextCopy()
-	return newCopier(options, sc)
-}
-
 // Close open resources.
-func (c *copier) Close() error {
+func (c *Copier) Close() error {
 	return c.policyContext.Destroy()
 }
 
 // Copy the source to the destination.  Returns the bytes of the copied
 // manifest which may be used for digest computation.
-func (c *copier) Copy(ctx context.Context, source, destination types.ImageReference) ([]byte, error) {
+func (c *Copier) Copy(ctx context.Context, source, destination types.ImageReference) ([]byte, error) {
 	logrus.Debugf("Copying source image %s to destination image %s", source.StringWithinTransport(), destination.StringWithinTransport())
 
 	// Avoid running out of time when running inside a systemd unit by

vendor/github.com/containers/common/pkg/capabilities/capabilities.go

@@ -9,20 +9,13 @@ import (
 	"errors"
 	"fmt"
 	"slices"
-	"sort"
 	"strings"
 	"sync"
 
-	"github.com/syndtr/gocapability/capability"
+	"github.com/moby/sys/capability"
 )
 
 var (
-	// Used internally and populated during init().
-	capabilityList []string
-
-	// Used internally and populated during init().
-	capsList []capability.Cap
-
 	// ErrUnknownCapability is thrown when an unknown capability is processed.
 	ErrUnknownCapability = errors.New("unknown capability")
 
@@ -35,67 +28,67 @@ var (
 // Useful on the CLI for `--cap-add=all` etc.
 const All = "ALL"
 
-func getCapName(c capability.Cap) string {
+func capName(c capability.Cap) string {
 	return "CAP_" + strings.ToUpper(c.String())
 }
 
-func init() {
+// capStrList returns all capabilities supported by the currently running kernel,
-	last := capability.CAP_LAST_CAP
+// or an error if the list can not be obtained.
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+var capStrList = sync.OnceValues(func() ([]string, error) {
-	if last == capability.Cap(63) {
+	list, err := capability.ListSupported()
-		last = capability.CAP_BLOCK_SUSPEND
+	if err != nil {
+		return nil, err
 	}
-	for _, cap := range capability.List() {
+	caps := make([]string, len(list))
-		if cap > last {
+	for i, c := range list {
-			continue
+		caps[i] = capName(c)
-		}
-		capsList = append(capsList, cap)
-		capabilityList = append(capabilityList, getCapName(cap))
-		sort.Strings(capabilityList)
 	}
+	slices.Sort(caps)
+	return caps, nil
+})
+
+// BoundingSet returns the capabilities in the current bounding set.
+func BoundingSet() ([]string, error) {
+	return boundingSet()
 }
 
-var (
+var boundingSet = sync.OnceValues(func() ([]string, error) {
-	boundingSetOnce sync.Once
-	boundingSetRet  []string
-	boundingSetErr  error
-)
-
-// BoundingSet returns the capabilities in the current bounding set
-func BoundingSet() ([]string, error) {
-	boundingSetOnce.Do(func() {
 	currentCaps, err := capability.NewPid2(0)
 	if err != nil {
-			boundingSetErr = err
+		return nil, err
-			return
 	}
 	err = currentCaps.Load()
 	if err != nil {
-			boundingSetErr = err
+		return nil, err
-			return
+	}
+	list, err := capability.ListSupported()
+	if err != nil {
+		return nil, err
 	}
 	var r []string
-		for _, c := range capsList {
+	for _, c := range list {
 		if !currentCaps.Get(capability.BOUNDING, c) {
 			continue
 		}
-			r = append(r, getCapName(c))
+		r = append(r, capName(c))
 	}
-		boundingSetRet = r
+	slices.Sort(r)
-		sort.Strings(boundingSetRet)
+	return r, nil
-		boundingSetErr = err
+})
-	})
-	return boundingSetRet, boundingSetErr
-}
 
-// AllCapabilities returns all known capabilities.
+// AllCapabilities returns all capabilities supported by the running kernel.
 func AllCapabilities() []string {
-	return capabilityList
+	list, _ := capStrList()
+	return list
 }
 
 // NormalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
 // present).
 func NormalizeCapabilities(caps []string) ([]string, error) {
+	all, err := capStrList()
+	if err != nil {
+		return nil, err
+	}
 	normalized := make([]string, 0, len(caps))
 	for _, c := range caps {
 		c = strings.ToUpper(c)
@@ -106,19 +99,23 @@ func NormalizeCapabilities(caps []string) ([]string, error) {
 		if !strings.HasPrefix(c, "CAP_") {
 			c = "CAP_" + c
 		}
-		if !slices.Contains(capabilityList, c) {
+		if !slices.Contains(all, c) {
 			return nil, fmt.Errorf("%q: %w", c, ErrUnknownCapability)
 		}
 		normalized = append(normalized, c)
 	}
-	sort.Strings(normalized)
+	slices.Sort(normalized)
 	return normalized, nil
 }
 
 // ValidateCapabilities validates if caps only contains valid capabilities.
 func ValidateCapabilities(caps []string) error {
+	all, err := capStrList()
+	if err != nil {
+		return err
+	}
 	for _, c := range caps {
-		if !slices.Contains(capabilityList, c) {
+		if !slices.Contains(all, c) {
 			return fmt.Errorf("%q: %w", c, ErrUnknownCapability)
 		}
 	}
@@ -155,7 +152,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 			return nil, errors.New("adding all caps and removing all caps not allowed")
 		}
 		// "Drop" all capabilities; return what's in capAdd instead
-		sort.Strings(capAdd)
+		slices.Sort(capAdd)
 		return capAdd, nil
 	}
 
@@ -195,6 +192,6 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 		}
 		caps = append(caps, cap)
 	}
-	sort.Strings(caps)
+	slices.Sort(caps)
 	return caps, nil
 }

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -416,6 +416,8 @@ default_sysctls = [
 #List of compression algorithms. If set makes sure that requested compression variant
 #for each platform is added to the manifest list keeping original instance intact in
 #the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
+#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
+#in that case.
 #
 #add_compression = ["gzip", "zstd", "zstd:chunked"]
 
@@ -438,6 +440,8 @@ default_sysctls = [
 # This field is ignored when pushing images to the docker-daemon and
 # docker-archive formats. It is also ignored when the manifest format is set
 # to v2s2.
+# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
+# in that case.
 #
 #compression_format = "gzip"
 

vendor/github.com/containers/common/pkg/config/containers.conf-freebsd

@@ -326,6 +326,8 @@ default_sysctls = [
 
 # The compression format to use when pushing an image.
 # Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
+# in that case.
 #
 #compression_format = "gzip"
 

vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go

@@ -11,6 +11,7 @@ import (
 	"github.com/containers/common/pkg/umask"
 	"github.com/containers/storage/pkg/fileutils"
 	"github.com/containers/storage/pkg/idtools"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
 
 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
 	destDir := "/etc/crypto-policies/back-ends"
-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+	if err != nil {
+		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+	}
 	if err := fileutils.Exists(srcOnHost); err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return nil

vendor/modules.txt

@@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad
+# github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339
 ## explicit; go 1.22.0
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring