* [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
From: yurade @ 2025-09-16 5:25 UTC
To: meta-virtualization
From: Yogita Urade <yogita.urade@windriver.com>

A vulnerability exists in the bind-propagation option of the
Dockerfile RUN --mount instruction. The system does not properly
validate the input passed to this option, allowing users to pass
arbitrary parameters to the mount instruction. This issue can be
exploited to mount sensitive directories from the host into a
container during the build process and, in some cases, modify the
contents of those mounted files. Even if SELinux is used, this
vulnerability can bypass its protection by allowing the source
directory to be relabeled to give the container access to host files.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9407

Upstream patch:
https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
.../podman/podman/CVE-2024-9407.patch | 58 +++++++++++++++++++
recipes-containers/podman/podman_git.bb | 1 +
2 files changed, 59 insertions(+)
create mode 100644 recipes-containers/podman/podman/CVE-2024-9407.patch
diff --git a/recipes-containers/podman/podman/CVE-2024-9407.patch b/recipes-containers/podman/podman/CVE-2024-9407.patch
new file mode 100644
index 00000000..397cd362
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2024-9407.patch
@@ -0,0 +1,58 @@
+From 2b2c7a89586d0e495b6bc5cc5687bab79162118e Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Tue, 1 Oct 2024 12:38:45 -0400
+Subject: [PATCH] Validate the bind-propagation option to `--mount`
+
+Similar to github.com/containers/buildah/pull/5761 but not
+security critical as Podman does not have an expectation that
+mounts are scoped (the ability to write a --mount option is
+already the ability to mount arbitrary content into the container
+so sneaking arbitrary options into the mount doesn't have
+security implications). Still, bad practice to let users inject
+anything into the mount command line so let's not do that.
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+
+CVE: CVE-2024-9407
+Upstream-Status: Backport [https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ pkg/specgenutil/volumes.go | 6 ++++++
+ test/e2e/run_volume_test.go | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/pkg/specgenutil/volumes.go b/pkg/specgenutil/volumes.go
+index c481867163..5618b2d342 100644
+--- a/pkg/specgenutil/volumes.go
++++ b/pkg/specgenutil/volumes.go
+@@ -272,6 +272,12 @@ func parseMountOptions(mountType string, args []string) (*spec.Mount, error) {
+ if !hasValue {
+ return nil, fmt.Errorf("%v: %w", name, errOptionArg)
+ }
++ switch value {
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave", "unbindable", "runbindable":
++ // Do nothing, sane value
++ default:
++ return nil, fmt.Errorf("invalid value %q", arg)
++ }
+ mnt.Options = append(mnt.Options, value)
+ case "consistency":
+ // Often used on MACs and mistakenly on Linux platforms.
+diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go
+index 4e777d62ef..5b256c9255 100644
+--- a/test/e2e/run_volume_test.go
++++ b/test/e2e/run_volume_test.go
+@@ -112,6 +112,10 @@ var _ = Describe("Podman run with volumes", func() {
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(ExitWithError())
+
++ session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=bind,src=/tmp,target=/tmp,bind-propagation=fake", ALPINE, "true"})
++ session.WaitWithDefaultTimeout()
++ Expect(session).To(ExitWithError())
++
+ session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=tmpfs,target=/etc/ssl,notmpcopyup", ALPINE, "ls", "/etc/ssl"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(ExitCleanly())
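Review bot: the added case covers only the negative path (`bind-propagation=fake` must exit with an error). A matching positive case, for example `bind-propagation=rprivate` asserted with ExitCleanly, would catch an allowlist that is accidentally too strict, which is the regression risk of this kind of change; the tmpfs case that follows already shows the pattern. The test bind-mounts the host /tmp, as the neighbouring tests in this block already do.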
+--
+2.40.0
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index ef9798f0..4086298f 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
file://CVE-2025-6032.patch;patchdir=src/import \
file://CVE-2024-9341.patch;patchdir=src/import \
+ file://CVE-2024-9407.patch;patchdir=src/import \
"
LICENSE = "Apache-2.0"
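Review bot: the SRC_URI entry matches the neighbouring CVE patch lines (same `patchdir=src/import`, placed before the closing quote), and the patch file it references carries a `CVE: CVE-2024-9407` tag, which is what cve-check keys on to record the recipe as patched. The point to settle before merging is the one the maintainer raises in his reply: whether a release on the branch this recipe tracks already contains the upstream commit, in which case a version bump is preferred over carrying the patch.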
--
2.40.0
* [meta-virtualization][scarthgap][PATCH 2/2] buildah: fix CVE-2024-9407
From: yurade @ 2025-09-16 5:25 UTC
To: meta-virtualization
From: Yogita Urade <yogita.urade@windriver.com>

A vulnerability exists in the bind-propagation option of the
Dockerfile RUN --mount instruction. The system does not properly
validate the input passed to this option, allowing users to pass
arbitrary parameters to the mount instruction. This issue can be
exploited to mount sensitive directories from the host into a
container during the build process and, in some cases, modify the
contents of those mounted files. Even if SELinux is used, this
vulnerability can bypass its protection by allowing the source
directory to be relabeled to give the container access to host files.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9407

Upstream patch:
https://github.com/containers/buildah/commit/e289e285dc8b68873b6c16f58f2fdb4a1c7cca0c

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
.../buildah/buildah/CVE-2024-9407.patch | 92 +++++++++++++++++++
recipes-containers/buildah/buildah_git.bb | 1 +
2 files changed, 93 insertions(+)
create mode 100644 recipes-containers/buildah/buildah/CVE-2024-9407.patch
diff --git a/recipes-containers/buildah/buildah/CVE-2024-9407.patch b/recipes-containers/buildah/buildah/CVE-2024-9407.patch
new file mode 100644
index 00000000..ec93e7b8
--- /dev/null
+++ b/recipes-containers/buildah/buildah/CVE-2024-9407.patch
@@ -0,0 +1,92 @@
+From e289e285dc8b68873b6c16f58f2fdb4a1c7cca0c Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Tue, 1 Oct 2024 11:01:45 -0400
+Subject: [PATCH] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Paul: fix merged conflict in tests (cherry-picked from 732f770648)
+
+Fixes https://issues.redhat.com/browse/RHEL-61147
+Fixes https://issues.redhat.com/browse/RHEL-61145
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+
+CVE: CVE-2024-9407
+Upstream-Status: Backport [https://github.com/containers/buildah/commit/e289e285dc8b68873b6c16f58f2fdb4a1c7cca0c]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ internal/volumes/volumes.go | 12 ++++++++++++
+ tests/bud.bats | 25 +++++++++++++++++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index c6d6e3545..871006099 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -106,6 +106,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ if !hasArgValue {
+ return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ }
++ switch argValue {
++ default:
++ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, argValue)
+ case "src", "source":
+ if !hasArgValue {
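Review bot: the allowlist here stops at `rslave`, whereas the podman fix for the same option also accepts `unbindable` and `runbindable`. The comment says this "should be the relevant parts of the same list of options we accepted above", but that list is not in the hunk; if buildah previously accepted the unbindable modes through the unprefixed path, this is a behaviour change worth stating in the commit message, and if it did not, the comment should say so rather than leave the reader to check. Putting `default:` before the `case` is legal Go but reads backwards; listing the accepted values first makes the allowlist easier to audit. The error wrapping is good: it names the flag, quotes the offending value and wraps `errBadMntOption`, which is what the new bats tests match on.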
+@@ -278,6 +284,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ if !hasArgValue {
+ return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ }
++ switch argValue {
++ default:
++ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, argValue)
+ case "id":
+ if !hasArgValue {
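Review bot: this switch is a copy of the one added to GetBindMount above, and the two will drift the next time one of them is touched. A small helper holding the list once, for instance `func isValidPropagation(value string) bool`, called from both GetBindMount and GetCacheMount, removes that risk and gives the allowlist a single place to be reviewed. The duplicated comment "this should be the relevant parts of the same list of options we accepted above" is even less anchored here, since the cache-mount parser has a different option set than the bind-mount one.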
+diff --git a/tests/bud.bats b/tests/bud.bats
+index 9e3930f52..15165953f 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -6682,3 +6682,28 @@ EOF
+ run_buildah 1 build --security-opt label=disable --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ --no-cache ${TEST_SCRATCH_DIR}/cve20249675/
+ expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
+ }
++
++@test "build-validates-bind-bind-propagation" {
++ _prefetch alpine
++
++ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
++FROM alpine as base
++FROM alpine
++RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd
++_EOF
++
++ run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
++ expect_output --substring "invalid mount option"
++}
++
++@test "build-validates-cache-bind-propagation" {
++ _prefetch alpine
++
++ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
++FROM alpine
++RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd
++_EOF
++
++ run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
++ expect_output --substring "invalid mount option"
++}
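Review bot: both tests use `bind-propagation=suid`, a real mount flag rather than a propagation mode, which is exactly the injection class the fix closes, and both expect exit status 125 with "invalid mount option" in the output, matching the wrapped errBadMntOption in the Go hunks. They exercise only rejection, though; a third test using a valid mode such as `bind-propagation=rprivate` and expecting the build to succeed would guard against an over-strict allowlist, which is the regression an allowlist change can introduce.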
+--
+2.40.0
diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 22cf3605..3abd1227 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -36,6 +36,7 @@ SRC_URI = " \
file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
file://CVE-2024-9675.patch;patchdir=src/github.com/containers/buildah \
file://CVE-2024-9341.patch;patchdir=src/github.com/containers/buildah \
+ file://CVE-2024-9407.patch;patchdir=src/github.com/containers/buildah \
"
DEPENDS = "libdevmapper btrfs-tools gpgme"
--
2.40.0
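Both backports above make the same change: the value after `bind-propagation=` is compared against a fixed set of kernel propagation modes before it is appended to the mount's option list, instead of being passed through verbatim. The following is an added example written for this thread, not code from podman, buildah or meta-virtualization. It is a simplified `--mount` parser that shows the pattern end to end: the `Mount` type, the `errBadMountOption` sentinel and the reduced option set (`type`, `src`, `target`, `ro`, `bind-propagation`) are assumptions of the example; the allowlist is the one from the podman hunk, and the rejected input reuses the `suid` value from the buildah bats tests.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errBadMountOption is a sentinel error for this example (hypothetical; the
// real code uses errOptionArg in podman and errBadMntOption in buildah).
var errBadMountOption = errors.New("invalid mount option")

// validPropagation lists the kernel mount-propagation modes that may follow
// "bind-propagation=". This is the podman allowlist; the buildah fix omits
// the two unbindable entries.
var validPropagation = map[string]bool{
	"shared": true, "rshared": true,
	"private": true, "rprivate": true,
	"slave": true, "rslave": true,
	"unbindable": true, "runbindable": true,
}

// Mount is a simplified stand-in for the OCI spec.Mount the real parsers build.
type Mount struct {
	Type        string
	Source      string
	Destination string
	Options     []string
}

// ParseBindMount parses one "--mount" argument of the form
// "type=bind,src=...,target=...,ro,bind-propagation=MODE".
// The pre-fix code appended the bind-propagation value to Options verbatim,
// so "bind-propagation=suid" became a raw "suid" mount option; here every
// value that reaches Options is checked against the allowlist first.
func ParseBindMount(spec string) (*Mount, error) {
	m := &Mount{Type: "bind"}
	for _, arg := range strings.Split(spec, ",") {
		name, value, hasValue := strings.Cut(arg, "=")
		switch name {
		case "type":
			if !hasValue || value != "bind" {
				return nil, fmt.Errorf("%v: %q: %w", name, value, errBadMountOption)
			}
		case "src", "source":
			if !hasValue {
				return nil, fmt.Errorf("%v: missing value: %w", name, errBadMountOption)
			}
			m.Source = value
		case "dst", "target", "destination":
			if !hasValue {
				return nil, fmt.Errorf("%v: missing value: %w", name, errBadMountOption)
			}
			m.Destination = value
		case "ro", "readonly":
			// Flag-style option: the fixed string "ro" is appended, never the input.
			if hasValue {
				return nil, fmt.Errorf("%v: takes no value: %w", name, errBadMountOption)
			}
			m.Options = append(m.Options, "ro")
		case "bind-propagation":
			if !hasValue {
				return nil, fmt.Errorf("%v: missing value: %w", name, errBadMountOption)
			}
			// The fix: reject anything that is not a propagation mode, so a
			// caller cannot smuggle an arbitrary mount flag through this key.
			if !validPropagation[value] {
				return nil, fmt.Errorf("%v: %q: %w", name, value, errBadMountOption)
			}
			m.Options = append(m.Options, value)
		default:
			// Unknown keys are rejected rather than passed through.
			return nil, fmt.Errorf("%v: unknown option: %w", name, errBadMountOption)
		}
	}
	if m.Destination == "" {
		return nil, fmt.Errorf("target: required: %w", errBadMountOption)
	}
	return m, nil
}

func main() {
	// Constructed inputs: the second uses the "suid" value from the bud.bats
	// tests in the buildah patch and must be refused.
	for _, spec := range []string{
		"type=bind,src=/tmp,target=/tmp,ro,bind-propagation=rprivate",
		"type=bind,src=/tmp,target=/tmp,bind-propagation=suid",
	} {
		m, err := ParseBindMount(spec)
		if err != nil {
			fmt.Printf("%s\n  rejected: %v\n", spec, err)
			continue
		}
		fmt.Printf("%s\n  accepted: options=%v\n", spec, m.Options)
	}
}
```

The design point is that `Options` is only ever appended with a fixed literal or with a value that has already matched the allowlist; callers that need to distinguish a validation failure from other errors can use errors.Is against the sentinel, which is the same property the buildah hunks get from wrapping errBadMntOption.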
* Re: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
From: Bruce Ashfield @ 2025-09-19 2:41 UTC
To: Yogita.Urade; +Cc: meta-virtualization
The same question needs to be answered for all of these CVE
patches (send a v2).
In what release was the fix/commit introduced? Show that
you've checked to see if there's a release branch equivalent
for the version we are patching.
Version bumps (within the -stable branch policy of 3rd digit
or no major updates) are much preferred to patches.
Bruce
In message: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
on 16/09/2025 Urade, Yogita via lists.yoctoproject.org wrote:
> From: Yogita Urade <yogita.urade@windriver.com>
>
> A vulnerability exists in the bind-propagation option of the
> Dockerfile RUN --mount instruction. The system does not properly
> validate the input passed to this option, allowing users to pass
> arbitrary parameters to the mount instruction. This issue can be
> exploited to mount sensitive directories from the host into a
> container during the build process and, in some cases, modify the
> contents of those mounted files. Even if SELinux is used, this
> vulnerability can bypass its protection by allowing the source
> directory to be relabeled to give the container access to host files.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-9407
>
> Upstream patch:
> https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e
>
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> [...]
* Re: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
From: Urade, Yogita @ 2025-09-19 9:51 UTC
To: Bruce Ashfield; +Cc: meta-virtualization
Current podman recipe version is 5.0.1.
The latest stable version of 5.0.x is 5.0.3, which did not contain the
fix for this issue.
Earliest fixed version is 5.2.4.
So should I upgrade from 5.0.1 to 5.2.4? (Changelog:
https://github.com/containers/podman/compare/v5.0.1...v5.2.4)
../Yogita
On 19-09-2025 08:11, Bruce Ashfield wrote:
>
> The same question needs to be answered for all of these CVE
> patches (send a v2).
>
> What release was the fix/commit introduced, and show that
> you've checked to see if there's a release branch equivalent
> for the version we are patching.
>
> Version bumps (within the -stable branch policy of 3rd digit
> or no major updates) are much preferred to patches.
>
> Bruce
>
> In message: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
> on 16/09/2025 Urade, Yogita via lists.yoctoproject.org wrote:
>
>> From: Yogita Urade<yogita.urade@windriver.com>
>>
>> A vulnerability exists in the bind-propagation option of the
>> Dockerfile RUN --mount instruction. The system does not properly
>> validate the input passed to this option, allowing users to pass
>> arbitrary parameters to the mount instruction. This issue can be
>> exploited to mount sensitive directories from the host into a
>> container during the build process and, in some cases, modify the
>> contents of those mounted files. Even if SELinux is used, this
>> vulnerability can bypass its protection by allowing the source
>> directory to be relabeled to give the container access to host files.
>>
>> Reference:
>> https://nvd.nist.gov/vuln/detail/CVE-2024-9407
>>
>> Upstream patch:
>> https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e
>>
>> Signed-off-by: Yogita Urade<yogita.urade@windriver.com>
>> [...]
* Re: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
From: Urade, Yogita @ 2025-09-19 10:13 UTC
To: meta-virtualization
For buildah, current recipe version is 1.34.3.
Earliest fixed version is 1.37.3.
So should I upgrade from 1.34.4 to 1.37.3? (Changelog:
https://github.com/containers/buildah/compare/v1.34.3...v1.37.4)
../Yogita
On 19-09-2025 15:21, Urade, Yogita via lists.yoctoproject.org wrote:
>
> Current podman recipe version is 5.0.1.
>
> The latest stable version of 5.0.x is 5.0.3 which did not contain the
> fix for this issue.
>
> Earliest fixed version is 5.2.4.
> So should I do upgrade from 5.0.1 to 5.2.4 (Changelog:
> https://github.com/containers/podman/compare/v5.0.1...v5.2.4)
>
> ../Yogita
>
> On 19-09-2025 08:11, Bruce Ashfield wrote:
>>
>> The same question needs to be answered for all of these CVE
>> patches (send a v2).
>>
>> What release was the fix/commit introduced, and show that
>> you've checked to see if there's a release branch equivalent
>> for the version we are patching.
>>
>> Version bumps (within the -stable branch policy of 3rd digit
>> or no major updates) are much preferred to patches.
>>
>> Bruce
>>
>> In message: [meta-virtualization][scarthgap][PATCH 1/2] podman: fix CVE-2024-9407
>> on 16/09/2025 Urade, Yogita via lists.yoctoproject.org wrote:
>>
>>> From: Yogita Urade<yogita.urade@windriver.com>
>>>
>>> A vulnerability exists in the bind-propagation option of the
>>> Dockerfile RUN --mount instruction. The system does not properly
>>> validate the input passed to this option, allowing users to pass
>>> arbitrary parameters to the mount instruction. This issue can be
>>> exploited to mount sensitive directories from the host into a
>>> container during the build process and, in some cases, modify the
>>> contents of those mounted files. Even if SELinux is used, this
>>> vulnerability can bypass its protection by allowing the source
>>> directory to be relabeled to give the container access to host files.
>>>
>>> Reference:
>>> https://nvd.nist.gov/vuln/detail/CVE-2024-9407
>>>
>>> Upstream patch:
>>> https://github.com/containers/podman/commit/2b2c7a89586d0e495b6bc5cc5687bab79162118e
>>>
>>> Signed-off-by: Yogita Urade<yogita.urade@windriver.com>
>>> [...]
>