[meta-virtualization][kirkstone][PATCH 1/2] podman: fix CVE-2024-9341

[meta-virtualization][kirkstone][PATCH 1/2] podman: fix CVE-2024-9341

[yurade]

From: Yogita Urade <yogita.urade@windriver.com>

A flaw was found in Go. When FIPS mode is enabled on a system,
container runtimes may incorrectly handle certain file paths due to
improper validation in the containers/common Go library. This flaw
allows an attacker to exploit symbolic links and trick the system
into mounting sensitive host directories inside a container. This
issue also allows attackers to access critical host files, bypassing
the intended isolation between containers and the host system.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9341

Upstream-patch:
https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../podman/podman/CVE-2024-9341.patch         | 50 +++++++++++++++++++
 recipes-containers/podman/podman_git.bb       |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 recipes-containers/podman/podman/CVE-2024-9341.patch

diff --git a/recipes-containers/podman/podman/CVE-2024-9341.patch b/recipes-containers/podman/podman/CVE-2024-9341.patch
new file mode 100644
index 00000000..ddba4e73
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2024-9341.patch
@@ -0,0 +1,50 @@
+From e7db06585c32e1a782c1d9aa3b71ccd708f5e23f Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 27 Sep 2024 14:01:56 +0200
+Subject: [PATCH] pkg/subscriptions: use securejoin for the container path
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+
+CVE: CVE-2024-9341
+Upstream-status: Backport [https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f]
+
+Changes:
+- Used old API errors.Wrapf instead of new fmt.Errorf API and
+  modified code accordingly.
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go    | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 3c0d2b237d..ec42fbe197 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -9,6 +9,7 @@ import (
+
+	"github.com/containers/common/pkg/umask"
+	"github.com/containers/storage/pkg/idtools"
++        securejoin "github.com/cyphar/filepath-securejoin"
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+@@ -342,7 +343,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+
+	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++        if err != nil {
++		return errors.Wrapf(err, "resolve %s in the container", srcBackendDir)
++	}
+	if _, err := os.Stat(srcOnHost); err != nil {
+		if os.IsNotExist(err) {
+			return nil
+--
+2.40.0
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 6d9e4749..3011c38d 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
     file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
     file://CVE-2022-27649.patch;patchdir=src/import \
     file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
+    file://CVE-2024-9341.patch;patchdir=src/import \
     ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
 "
 
-- 
2.40.0

[meta-virtualization][kirkstone][PATCH 2/2] buildah: fix CVE-2024-9341

[yurade]

From: Yogita Urade <yogita.urade@windriver.com>

A flaw was found in Go. When FIPS mode is enabled on a system,
container runtimes may incorrectly handle certain file paths due to
improper validation in the containers/common Go library. This flaw
allows an attacker to exploit symbolic links and trick the system
into mounting sensitive host directories inside a container. This
issue also allows attackers to access critical host files, bypassing
the intended isolation between containers and the host system.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9341

Upstream-patch:
https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 recipes-containers/buildah/buildah_git.bb     |  1 +
 .../buildah/files/CVE-2024-9341.patch         | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 recipes-containers/buildah/files/CVE-2024-9341.patch

diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 10597d8a..9f0d7635 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -28,6 +28,7 @@ GOBUILDFLAGS += "-mod vendor"
 SRC_URI = " \
     git://github.com/containers/buildah;branch=release-1.26;name=buildah;protocol=https \
     file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
+    file://CVE-2024-9341.patch;patchdir=src/github.com/containers/buildah \
     "
 
 DEPENDS = "libdevmapper btrfs-tools gpgme"
diff --git a/recipes-containers/buildah/files/CVE-2024-9341.patch b/recipes-containers/buildah/files/CVE-2024-9341.patch
new file mode 100644
index 00000000..53728d6c
--- /dev/null
+++ b/recipes-containers/buildah/files/CVE-2024-9341.patch
@@ -0,0 +1,46 @@
+From e7db06585c32e1a782c1d9aa3b71ccd708f5e23f Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 27 Sep 2024 14:01:56 +0200
+Subject: [PATCH] pkg/subscriptions: use securejoin for the container path
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+
+CVE: CVE-2024-9341
+Upstream-status: Backport [https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go    | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index ff82b5a39..99d80afeb 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -11,6 +11,7 @@ import (
+
+	"github.com/containers/common/pkg/umask"
+	"github.com/containers/storage/pkg/idtools"
++	securejoin "github.com/cyphar/filepath-securejoin"
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/sirupsen/logrus"
+@@ -342,7 +343,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+
+	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++	if err != nil {
++		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++	}
+	if _, err := os.Stat(srcOnHost); err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil
+--
+2.40.0
-- 
2.40.0

Re: [meta-virtualization][kirkstone][PATCH 1/2] podman: fix CVE-2024-9341

[Bruce Ashfield]

See my comment on the other CVE patch, we need some information
about the versions and package -stable branches.

