From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Yogita.Urade@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
Date: Thu, 18 Sep 2025 22:41:07 -0400
Message-ID: <aMzCwxyq0uVpLCz0@gmail.com>
In-Reply-To: <20250916052515.891345-1-yogita.urade@windriver.com>

The same question needs to be answered for all of these CVE
patches (send a v2).

In what release was the fix/commit introduced, and show that
you've checked to see if there's a release branch equivalent
for the version we are patching.

Version bumps (within the -stable branch policy of 3rd digit
or no major updates) are much preferred to patches.

Bruce

In message: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
on 16/09/2025 Urade, Yogita via lists.yoctoproject.org wrote:

> From: Yogita Urade <yogita.urade@windriver.com>
> 
> A vulnerability exists in the bind-propagation option of the
> Dockerfile RUN --mount instruction. The system does not properly
> validate the input passed to this option, allowing users to pass
> arbitrary parameters to the mount instruction. This issue can be
> exploited to mount sensitive directories from the host into a
> container during the build process and, in some cases, modify the
> contents of those mounted files. Even if SELinux is used, this
> vulnerability can bypass its protection by allowing the source
> directory to be relabeled to give the container access to host files.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-9407
> 
> Upstream patch:
> https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e
> 
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
>  .../podman/podman/CVE-2024-9407.patch         | 58 +++++++++++++++++++
>  recipes-containers/podman/podman_git.bb       |  1 +
>  2 files changed, 59 insertions(+)
>  create mode 100644 recipes-containers/podman/podman/CVE-2024-9407.patch
> 
> diff --git a/recipes-containers/podman/podman/CVE-2024-9407.patch b/recipes-containers/podman/podman/CVE-2024-9407.patch
> new file mode 100644
> index 00000000..397cd362
> --- /dev/null
> +++ b/recipes-containers/podman/podman/CVE-2024-9407.patch
> @@ -0,0 +1,58 @@
> +From 2b2c7a89586d0e495b6bc5cc5687bab79162118e Mon Sep 17 00:00:00 2001
> +From: Matt Heon <mheon@redhat.com>
> +Date: Tue, 1 Oct 2024 12:38:45 -0400
> +Subject: [PATCH] Validate the bind-propagation option to `--mount`
> +
> +Similar to github.com/containers/buildah/pull/5761 but not
> +security critical as Podman does not have an expectation that
> +mounts are scoped (the ability to write a --mount option is
> +already the ability to mount arbitrary content into the container
> +so sneaking arbitrary options into the mount doesn't have
> +security implications). Still, bad practice to let users inject
> +anything into the mount command line so let's not do that.
> +
> +Signed-off-by: Matt Heon <mheon@redhat.com>
> +
> +CVE: CVE-2024-9407
> +Upstream-Status: Backport [https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e]
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + pkg/specgenutil/volumes.go  | 6 ++++++
> + test/e2e/run_volume_test.go | 4 ++++
> + 2 files changed, 10 insertions(+)
> +
> +diff --git a/pkg/specgenutil/volumes.go b/pkg/specgenutil/volumes.go
> +index c481867163..5618b2d342 100644
> +--- a/pkg/specgenutil/volumes.go
> ++++ b/pkg/specgenutil/volumes.go
> +@@ -272,6 +272,12 @@ func parseMountOptions(mountType string, args []string) (*spec.Mount, error) {
> +			if !hasValue {
> +				return nil, fmt.Errorf("%v: %w", name, errOptionArg)
> +			}
> ++                        switch value {
> ++			case "shared", "rshared", "private", "rprivate", "slave", "rslave", "unbindable", "runbindable":
> ++				// Do nothing, sane value
> ++			default:
> ++				return nil, fmt.Errorf("invalid value %q", arg)
> ++			}
> +			mnt.Options = append(mnt.Options, value)
> +		case "consistency":
> +			// Often used on MACs and mistakenly on Linux platforms.
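Review bot: the added `switch value {` line is indented with spaces while every other line in this hunk uses tabs, so gofmt would rewrite it and the backport no longer matches the upstream commit byte for byte; please re-indent with a tab. A smaller point on the same hunk: the new error `fmt.Errorf("invalid value %q", arg)` reports the whole `key=value` pair without naming the option, whereas the line just above it follows the `"%v: %w", name, errOptionArg` pattern; keeping the upstream wording is fine for a straight backport, but `fmt.Errorf("%v: invalid value %q", name, value)` would read more consistently. The allow-list itself is correct: the eight cases are exactly the Linux propagation flags, and anything else is now rejected before it is appended to `mnt.Options`.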
> +diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go
> +index 4e777d62ef..5b256c9255 100644
> +--- a/test/e2e/run_volume_test.go
> ++++ b/test/e2e/run_volume_test.go
> +@@ -112,6 +112,10 @@ var _ = Describe("Podman run with volumes", func() {
> +		session.WaitWithDefaultTimeout()
> +		Expect(session).To(ExitWithError())
> +
> ++		session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=bind,src=/tmp,target=/tmp,bind-propagation=fake", ALPINE, "true"})
> ++		session.WaitWithDefaultTimeout()
> ++		Expect(session).To(ExitWithError())
> ++
> +		session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=tmpfs,target=/etc/ssl,notmpcopyup", ALPINE, "ls", "/etc/ssl"})
> +		session.WaitWithDefaultTimeout()
> +		Expect(session).Should(ExitCleanly())
> +--
> +2.40.0
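Review bot: in the run_volume_test.go hunk, the new `bind-propagation=fake` case only asserts `ExitWithError()`, so it would also pass if `podman run` failed for an unrelated reason (for example if bind-mounting `/tmp` itself failed in the test environment) rather than because the new validation fired. That mirrors the existing `ExitWithError()` check directly above it, so it is acceptable for a verbatim backport, but if the test framework at the scarthgap podman version supports matching the error text, asserting on `invalid value` would make the test actually prove the rejection comes from the new switch.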
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index ef9798f0..4086298f 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -24,6 +24,7 @@ SRC_URI = " \
>      file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
>      file://CVE-2025-6032.patch;patchdir=src/import \
>      file://CVE-2024-9341.patch;patchdir=src/import \
> +    file://CVE-2024-9407.patch;patchdir=src/import \
>  "
>  
>  LICENSE = "Apache-2.0"
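Review bot: the new SRC_URI entry is consistent with the sibling `CVE-2025-6032.patch` and `CVE-2024-9341.patch` lines (same `patchdir=src/import`), so the mechanics of the recipe change look right. What neither this hunk nor the commit message records is which podman version the scarthgap recipe carries and whether upstream commit 2b2c7a8 is already in a release or stable branch that the recipe could move to within the third-digit bump policy mentioned in this thread; please state that in the commit message for v2 so the check is documented in-tree rather than only in the list discussion.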
> -- 
> 2.40.0
> 
