[release-1.33] Address CVE-2024-9675, bump Buildah to v1.33.10 #5790
Conversation
The `--mount type=cache` argument to the `RUN` instruction in Dockerfiles was using `filepath.Join` on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah's own cache and context directories. Switch to `filepath.SecureJoin` to resolve the issue.

Fixes CVE-2024-9675
https://issues.redhat.com/browse/RHEL-61842

Signed-off-by: Matt Heon <[email protected]>
(cherry picked from commit 873bedd)
Signed-off-by: tomsweeneyredhat <[email protected]>
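To illustrate the defect described in the commit message, here is an added example (not Buildah's code and not part of this PR): `unsafeJoin` mirrors the pre-fix `filepath.Join` behaviour, and `containedJoin` is a standard-library lexical containment check used as a stand-in for `filepath.SecureJoin`; the cache directory and mount sources below are constructed sample values, and the real `SecureJoin` additionally resolves symlinks so the result stays inside the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a user-supplied mount source resolves outside cacheDir.
var ErrEscape = errors.New("mount source escapes the cache directory")

// unsafeJoin reproduces the vulnerable pattern: filepath.Join cleans ".." segments,
// so a crafted source such as "../../etc/passwd" lands on the host filesystem.
func unsafeJoin(cacheDir, userPath string) string {
	return filepath.Join(cacheDir, userPath)
}

// containedJoin joins and then verifies, lexically, that the result is still under
// cacheDir. This is a simplified illustration (an assumption of this example);
// filepath.SecureJoin, used by the actual fix, also follows symlinks safely.
func containedJoin(cacheDir, userPath string) (string, error) {
	root := filepath.Clean(cacheDir)
	joined := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	// Anything that starts with ".." (as a whole segment) climbed above root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return joined, nil
}

func main() {
	const cacheDir = "/var/cache/buildah" // constructed sample root
	for _, src := range []string{"layers/abc", "../../etc/passwd", "/etc/shadow"} {
		fmt.Printf("Join:        %s\n", unsafeJoin(cacheDir, src))
		if p, err := containedJoin(cacheDir, src); err != nil {
			fmt.Printf("contained:   rejected %q: %v\n", src, err)
		} else {
			fmt.Printf("contained:   %s\n", p)
		}
	}
}
```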
Ephemeral COPR build failed. @containers/packit-build please check.
Before tagging should we not bump c/storage with the fix for CVE-2024-9676 here as well? Also CVE-2024-9407 (#5761) doesn't seem to be backported here either.
@Luap99 I assumed (oh, oh), those two were already in here. I'll confirm and add them if not.
CVE-2024-9407: validate that the value for the "bind-propagation" flag when handling "bind" and "cache" mounts in `buildah run` or in RUN instructions is one of the values that we would accept without the "bind-propagation=" prefix.

Signed-off-by: Nalin Dahyabhai <[email protected]>
(cherry picked from commit 732f770)
As the title says. Helps to fix CVE-2024-9675 in RHEL 9.4/8.10

[NO NEW TESTS NEEDED]

Signed-off-by: tomsweeneyredhat <[email protected]>

force-pushed from f842cea to 482d9e4
I have repushed with just the fix for CVE-2024-9047 added. The fix for CVE-2024-9676 requires a backport to c/storage then a vendor here. As it's a Medium and CVE-2024-9675 is a High, I'm moving forward without it for now, but will add it next week.

ignore epel-next and fedora-39 failures. I guess we can also feel free to ignore all fedora failures. Fedora 39 had received v1.37 sometime back so 1.33 failures are not a huge concern.

@lsm5 is there a way to turn them off easily in the branch? I'm assuming some .cirrus.yml hackery?
I can update .packit.yaml. What versions of rhel / centos do we care about here? |
@TomSweeneyRedHat Note none of the packit tasks are enforced anywhere (as in merge protection); we can just merge and ignore them. They break for many different reasons, often not our fault (broken mirrors, etc.); as such we cannot gate on them.
As such
/lgtm
/hold
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, TomSweeneyRedHat The full list of commands accepted by this bot can be found here. The pull request process is described here
/hold cancel
Merged bd85c17 into containers:release-1.33
The `--mount type=cache` argument to the `RUN` instruction in Dockerfiles was using `filepath.Join` on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah's own cache and context directories. Switch to `filepath.SecureJoin` to resolve the issue.

Fixes GHSA-586p-749j-fhwp
https://issues.redhat.com/browse/RHEL-61842