Bruce


In message: [meta-virtualization][kirkstone][PATCH 1/2] podman: fix CVE-2024-9341
on 17/09/2025 Urade, Yogita via lists.yoctoproject.org wrote:

> From: Yogita Urade <yogita.urade@windriver.com>
> 
> A flaw was found in Go. When FIPS mode is enabled on a system,
> container runtimes may incorrectly handle certain file paths due to
> improper validation in the containers/common Go library. This flaw
> allows an attacker to exploit symbolic links and trick the system
> into mounting sensitive host directories inside a container. This
> issue also allows attackers to access critical host files, bypassing
> the intended isolation between containers and the host system.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-9341
> 
> Upstream-patch:
> https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f
> 
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
>  .../podman/podman/CVE-2024-9341.patch         | 50 +++++++++++++++++++
>  recipes-containers/podman/podman_git.bb       |  1 +
>  2 files changed, 51 insertions(+)
>  create mode 100644 recipes-containers/podman/podman/CVE-2024-9341.patch
> 
> diff --git a/recipes-containers/podman/podman/CVE-2024-9341.patch b/recipes-containers/podman/podman/CVE-2024-9341.patch
> new file mode 100644
> index 00000000..ddba4e73
> --- /dev/null
> +++ b/recipes-containers/podman/podman/CVE-2024-9341.patch
> @@ -0,0 +1,50 @@
> +From e7db06585c32e1a782c1d9aa3b71ccd708f5e23f Mon Sep 17 00:00:00 2001
> +From: Paul Holzinger <pholzing@redhat.com>
> +Date: Fri, 27 Sep 2024 14:01:56 +0200
> +Subject: [PATCH] pkg/subscriptions: use securejoin for the container path
> +
> +If we join a path from the container image we must always use securejoin
> +to prevent us from following a symlink onto the host.
> +
> +Fixes CVE-2024-9341
> +
> +Signed-off-by: Paul Holzinger <pholzing@redhat.com>
> +
> +CVE: CVE-2024-9341
> +Upstream-status: Backport [https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f]
> +
> +Changes:
> +- Used old API errors.Wrapf instead of new fmt.Errorf API and
> +  modified code accordingly.
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + .../containers/common/pkg/subscriptions/subscriptions.go    | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
> +index 3c0d2b237d..ec42fbe197 100644
> +--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
> ++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
> +@@ -9,6 +9,7 @@ import (
> +
> +	"github.com/containers/common/pkg/umask"
> +	"github.com/containers/storage/pkg/idtools"
> ++        securejoin "github.com/cyphar/filepath-securejoin"
> +	rspec "github.com/opencontainers/runtime-spec/specs-go"
> +	"github.com/opencontainers/selinux/go-selinux/label"
> +	"github.com/pkg/errors"
> +@@ -342,7 +343,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
> +
> +	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
> +	destDir := "/etc/crypto-policies/back-ends"
> +-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
> ++	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
> ++        if err != nil {
> ++		return errors.Wrapf(err, "resolve %s in the container", srcBackendDir)
> ++	}
> +	if _, err := os.Stat(srcOnHost); err != nil {
> +		if os.IsNotExist(err) {
> +			return nil
> +--
> +2.40.0
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index 6d9e4749..3011c38d 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -24,6 +24,7 @@ SRC_URI = " \
>      file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
>      file://CVE-2022-27649.patch;patchdir=src/import \
>      file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
> +    file://CVE-2024-9341.patch;patchdir=src/import \
>      ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
>  "
>  
> -- 
> 2.40.0
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9396): https://lists.yoctoproject.org/g/meta-virtualization/message/9396
> Mute This Topic: https://lists.yoctoproject.org/mt/115288578/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>