2 files changed, 114 insertions, 0 deletions
diff --git a/recipes-containers/buildah/buildah/CVE-2024-9675.patch b/recipes-containers/buildah/buildah/CVE-2024-9675.patch
new file mode 100644
index 00000000..6a655366
--- /dev/null
+++ b/recipes-containers/buildah/buildah/CVE-2024-9675.patch
@@ -0,0 +1,113 @@
+From cffa820dc8be07efdb7fc4e8e8b9ff44c70aaf93 Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 15:23:03 -0400
+Subject: [PATCH] Properly validate cache IDs and sources
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+Fixes CVE-2024-9675
+CVE: CVE-2024-9675
+Upstream-Status: Backport [https://github.com/containers/buildah/commit/cffa820dc8be07efdb7fc4e8e8b9ff44c70aaf93]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ internal/volumes/volumes.go | 19 ++++++++++++++-----
+ tests/bud.bats              | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 5 deletions(-)
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index c07c67ebe..c6d6e3545 100644
+--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+        "github.com/containers/storage/pkg/idtools"
+        "github.com/containers/storage/pkg/lockfile"
+        "github.com/containers/storage/pkg/unshare"
+       digest "github.com/opencontainers/go-digest"
+        specs "github.com/opencontainers/runtime-spec/specs-go"
+        selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -362,7 +363,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+                        return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+                }
+                // path should be /contextDir/specified path
+-               newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+               evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+               if err != nil {
+                       return newMount, nil, err
+               }
+               newMount.Source = evaluated
+        } else {
+                // we need to create cache on host if no image is being used
+@@ -379,11 +384,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+                }
+                if id != "" {
+-                       newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-                       buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+                       // Don't let the user control where we place the directory.
+                       dirID := digest.FromString(id).Encoded()[:16]
+                       newMount.Source = filepath.Join(cacheParent, dirID)
+                       buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+                } else {
+-                       newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-                       buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+                       // Don't let the user control where we place the directory.
+                       dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+                       newMount.Source = filepath.Join(cacheParent, dirID)
+                       buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+                }
+                idPair := idtools.IDPair{
+                        UID: uid,
+diff --git a/tests/bud.bats b/tests/bud.bats
+index 3a1dbd63a..9e3930f52 100644
+--- a/tests/bud.bats
+++ b/tests/bud.bats
+@@ -6648,3 +6648,37 @@ _EOF
+   assert "$status" -eq 2 "exit code from ls"
+   expect_output --substring "No such file or directory"
+ }
+
+@test "build-check-cve-2024-9675" {
+  _prefetch alpine
+
+  touch ${TEST_SCRATCH_DIR}/file.txt
+
+  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
+FROM alpine
+RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
+ls -l /var/tmp && cat /var/tmp/file.txt
+EOF
+
+  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+
+  cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
+FROM alpine
+RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
+ls -l /var/tmp && cat /var/tmp/file.txt
+EOF
+
+  run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+
+  mkdir ${TEST_SCRATCH_DIR}/cve20249675
+  cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
+FROM alpine
+RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
+ls -l /var/tmp && cat /var/tmp/file.txt
+EOF
+
+  run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
+  expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+}
+--
+2.40.0
diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 288a1cb0..83d861cb 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -34,6 +34,7 @@ SRCREV_storage = "246ba3062e8b551026aef2708eee747014ce5c52"
 SRC_URI = " \
    git://github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https \
    file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
+    file://CVE-2024-9675.patch;patchdir=src/github.com/containers/buildah \
    "
 DEPENDS = "libdevmapper btrfs-tools gpgme"

diff --git a/recipes-containers/buildah/buildah/CVE-2024-9675.patch b/recipes-containers/buildah/buildah/CVE-2024-9675.patch new file mode 100644 index 00000000..6a655366 --- /dev/null +++ b/recipes-containers/buildah/buildah/CVE-2024-9675.patch
@@ -0,0 +1,113 @@
		1	From cffa820dc8be07efdb7fc4e8e8b9ff44c70aaf93 Mon Sep 17 00:00:00 2001
		2	From: Matt Heon <mheon@redhat.com>
		3	Date: Wed, 9 Oct 2024 15:23:03 -0400
		4	Subject: [PATCH] Properly validate cache IDs and sources
		5
		6	The `--mount type=cache` argument to the `RUN` instruction in
		7	Dockerfiles was using `filepath.Join` on user input, allowing
		8	crafted paths to be used to gain access to paths on the host,
		9	when the command should normally be limited only to Buildah;s own
		10	cache and context directories. Switch to `filepath.SecureJoin` to
		11	resolve the issue.
