From 683c1fc3ca2c8a2a0b60a3b6cdd0b160e560970c Mon Sep 17 00:00:00 2001
From: Jianmin
Date: Wed, 25 Dec 2024 11:38:29 +0800
Subject: [PATCH] fix CVE-2024-1753 and CVE-2022-2990

(cherry picked from commit 0b266a05625d1dd9555fb24e45403c0cdcae7f21)
---
 0004-CVE-2024-1753.patch | 70 +++++++++++++++++++++++++++++++
 0005-CVE-2022-2990.patch | 89 ++++++++++++++++++++++++++++++++++++++++
 buildah.spec | 7 +++-
 3 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 0004-CVE-2024-1753.patch
 create mode 100644 0005-CVE-2022-2990.patch

diff --git a/0004-CVE-2024-1753.patch b/0004-CVE-2024-1753.patch
new file mode 100644
index 0000000..1d36ee6
--- /dev/null
+++ b/0004-CVE-2024-1753.patch
@@ -0,0 +1,70 @@
+From 8c261ed7492513d90a22448ef58981b4175f67d2 Mon Sep 17 00:00:00 2001
+From: tomsweeneyredhat
+Date: Mon, 18 Mar 2024 10:47:43 -0400
+Subject: [PATCH] [release-1.26] CVE-2024-1753 container escape fix
+
+Addresses CVE-2024-1753 which allowed a user to write files to the
+`/` directory of the host machine if selinux was not enabled.
+
+Signed-off-by: tomsweeneyredhat
+---
+ internal/parse/parse.go | 7 ++++++-
+ tests/bud.bats | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/internal/parse/parse.go b/internal/parse/parse.go
+index 1c736cdf11f..6610de0c91e 100644
+--- a/internal/parse/parse.go
++++ b/internal/parse/parse.go
+@@ -8,6 +8,7 @@ import (
+ "strconv"
+ "strings"
+ 
++ "github.com/containers/buildah/copier"
+ "github.com/containers/buildah/internal"
+ internalUtil "github.com/containers/buildah/internal/util"
+ "github.com/containers/common/pkg/parse"
+@@ -151,7 +152,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ // buildkit parity: support absolute path for sources from current build context
+ if contextDir != "" {
+ // path should be /contextDir/specified path
+- newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, "", err
++ }
++ newMount.Source = evaluated
+ } else {
+ // looks like its coming from `build run --mount=type=bind` allow using absolute path
+ // error out if no source is set
+diff --git a/tests/bud.bats b/tests/bud.bats
+index e4b16b1ac0d..c016e451137 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -4598,3 +4598,26 @@ _EOF
+ echo checking:
+ ! grep 'not fully killed' ${TEST_SCRATCH_DIR}/log
+ }
++
++@test "build no write file on host - CVE-2024-1753" {
++ _prefetch alpine
++ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
++FROM alpine as base
++
++RUN ln -s / /rootdir
++
++FROM alpine
++
++RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host"
++RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit
++
++_EOF
++
++ run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
++ expect_output --substring "/BIND_BREAKOUT"
++
++ run ls /BIND_BREAKOUT
++ rm -f /BIND_BREAKOUT
++ assert "$status" -eq 2 "exit code from ls"
++ expect_output --substring "No such file or directory"
++}
diff --git a/0005-CVE-2022-2990.patch b/0005-CVE-2022-2990.patch
new file mode 100644
index 0000000..b8bcb95
--- /dev/null
+++ b/0005-CVE-2022-2990.patch
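Review bot: In the `@@ -151,7 +152,11 @@` hunk of `internal/parse/parse.go` inside this patch, the new error path hands back the `copier.Eval` error unchanged, so a build that fails there reports only what copier says and not which `--mount` source was being resolved against the build context. If `fmt` is already in parse.go's import block (its first lines are outside the hunk, so I cannot tell from here), `return newMount, "", fmt.Errorf("evaluating bind mount source %q against the build context: %w", newMount.Source, err)` would keep that context for the user. `GetBindMount` starts and ends outside the hunk. Since this file is a verbatim cherry-pick of upstream commit 8c261ed, such a change belongs upstream rather than in the distro patch, so this is a style note only.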
@@ -0,0 +1,89 @@
+From a9c5cbc1e66e6ac8e5fc6749755c1b40690ffc23 Mon Sep 17 00:00:00 2001
+From: Jianmin
+Date: Wed, 25 Dec 2024 12:49:25 +0800
+Subject: [PATCH] [backport][PATCH] run: add container gid to additional groups
+
+---
+ run_linux.go | 1 +
+ tests/bud.bats | 16 ++++++++++++++++
+ tests/bud/supplemental-groups/Dockerfile | 3 +++
+ tests/run.bats | 14 ++++++++++++++
+ 4 files changed, 34 insertions(+)
+ create mode 100644 tests/bud/supplemental-groups/Dockerfile
+
+diff --git a/run_linux.go b/run_linux.go
+index f52754c..7a61a9a 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -2063,6 +2063,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
+ }
+ g.SetProcessUID(user.UID)
+ g.SetProcessGID(user.GID)
++ g.AddProcessAdditionalGid(user.GID)
+ for _, gid := range user.AdditionalGids {
+ g.AddProcessAdditionalGid(gid)
+ }
+diff --git a/tests/bud.bats b/tests/bud.bats
+index f43a4a9..8d2ca2c 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -601,6 +601,22 @@ _EOF
+ expect_output "[]"
+ }
+ 
++@test "build test has gid in supplemental groups" {
++ _prefetch alpine
++ run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
++ # gid 1000 must be in supplemental groups
++ expect_output --substring "Groups: 1000"
++}
++
++@test "build test if supplemental groups has gid with --isolation chroot" {
++ test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
++
++ _prefetch alpine
++ run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
++ # gid 1000 must be in supplemental groups
++ expect_output --substring "Groups: 1000"
++}
++
+ @test "build with custom build output and output rootfs to directory" {
+ _prefetch alpine
+ mytmpdir=${TEST_SCRATCH_DIR}/my-dir
+diff --git a/tests/bud/supplemental-groups/Dockerfile b/tests/bud/supplemental-groups/Dockerfile
+new file mode 100644
+index 0000000..462d9ea
+--- /dev/null
++++ b/tests/bud/supplemental-groups/Dockerfile
+@@ -0,0 +1,3 @@
++FROM alpine
++USER 1000:1000
++RUN cat /proc/$$/status
+diff --git a/tests/run.bats b/tests/run.bats
+index 6574337..6a7cadf 100644
+--- a/tests/run.bats
++++ b/tests/run.bats
+@@ -349,6 +349,20 @@ function configure_and_check_user() {
+ expect_output "888:888"
+ }
+ 
++@test "run --user and verify gid in supplemental groups" {
++ skip_if_no_runtime
++
++ # Create the container.
++ _prefetch alpine
++ run_buildah from $WITH_POLICY_JSON alpine
++ ctr="$output"
++
++ # Run with uid:gid 1000:1000 and verify if gid is present in additional groups
++ run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status
++ # gid 1000 must be in additional/supplemental groups
++ expect_output --substring "Groups: 1000 "
++}
++
+ @test "run --workingdir" {
+ skip_if_no_runtime
+ 
+--
+2.39.5 (Apple Git-154)
+
diff --git a/buildah.spec b/buildah.spec
index 515d36b..773a262 100644
--- a/buildah.spec
+++ b/buildah.spec
@@ -25,7 +25,7 @@ Name: buildah
 Version: 1.26.1
-Release: 3
+Release: 4
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0 and BSD and MIT and MPLv2.0
 URL: https://%{name}.io
@@ -34,6 +34,8 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Patch1: 0001-CVE-2023-39325.patch
 Patch2: 0002-CVE-2023-48795.patch
 Patch3: 0003-CVE-2022-41723.patch
+Patch4: 0004-CVE-2024-1753.patch
+Patch5: 0005-CVE-2022-2990.patch
 BuildRequires: device-mapper-devel git-core golang >= 1.17.3-33 glib2-devel glibc-static gpgme-devel libassuan-devel
 BuildRequires: make ostree-devel btrfs-progs-devel libseccomp-static
 Requires: containers-common netavark iptables nftables libseccomp >= 2.4.1-0
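Review bot: The header of `0005-CVE-2022-2990.patch` names only the backporter (`From: Jianmin`), has an empty body between `Subject:` and `---`, and carries no `Signed-off-by` or upstream commit reference, unlike `0004-CVE-2024-1753.patch`, so an auditor cannot tell which upstream change the one-line `g.AddProcessAdditionalGid(user.GID)` in `configureUIDGID` was taken from or whether it was carried over in full. Adding `(cherry picked from commit <UPSTREAM_COMMIT_ID>)` together with the original author and sign-off to the patch body would restore that traceability for a CVE fix. `configureUIDGID` starts and ends outside the hunk; the new bats tests look consistent with the change, which adds the primary GID to the additional GIDs ahead of the `user.AdditionalGids` loop.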
@@ -139,6 +141,9 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
+* Wed Dec 25 2024 Jianmin - 1.26.1-4
+- fix CVE-2024-1753 and CVE-2022-2990
+
 * Mon Dec 23 2024 Jianmin - 1.26.1-3
 - fix CVE-2023-39325, CVE-2022-41723 and CVE-2023-48795