diff --git a/go.mod b/go.mod
index 12261ae6..daaa62fc 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.21.0
 require (
 	github.com/containers/common v0.60.4
 	github.com/containers/image/v5 v5.32.2
-	github.com/containers/podman/v5 v5.2.4
+	github.com/containers/podman/v5 v5.2.5
 	github.com/go-kit/log v0.2.1
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
@@ -41,13 +41,13 @@ require (
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/containernetworking/cni v1.2.3 // indirect
 	github.com/containernetworking/plugins v1.5.1 // indirect
-	github.com/containers/buildah v1.37.4 // indirect
+	github.com/containers/buildah v1.37.5 // indirect
 	github.com/containers/conmon v2.0.20+incompatible // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/luksy v0.0.0-20240618143119-a8846e21c08c // indirect
 	github.com/containers/ocicrypt v1.2.0 // indirect
 	github.com/containers/psgo v1.9.0 // indirect
-	github.com/containers/storage v1.55.0 // indirect
+	github.com/containers/storage v1.55.1 // indirect
 	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
diff --git a/go.sum b/go.sum
index 6a6e15cf..7f71dd60 100644
--- a/go.sum
+++ b/go.sum
@@ -62,8 +62,8 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F
 github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
 github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ=
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
-github.com/containers/buildah v1.37.4 h1:lobQ4hznT4FbZERelCk5+ZjqtLACPDKl7oD9U5JsZiI=
-github.com/containers/buildah v1.37.4/go.mod h1:e8oMZq+Br2BgJKX99qe1XuTMbeJimpIdXrIg2cvn4Ng=
+github.com/containers/buildah v1.37.5 h1:oJ+cVbtgxB3ZHux4No9rKbWfcd7uoDpk8r7wcbm+Vbo=
+github.com/containers/buildah v1.37.5/go.mod h1:kiNTdC/78ek5XfqX6xUAq5aR8HNVy+CQ4ODjUNbiPJM=
 github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0=
 github.com/containers/common v0.60.4/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
@@ -76,12 +76,12 @@ github.com/containers/luksy v0.0.0-20240618143119-a8846e21c08c h1:gJDiBJYc8JFD46
 github.com/containers/luksy v0.0.0-20240618143119-a8846e21c08c/go.mod h1:Ufusu7xAtl0LSTry0JS6dSxbxR/XJQSEqlhLqTkCaH8=
 github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sirVuPM=
 github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
-github.com/containers/podman/v5 v5.2.4 h1:BqqgugaPpxb+O80TTAv/gN9+TFCEBT35t0jp6u2Wkec=
-github.com/containers/podman/v5 v5.2.4/go.mod h1:/zayx9OsnD9GDQ5RjBu+0bx3OLdmPjcXe4igfLdCeWo=
+github.com/containers/podman/v5 v5.2.5 h1:OqipZ/e34NSJ+JafLiyD1zM5G4404hDbNelSOPAlSes=
+github.com/containers/podman/v5 v5.2.5/go.mod h1:In5i6rJrJ3aYX3dvpllL4vLFi6har7hHVe6RcJYPRR8=
 github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
 github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
-github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
-github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
+github.com/containers/storage v1.55.1 h1:ius7angdTqxO56hmTJnAznyEcUnYeLOV3ybwLozA/h8=
+github.com/containers/storage v1.55.1/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f h1:JOrtw2xFKzlg+cbHpyrpLDmnN1HqhBfnX7WDiW7eG2c=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 h1:OoRAFlvDGCUqDLampLQjk0yeeSGdF9zzst/3G9IkBbc=
diff --git a/vendor/github.com/containers/buildah/.packit.yaml b/vendor/github.com/containers/buildah/.packit.yaml
index b96a1605..ab7681cb 100644
--- a/vendor/github.com/containers/buildah/.packit.yaml
+++ b/vendor/github.com/containers/buildah/.packit.yaml
@@ -102,6 +102,7 @@ jobs:
   # Fedora Koji build
   - job: koji_build
     trigger: commit
+    packages: [buildah-fedora]
     sidetag_group: podman-releases
     # Dependents are not rpm dependencies, but the package whose bodhi update
     # should include this package.
diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md
index b1fbfba5..b2c18089 100644
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 # Changelog
 
+## v1.37.5 (2024-10-17)
+
+    Bump the containers/storage library to v1.55.1
+    Properly validate cache IDs and sources
+    Packit: constrain koji job to fedora package to avoid dupes
+
 ## v1.37.4 (2024-10-07)
 
     Fixed CVE-2024-9407 and CVE-2024-934
diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt
index cfe26ffd..4fe7dbf1 100644
--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,8 @@
+- Changelog for v1.37.5 (2024-10-17)
+  * Bump the containers/storage library to v1.55.1
+  * Properly validate cache IDs and sources
+  * Packit: constrain koji job to fedora package to avoid dupes
+
 - Changelog for v1.37.4 (2024-10-07)
   * Fixed CVE-2024-9407 and CVE-2024-934
 
diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go
index 9e95b4f5..5267d087 100644
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.37.4"
+	Version = "1.37.5"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index da6b768f..610e9fcf 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -23,6 +23,7 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/containers/storage/pkg/unshare"
+	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 )
@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
 		}
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, nil, err
+		}
+		newMount.Source = evaluated
 	} else {
 