		12
		13	Fixes CVE-2024-9675
		14
		15	CVE: CVE-2024-9675
		16
		17	Upstream-Status: Backport [https://github.com/containers/buildah/commit/cffa820dc8be07efdb7fc4e8e8b9ff44c70aaf93]
		18
		19	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		20	---
		21	internal/volumes/volumes.go \| 19 ++++++++++++++-----
		22	tests/bud.bats \| 34 ++++++++++++++++++++++++++++++++++
		23	2 files changed, 48 insertions(+), 5 deletions(-)
		24
		25	diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
		26	index c07c67ebe..c6d6e3545 100644
		27	--- a/internal/volumes/volumes.go
		28	+++ b/internal/volumes/volumes.go
		29	@@ -23,6 +23,7 @@ import (
		30	"github.com/containers/storage/pkg/idtools"
		31	"github.com/containers/storage/pkg/lockfile"
		32	"github.com/containers/storage/pkg/unshare"
		33	+ digest "github.com/opencontainers/go-digest"
		34	specs "github.com/opencontainers/runtime-spec/specs-go"
		35	selinux "github.com/opencontainers/selinux/go-selinux"
		36	)
		37	@@ -362,7 +363,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
		38	return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
		39	}
		40	// path should be /contextDir/specified path
		41	- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
		42	+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
		43	+ if err != nil {
		44	+ return newMount, nil, err
		45	+ }
		46	+ newMount.Source = evaluated
		47	} else {
		48	// we need to create cache on host if no image is being used
		49
		50	@@ -379,11 +384,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
		51	}
		52
		53	if id != "" {
		54	- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
		55	- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
		56	+ // Don't let the user control where we place the directory.
		57	+ dirID := digest.FromString(id).Encoded()[:16]
		58	+ newMount.Source = filepath.Join(cacheParent, dirID)
		59	+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
		60	} else {
		61	- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
		62	- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
		63	+ // Don't let the user control where we place the directory.
		64	+ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
		65	+ newMount.Source = filepath.Join(cacheParent, dirID)
		66	+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
		67	}
		68	idPair := idtools.IDPair{
		69	UID: uid,
		70	diff --git a/tests/bud.bats b/tests/bud.bats
		71	index 3a1dbd63a..9e3930f52 100644
		72	--- a/tests/bud.bats
		73	+++ b/tests/bud.bats
		74	@@ -6648,3 +6648,37 @@ _EOF
		75	assert "$status" -eq 2 "exit code from ls"
		76	expect_output --substring "No such file or directory"
		77	}
		78	+
		79	+@test "build-check-cve-2024-9675" {
		80	+ _prefetch alpine
		81	+
		82	+ touch ${TEST_SCRATCH_DIR}/file.txt
		83	+
		84	+ cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
		85	+FROM alpine
		86	+RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
		87	+ls -l /var/tmp && cat /var/tmp/file.txt
		88	+EOF
		89	+
		90	+ run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
		91	+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
		92	+
		93	+ cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
		94	+FROM alpine
		95	+RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
		96	+ls -l /var/tmp && cat /var/tmp/file.txt
		97	+EOF
		98	+
		99	+ run_buildah 1 build --no-cache ${TEST_SCRATCH_DIR}
		100	+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
		101	+
		102	+ mkdir ${TEST_SCRATCH_DIR}/cve20249675
		103	+ cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
		104	+FROM alpine
		105	+RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
		106	+ls -l /var/tmp && cat /var/tmp/file.txt
		107	+EOF
		108	+
		109	+ run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
		110	+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
		111	+}
		112	--
		113	2.40.0


diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb index 288a1cb0..83d861cb 100644 --- a/recipes-containers/buildah/buildah_git.bb +++ b/recipes-containers/buildah/buildah_git.bb
@@ -34,6 +34,7 @@ SRCREV_storage = "246ba3062e8b551026aef2708eee747014ce5c52"
34	SRC_URI = " \	34	SRC_URI = " \
35	git://github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https \	35	git://github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https \
36	file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \	36	file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
		37	file://CVE-2024-9675.patch;patchdir=src/github.com/containers/buildah \
37	"	38	"
38		39
39	DEPENDS = "libdevmapper btrfs-tools gpgme"	40	DEPENDS = "libdevmapper btrfs-tools gpgme"