[release-1.26] Properly validate cache IDs and sources #5794
Conversation
c932ac4 to c682674
Changes LGTM. The older variants of Buildah version themselves slightly differently. I'm not sure what's out of whack on this one; I'd try running
c682674 to 03681c1
Forgot to add a new changelog entry to the spec file. Updated.
03681c1 to b0eb0de
The `--mount type=cache` argument to the `RUN` instruction in Dockerfiles was using `filepath.Join` on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah's own cache and context directories. Switch to `filepath.SecureJoin` to resolve the issue.

Fixes CVE-2024-9675

N.B.: The system test was slightly modified from the original fix done by Matt. The older CI environments used by this release successfully block the escape with SELinux.

Signed-off-by: Matt Heon <[email protected]>
Signed-off-by: David Shea <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
b0eb0de to 5fc4804
Signed-off-by: David Shea <[email protected]>
5fc4804 to 60b40b9
@dashea I re-ran two tests that had flakes: "quay: 503 gateway timeout". Quay is notoriously flaky on these older branches. In podman CI too.

Just to summarize the changes since Tom's approval: @cevich disabled selinux on the new test since selinux was preventing access to /var/tmp with or without the code change, and I added a pre-fetch on busybox in

/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dashea, nalind

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
e2feca7 into containers:release-1.26
Backport the changes from #5778 to release-1.26

The `--mount type=cache` argument to the `RUN` instruction in Dockerfiles was using `filepath.Join` on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah's own cache and context directories. Switch to `filepath.SecureJoin` to resolve the issue.

Fixes CVE-2024-9675

What type of PR is this?

What this PR does / why we need it:

How to verify it

Includes the new test from the original change, `build-check-cve-2024-9675`

Which issue(s) this PR fixes:

https://issues.redhat.com/browse/RHEL-62366
https://issues.redhat.com/browse/RHEL-62371

Special notes for your reviewer:

Does this PR introduce a user-facing change?
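To make the defect described in this PR and in the commit message concrete, here is an added Go example that is not part of Buildah or of this change. It shows what `filepath.Join` does with a cache path containing `..` segments (the result is cleaned, so the path walks out of the cache root), and a containment check that rejects any joined path which is not the root or a descendant of it. The check is a lexical stand-in written for this example; it assumes a constructed cache root and does not model the symlink resolution that the real `filepath.SecureJoin` (from the filepath-securejoin library) also performs, which is why the PR switched to that function rather than to a prefix test like this one.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a joined path would leave the cache root.
var ErrEscapesRoot = errors.New("cache path escapes the cache root")

// naiveCachePath mirrors the pre-fix behaviour the PR describes: filepath.Join
// cleans the combined path, so ".." segments supplied by the user walk out of
// root instead of being confined to it.
func naiveCachePath(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// confinedCachePath is an added, lexical containment check (not Buildah code):
// it joins as before, then refuses any result that is not root itself or a
// path below root. Absolute user paths are harmless here because Join treats
// them as relative to root. Symlinks under root are NOT resolved; SecureJoin
// handles that case as well.
func confinedCachePath(root, userPath string) (string, error) {
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, userPath)
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	// Rel yields ".." or "../..." exactly when joined lies outside cleanRoot.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return joined, nil
}

func main() {
	// Constructed cache root and sample mount sources for demonstration only.
	root := "/var/tmp/buildah-cache"
	for _, src := range []string{"go-mod/pkg", "../../../etc/passwd", "a/../..", "/etc/passwd"} {
		fmt.Printf("naive:    %q -> %q\n", src, naiveCachePath(root, src))
		p, err := confinedCachePath(root, src)
		if err != nil {
			fmt.Printf("confined: %q -> rejected (%v)\n", src, err)
			continue
		}
		fmt.Printf("confined: %q -> %q\n", src, p)
	}
}
```

Run it and compare the two columns: the naive join maps `../../../etc/passwd` to `/etc/passwd` on the host, while the confined variant rejects it and the `a/../..` form that lands one level above the root, but accepts ordinary relative names and an absolute path (which Join has already placed under root).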