packages/buildah
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
buildah/0004-CVE-2024-1753.patch
Jianmin 683c1fc3ca fix CVE-2024-1753 and CVE-2022-2990 
(cherry picked from commit 0b266a05625d1dd9555fb24e45403c0cdcae7f21)
2025-01-14 09:48:52 +08:00

71 lines
2.6 KiB
Diff
Raw Blame History

From 8c261ed7492513d90a22448ef58981b4175f67d2 Mon Sep 17 00:00:00 2001
From: tomsweeneyredhat <tsweeney@redhat.com>
Date: Mon, 18 Mar 2024 10:47:43 -0400
Subject: [PATCH] [release-1.26] CVE-2024-1753 container escape fix
Addresses CVE-2024-1753 which allowed a user to write files to the
`/` directory of the host machine if selinux was not enabled.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
---
internal/parse/parse.go | 7 ++++++-
tests/bud.bats | 23 +++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/internal/parse/parse.go b/internal/parse/parse.go
index 1c736cdf11f..6610de0c91e 100644
--- a/internal/parse/parse.go
+++ b/internal/parse/parse.go
@@ -8,6 +8,7 @@ import (
"strconv"
"strings"
+ "github.com/containers/buildah/copier"
"github.com/containers/buildah/internal"
internalUtil "github.com/containers/buildah/internal/util"
"github.com/containers/common/pkg/parse"
@@ -151,7 +152,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
// buildkit parity: support absolute path for sources from current build context
if contextDir != "" {
// path should be /contextDir/specified path
- newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+ evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+ if err != nil {
+ return newMount, "", err
+ }
+ newMount.Source = evaluated
} else {
// looks like its coming from `build run --mount=type=bind` allow using absolute path
// error out if no source is set
diff --git a/tests/bud.bats b/tests/bud.bats
index e4b16b1ac0d..c016e451137 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -4598,3 +4598,26 @@ _EOF
echo checking:
! grep 'not fully killed' ${TEST_SCRATCH_DIR}/log
}
+
+@test "build no write file on host - CVE-2024-1753" {
+ _prefetch alpine
+ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine as base
+
+RUN ln -s / /rootdir
+
+FROM alpine
+
+RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host"
+RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit
+
+_EOF
+
+ run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+ expect_output --substring "/BIND_BREAKOUT"
+
+ run ls /BIND_BREAKOUT
+ rm -f /BIND_BREAKOUT
+ assert "$status" -eq 2 "exit code from ls"
+ expect_output --substring "No such file or directory"
+}
Reference in New Issue View Git Blame Copy Permalink