!22 [sync] PR-17: fix CVE-2024-1753 and CVE-2022-2990

From: @openeuler-sync-bot Reviewed-by: @jianminw Signed-off-by: @jianminw
2025-01-14 01:56:56 +00:00 · 2025-01-14 01:56:56 +00:00 · 76308f86b9
commit 76308f86b9
parent 0f25c71cd5 683c1fc3ca
3 changed files with 165 additions and 1 deletions
--- a/0004-CVE-2024-1753.patch
+++ b/0004-CVE-2024-1753.patch
@ -0,0 +1,70 @@
+From 8c261ed7492513d90a22448ef58981b4175f67d2 Mon Sep 17 00:00:00 2001
+From: tomsweeneyredhat <tsweeney@redhat.com>
+Date: Mon, 18 Mar 2024 10:47:43 -0400
+Subject: [PATCH] [release-1.26] CVE-2024-1753 container escape fix
+
+Addresses CVE-2024-1753 which allowed a user to write files to the
+`/` directory of the host machine if selinux was not enabled.
+
+Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
+---
+ internal/parse/parse.go |  7 ++++++-
+ tests/bud.bats          | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/internal/parse/parse.go b/internal/parse/parse.go
+index 1c736cdf11f..6610de0c91e 100644
+--- a/internal/parse/parse.go
+++ b/internal/parse/parse.go
+@@ -8,6 +8,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 
+        "github.com/containers/buildah/copier"
+ 	"github.com/containers/buildah/internal"
+ 	internalUtil "github.com/containers/buildah/internal/util"
+ 	"github.com/containers/common/pkg/parse"
+@@ -151,7 +152,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 	// buildkit parity: support absolute path for sources from current build context
+ 	if contextDir != "" {
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+                evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+                if err != nil {
+                    return newMount, "", err
+                }
+                newMount.Source = evaluated
+ 	} else {
+ 		// looks like its coming from `build run --mount=type=bind` allow using absolute path
+ 		// error out if no source is set
+diff --git a/tests/bud.bats b/tests/bud.bats
+index e4b16b1ac0d..c016e451137 100644
+--- a/tests/bud.bats
+++ b/tests/bud.bats
+@@ -4598,3 +4598,26 @@ _EOF
+   echo checking:
+   ! grep 'not fully killed' ${TEST_SCRATCH_DIR}/log
+ }
+
+@test "build no write file on host - CVE-2024-1753" {
+  _prefetch alpine
+  cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine as base
+
+RUN ln -s / /rootdir
+
+FROM alpine
+
+RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host"
+RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit
+
+_EOF
+
+  run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+  expect_output --substring "/BIND_BREAKOUT"
+
+  run ls /BIND_BREAKOUT
+  rm -f /BIND_BREAKOUT
+  assert "$status" -eq 2 "exit code from ls"
+  expect_output --substring "No such file or directory"
+}
--- a/0005-CVE-2022-2990.patch
+++ b/0005-CVE-2022-2990.patch
@ -0,0 +1,89 @@
+From a9c5cbc1e66e6ac8e5fc6749755c1b40690ffc23 Mon Sep 17 00:00:00 2001
+From: Jianmin <jianmin@iscas.ac.cn>
+Date: Wed, 25 Dec 2024 12:49:25 +0800
+Subject: [PATCH] [backport][PATCH] run: add container gid to additional groups
+
+---
+ run_linux.go                             |  1 +
+ tests/bud.bats                           | 16 ++++++++++++++++
+ tests/bud/supplemental-groups/Dockerfile |  3 +++
+ tests/run.bats                           | 14 ++++++++++++++
+ 4 files changed, 34 insertions(+)
+ create mode 100644 tests/bud/supplemental-groups/Dockerfile
+
+diff --git a/run_linux.go b/run_linux.go
+index f52754c..7a61a9a 100644
+--- a/run_linux.go
+++ b/run_linux.go
+@@ -2063,6 +2063,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
+ 	}
+ 	g.SetProcessUID(user.UID)
+ 	g.SetProcessGID(user.GID)
+	g.AddProcessAdditionalGid(user.GID)
+ 	for _, gid := range user.AdditionalGids {
+ 		g.AddProcessAdditionalGid(gid)
+ 	}
+diff --git a/tests/bud.bats b/tests/bud.bats
+index f43a4a9..8d2ca2c 100644
+--- a/tests/bud.bats
+++ b/tests/bud.bats
+@@ -601,6 +601,22 @@ _EOF
+   expect_output "[]"
+ }
+ 
+@test "build test has gid in supplemental groups" {
+  _prefetch alpine
+  run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
+  # gid 1000 must be in supplemental groups
+  expect_output --substring "Groups:	1000"
+}
+
+@test "build test if supplemental groups has gid with --isolation chroot" {
+  test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
+
+  _prefetch alpine
+  run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
+  # gid 1000 must be in supplemental groups
+  expect_output --substring "Groups:	1000"
+}
+
+ @test "build with custom build output and output rootfs to directory" {
+   _prefetch alpine
+   mytmpdir=${TEST_SCRATCH_DIR}/my-dir
+diff --git a/tests/bud/supplemental-groups/Dockerfile b/tests/bud/supplemental-groups/Dockerfile
+new file mode 100644
+index 0000000..462d9ea
+--- /dev/null
+++ b/tests/bud/supplemental-groups/Dockerfile
+@@ -0,0 +1,3 @@
+FROM alpine
+USER 1000:1000
+RUN cat /proc/$$/status
+diff --git a/tests/run.bats b/tests/run.bats
+index 6574337..6a7cadf 100644
+--- a/tests/run.bats
+++ b/tests/run.bats
+@@ -349,6 +349,20 @@ function configure_and_check_user() {
+   expect_output "888:888"
+ }
+ 
+@test "run --user and verify gid in supplemental groups" {
+  skip_if_no_runtime
+
+  # Create the container.
+  _prefetch alpine
+  run_buildah from $WITH_POLICY_JSON alpine
+  ctr="$output"
+
+  # Run with uid:gid 1000:1000 and verify if gid is present in additional groups
+  run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status
+  # gid 1000 must be in additional/supplemental groups
+  expect_output --substring "Groups:	1000 "
+}
+
+ @test "run --workingdir" {
+ 	skip_if_no_runtime
+ 
+-- 
+2.39.5 (Apple Git-154)
+
--- a/buildah.spec
+++ b/buildah.spec
@ -25,7 +25,7 @@