 		// we need to create cache on host if no image is being used
@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 		}
 
 		if id != "" {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(id).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
 		} else {
-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
 		}
 		idPair := idtools.IDPair{
 			UID: uid,
diff --git a/vendor/github.com/containers/podman/v5/version/rawversion/version.go b/vendor/github.com/containers/podman/v5/version/rawversion/version.go
index 9634706c..3df0426b 100644
--- a/vendor/github.com/containers/podman/v5/version/rawversion/version.go
+++ b/vendor/github.com/containers/podman/v5/version/rawversion/version.go
@@ -7,4 +7,4 @@ package rawversion
 //
 // NOTE: remember to bump the version at the top of the top-level README.md
 // file when this is bumped.
-const RawVersion = "5.2.4"
+const RawVersion = "5.2.5"
diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
index 50b98761..49a6e33b 100644
--- a/vendor/github.com/containers/storage/.cirrus.yml
+++ b/vendor/github.com/containers/storage/.cirrus.yml
@@ -120,7 +120,7 @@ lint_task:
     env:
         CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
     container:
-        image: golang
+        image: golang:1.21
     modules_cache:
         fingerprint_script: cat go.sum
         folder: $GOPATH/pkg/mod
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
index 094d6ad0..6570a6d0 100644
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@@ -1 +1 @@
-1.55.0
+1.55.1
diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
index 57120731..09919394 100644
--- a/vendor/github.com/containers/storage/userns.go
+++ b/vendor/github.com/containers/storage/userns.go
@@ -1,18 +1,21 @@
+//go:build linux
+
 package storage
 
 import (
 	"fmt"
 	"os"
 	"os/user"
-	"path/filepath"
 	"strconv"
 
 	drivers "github.com/containers/storage/drivers"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/containers/storage/types"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	libcontainerUser "github.com/moby/sys/user"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 // getAdditionalSubIDs looks up the additional IDs configured for
@@ -85,40 +88,59 @@ const nobodyUser = 65534
 // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
 // /etc/group files.
 func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
+	var (
+		passwd *os.File
+		group  *os.File
+		size   int
+		err    error
+	)
 	if passwdFile == "" {
-		passwdFile = filepath.Join(containerMount, "etc/passwd")
-	}
-	if groupFile == "" {
-		groupFile = filepath.Join(groupFile, "etc/group")
+		passwd, err = secureOpen(containerMount, "/etc/passwd")
+	} else {
+		// User-specified override from a volume. Will not be in
+		// container root.
+		passwd, err = os.Open(passwdFile)
 	}
-
-	size := 0
-
-	users, err := libcontainerUser.ParsePasswdFile(passwdFile)
 	if err == nil {
-		for _, u := range users {
-			// Skip the "nobody" user otherwise we end up with 65536
-			// ids with most images
-			if u.Name == "nobody" {
-				continue
-			}
-			if u.Uid > size && u.Uid != nobodyUser {
-				size = u.Uid
-			}
-			if u.Gid > size && u.Gid != nobodyUser {
-				size = u.Gid
+		defer passwd.Close()
+
+		users, err := libcontainerUser.ParsePasswd(passwd)
+		if err == nil {
+			for _, u := range users {
+				// Skip the "nobody" user otherwise we end up with 65536
+				// ids with most images
+				if u.Name == "nobody" || u.Name == "nogroup" {
+					continue
+				}
+				if u.Uid > size && u.Uid != nobodyUser {
+					size = u.Uid + 1
+				}
+				if u.Gid > size && u.Gid != nobodyUser {
+					size = u.Gid + 1
+				}
 			}
 		}
 	}
 
-	groups, err := libcontainerUser.ParseGroupFile(groupFile)
+	if groupFile == "" {
+		group, err = secureOpen(containerMount, "/etc/group")
+	} else {
+		// User-specified override from a volume. Will not be in
+		// container root.
+		group, err = os.Open(groupFile)
+	}
 	if err == nil {
-		for _, g := range groups {
-			if g.Name == "nobody" {
-				continue
-			}
-			if g.Gid > size && g.Gid != nobodyUser {
-				size = g.Gid
+		defer group.Close()
+
+		groups, err := libcontainerUser.ParseGroup(group)
+		if err == nil {
+			for _, g := range groups {
+				if g.Name == "nobody" || g.Name == "nogroup" {
+					continue
+				}
+				if g.Gid > size && g.Gid != nobodyUser {
+					size = g.Gid + 1
+				}
 			}
 		}
 	}
@@ -309,3 +331,14 @@ func getAutoUserNSIDMappings(
 	gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
 	return uidMap, gidMap, nil
 }
+
+// Securely open (read-only) a file in a container mount.
+func secureOpen(containerMount, file string) (*os.File, error) {
+	tmpFile, err := securejoin.OpenInRoot(containerMount, file)
+	if err != nil {
+		return nil, err
+	}
+	defer tmpFile.Close()
+
+	return securejoin.Reopen(tmpFile, unix.O_RDONLY)
+}
diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
new file mode 100644
index 00000000..e37c18fe
--- /dev/null
+++ b/vendor/github.com/containers/storage/userns_unsupported.go
@@ -0,0 +1,14 @@
+//go:build !linux
+
+package storage
+
+import (
+	"errors"
+
+	"github.com/containers/storage/pkg/idtools"
+	"github.com/containers/storage/types"
+)
+
+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
+	return nil, nil, errors.New("user namespaces are not supported on this platform")
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6170dce9..8f148ad2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -113,7 +113,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.5.1
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.37.4
+# github.com/containers/buildah v1.37.5
 ## explicit; go 1.21.0
 github.com/containers/buildah
 github.com/containers/buildah/bind
@@ -297,7 +297,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
 github.com/containers/ocicrypt/utils/keyprovider
-# github.com/containers/podman/v5 v5.2.4
+# github.com/containers/podman/v5 v5.2.5
 ## explicit; go 1.21.0
 github.com/containers/podman/v5/cmd/podman/parse
 github.com/containers/podman/v5/cmd/podman/registry
@@ -393,7 +393,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.55.0
+# github.com/containers/storage v1.55.1
 ## explicit; go 1.21
 github.com/containers/storage
 github.com/containers/storage/drivers