diff --git a/CHANGELOG.md b/CHANGELOG.md index 73792393c16..f2864b8ec18 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,14 @@ # Changelog +## v1.33.10 (2024-10-17) + + [release-1.33] Properly validate cache IDs and sources + vendor: update c/common to v0.57.7 + [release-1.33] Bump to v1.33.9 + [release-1.33] Fixes Listing tags in JFrog Artifactory may fail + Cross-build on Fedora + ## v1.33.9 (2024-07-16) [release-1.33] Fixes Listing tags in JFrog Artifactory may fail diff --git a/changelog.txt b/changelog.txt index 92b67b330f2..b31c0cfbae7 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,10 @@ +- Changelog for v1.33.10 (2024-10-17) + * [release-1.33] Properly validate cache IDs and sources + * vendor: update c/common to v0.57.7 + * [release-1.33] Bump to v1.33.9 + * [release-1.33] Fixes Listing tags in JFrog Artifactory may fail + * Cross-build on Fedora + - Changelog for v1.33.9 (2024-07-16) * [release-1.33] Fixes Listing tags in JFrog Artifactory may fail diff --git a/define/types.go b/define/types.go index 2d4ec5830fc..40e65215ed6 100644 --- a/define/types.go +++ b/define/types.go @@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.33.9" + Version = "1.33.10" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go index fd1ff7f9859..f20b254ef7d 100644 --- a/internal/volumes/volumes.go +++ b/internal/volumes/volumes.go @@ -23,6 +23,7 @@ import ( "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/lockfile" "github.com/containers/storage/pkg/unshare" + digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/runtime-spec/specs-go" selinux "github.com/opencontainers/selinux/go-selinux" ) @@ -101,6 +102,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st if len(kv) == 1 { return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg) } + switch kv[1] { + default: + return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, kv[1]) case "src", "source": if len(kv) == 1 { @@ -276,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a if len(kv) == 1 { return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg) } + switch kv[1] { + default: + return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, kv[1]) case "id": if len(kv) == 1 { @@ -361,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage) } // path should be /contextDir/specified path - newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source)) + evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{}) + if err != nil { + return newMount, nil, err + } + newMount.Source = evaluated } else { // we need to create cache on host if no image is being used @@ -378,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a } if id != "" { - newMount.Source = filepath.Join(cacheParent, filepath.Clean(id)) - buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id)) + // Don't let the user control where we place the directory. + dirID := digest.FromString(id).Encoded()[:16] + newMount.Source = filepath.Join(cacheParent, dirID) + buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) } else { - newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination)) - buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination)) + // Don't let the user control where we place the directory. + dirID := digest.FromString(newMount.Destination).Encoded()[:16] + newMount.Source = filepath.Join(cacheParent, dirID) + buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) } idPair := idtools.IDPair{ UID: uid, diff --git a/tests/bud.bats b/tests/bud.bats index 1941fbb9fe7..bd26fe85f19 100644 --- a/tests/bud.bats +++ b/tests/bud.bats @@ -6558,3 +6558,62 @@ _EOF assert "$status" -eq 2 "exit code from ls" expect_output --substring "No such file or directory" } + +@test "build-check-cve-2024-9675" { + _prefetch alpine + + touch ${TEST_SCRATCH_DIR}/file.txt + + cat > ${TEST_SCRATCH_DIR}/Containerfile < ${TEST_SCRATCH_DIR}/Containerfile < ${TEST_SCRATCH_DIR}/cve20249675/Containerfile < ${TEST_SCRATCH_DIR}/Containerfile << _EOF +FROM alpine as base +FROM alpine +RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd +_EOF + + run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR} + expect_output --substring "invalid mount option" +} + +@test "build-validates-cache-bind-propagation" { + _prefetch alpine + + cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF +FROM alpine +RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd +_EOF + + run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR} + expect_output --substring "invalid mount option" +}