 Name:           buildah
 Version:        1.26.1
-Release:        3
+Release:        4
 Summary:        A command line tool used for creating OCI Images
 License:        ASL 2.0 and BSD and MIT and MPLv2.0
 URL:            https://%{name}.io
@ -34,6 +34,8 @@ Source1:        https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Patch1:         0001-CVE-2023-39325.patch
 Patch2:         0002-CVE-2023-48795.patch
 Patch3:         0003-CVE-2022-41723.patch
+Patch4:         0004-CVE-2024-1753.patch
+Patch5:         0005-CVE-2022-2990.patch
 BuildRequires:  device-mapper-devel git-core golang >= 1.17.3-33 glib2-devel glibc-static gpgme-devel libassuan-devel
 BuildRequires:  make ostree-devel btrfs-progs-devel libseccomp-static
 Requires:       containers-common netavark iptables nftables libseccomp >= 2.4.1-0
@ -139,6 +141,9 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/bash-completion/completions/%{name}

 %changelog
+* Wed Dec 25 2024 Jianmin <jianmin@iscas.ac.cn> - 1.26.1-4
+- fix CVE-2024-1753 and CVE-2022-2990
+
 * Mon Dec 23 2024 Jianmin <jianmin@iscas.ac.cn> - 1.26.1-3
 - fix CVE-2023-39325, CVE-2022-41723 and CVE-2023-48795