Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package buildah for openSUSE:Factory checked in at 2024-10-16 23:45:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/buildah (Old) and /work/SRC/openSUSE:Factory/.buildah.new.19354 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "buildah" Wed Oct 16 23:45:03 2024 rev:93 rq:1208166 version:1.37.4 Changes: -------- --- /work/SRC/openSUSE:Factory/buildah/buildah.changes 2024-10-08 17:25:59.624997623 +0200 +++ /work/SRC/openSUSE:Factory/.buildah.new.19354/buildah.changes 2024-10-16 23:46:08.519453994 +0200 @@ -1,0 +2,6 @@ +Tue Oct 15 06:48:18 UTC 2024 - Danish Prakash <danish.prak...@suse.com> + +- Add patch for CVE-2024-9675 (bsc#1231499): + * 0001-Properly-validate-cache-IDs-and-sources.patch + +------------------------------------------------------------------- New: ---- 0001-Properly-validate-cache-IDs-and-sources.patch BETA DEBUG BEGIN: New:- Add patch for CVE-2024-9675 (bsc#1231499): * 0001-Properly-validate-cache-IDs-and-sources.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ buildah.spec ++++++ --- /var/tmp/diff_new_pack.1FdLTJ/_old 2024-10-16 23:46:10.131521225 +0200 +++ /var/tmp/diff_new_pack.1FdLTJ/_new 2024-10-16 23:46:10.131521225 +0200 @@ -27,6 +27,7 @@ URL: https://%{project} Source0: %{name}-%{version}.tar.xz Source1: %{name}-rpmlintrc +Patch0: 0001-Properly-validate-cache-IDs-and-sources.patch BuildRequires: bash-completion BuildRequires: device-mapper-devel BuildRequires: fdupes ++++++ 0001-Properly-validate-cache-IDs-and-sources.patch ++++++ >From 37d71af79a9c2dbebe56073fa6f4bd7271b1419e Mon Sep 17 00:00:00 2001 From: Matt Heon <mh...@redhat.com> Date: Wed, 9 Oct 2024 15:23:03 -0400 Subject: [PATCH] Properly validate cache IDs and sources The `--mount type=cache` argument to the `RUN` instruction in Dockerfiles was using `filepath.Join` on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah;s own cache and context directories. Switch to `filepath.SecureJoin` to resolve the issue. Fixes CVE-2024-9675 Signed-off-by: Matt Heon <mh...@redhat.com> Signed-off-by: Danish Prakash <cont...@danishpraka.sh> --- internal/volumes/volumes.go | 19 ++++++++++++++----- tests/bud.bats | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 5 deletions(-) diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go index da6b768fdc21..610e9fcf11b2 100644 --- a/internal/volumes/volumes.go +++ b/internal/volumes/volumes.go @@ -23,6 +23,7 @@ import ( "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/lockfile" "github.com/containers/storage/pkg/unshare" + digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/runtime-spec/specs-go" selinux "github.com/opencontainers/selinux/go-selinux" ) @@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage) } // path should be /contextDir/specified path - newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source)) + evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{}) + if err != nil { + return newMount, nil, err + } + newMount.Source = evaluated } else { // we need to create cache on host if no image is being used @@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a } if id != "" { - newMount.Source = filepath.Join(cacheParent, filepath.Clean(id)) - buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id)) + // Don't let the user control where we place the directory. + dirID := digest.FromString(id).Encoded()[:16] + newMount.Source = filepath.Join(cacheParent, dirID) + buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) } else { - newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination)) - buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination)) + // Don't let the user control where we place the directory. + dirID := digest.FromString(newMount.Destination).Encoded()[:16] + newMount.Source = filepath.Join(cacheParent, dirID) + buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) } idPair := idtools.IDPair{ UID: uid, diff --git a/tests/bud.bats b/tests/bud.bats index b1ed89072ce6..79ca91b2b5e6 100644 --- a/tests/bud.bats +++ b/tests/bud.bats @@ -6917,3 +6917,37 @@ _EOF run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR} expect_output --substring "invalid mount option" } + +@test "build-check-cve-2024-9675" { + _prefetch alpine + + touch ${TEST_SCRATCH_DIR}/file.txt + + cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF +FROM alpine +RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \ +ls -l /var/tmp && cat /var/tmp/file.txt +EOF + + run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR} + expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory" + + cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF +FROM alpine +RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \ +ls -l /var/tmp && cat /var/tmp/file.txt +EOF + + run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR} + expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory" + + mkdir ${TEST_SCRATCH_DIR}/cve20249675 + cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF +FROM alpine +RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \ +ls -l /var/tmp && cat /var/tmp/file.txt +EOF + + run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/ + expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory" +} -- 2.46.0
