* [meta-virtualization][walnascar][PATCH 2/2] podman: fix CVE-2025-9566
From: dchellam @ 2025-10-13 11:47 UTC (permalink / raw)
To: meta-virtualization
From: Divya Chellam <divya.chellam@windriver.com>
There's a vulnerability in podman where an attacker may use the kube play
command to overwrite host files when the kube file contains a Secret or
a ConfigMap volume mount and such a volume contains a symbolic link to a host
file path. In a successful attack, the attacker can only control the target
file to be overwritten but not the content to be written into the file.

Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-9566
Upstream-patch:
https://github.com/containers/podman/commit/ca994186f07822b9048fe711b6903e51614d3e15
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
.../podman/podman/CVE-2025-9566.patch | 152 ++++++++++++++++++
recipes-containers/podman/podman_git.bb | 1 +
2 files changed, 153 insertions(+)
create mode 100644 recipes-containers/podman/podman/CVE-2025-9566.patch
diff --git a/recipes-containers/podman/podman/CVE-2025-9566.patch b/recipes-containers/podman/podman/CVE-2025-9566.patch
new file mode 100644
index 00000000..7e5cbe8b
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2025-9566.patch
@@ -0,0 +1,152 @@
+From ca994186f07822b9048fe711b6903e51614d3e15 Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 29 Aug 2025 15:39:38 +0200
+Subject: [PATCH] kube play: don't follow volume symlinks onto the host
+
+For ConfigMap and Secret kube play volumes podman populates the data
+from the yaml. However the volume content is not controlled by us and we
+can be tricked following a symlink to a file on the host instead.
+
+Fixes: CVE-2025-9566
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+(cherry picked from commit 43fbde4e665fe6cee6921868f04b7ccd3de5ad89)
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+
+CVE: CVE-2025-9566
+
+Upstream-Status: Backport [https://github.com/containers/podman/commit/ca994186f07822b9048fe711b6903e51614d3e15]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ pkg/domain/infra/abi/play.go | 5 ++-
+ pkg/domain/infra/abi/play_linux.go | 18 +++++++++++
+ pkg/domain/infra/abi/play_unsupported.go | 13 ++++++++
+ pkg/domain/infra/abi/play_utils.go | 39 +++++++++++++++++++++++-
+ 4 files changed, 71 insertions(+), 4 deletions(-)
+ create mode 100644 pkg/domain/infra/abi/play_linux.go
+ create mode 100644 pkg/domain/infra/abi/play_unsupported.go
+
+diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
+index 6ffbf4cf54..2fa2752d7c 100644
+--- a/pkg/domain/infra/abi/play.go
++++ b/pkg/domain/infra/abi/play.go
+@@ -808,8 +808,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
+ defaultMode := v.DefaultMode
+ // Create files and add data to the volume mountpoint based on the Items in the volume
+ for k, v := range v.Items {
+- dataPath := filepath.Join(mountPoint, k)
+- f, err := os.Create(dataPath)
++ f, err := openPathSafely(mountPoint, k)
+ if err != nil {
+ return nil, nil, fmt.Errorf("cannot create file %q at volume mountpoint %q: %w", k, mountPoint, err)
+ }
+@@ -819,7 +818,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
+ return nil, nil, err
+ }
+ // Set file permissions
+- if err := os.Chmod(f.Name(), os.FileMode(defaultMode)); err != nil {
++ if err := f.Chmod(os.FileMode(defaultMode)); err != nil {
+ return nil, nil, err
+ }
+ }
+diff --git a/pkg/domain/infra/abi/play_linux.go b/pkg/domain/infra/abi/play_linux.go
+new file mode 100644
+index 0000000000..a0f9811516
+--- /dev/null
++++ b/pkg/domain/infra/abi/play_linux.go
+@@ -0,0 +1,18 @@
++//go:build !remote
++
++package abi
++
++import (
++ "os"
++
++ securejoin "github.com/cyphar/filepath-securejoin"
++)
++
++// openSymlinkPath opens the path under root using securejoin.OpenatInRoot().
++func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
++ file, err := securejoin.OpenatInRoot(root, unsafePath)
++ if err != nil {
++ return nil, err
++ }
++ return securejoin.Reopen(file, flags)
++}
+diff --git a/pkg/domain/infra/abi/play_unsupported.go b/pkg/domain/infra/abi/play_unsupported.go
+new file mode 100644
+index 0000000000..3ecbae7cc1
+--- /dev/null
++++ b/pkg/domain/infra/abi/play_unsupported.go
+@@ -0,0 +1,13 @@
++//go:build !linux && !remote
++
++package abi
++
++import (
++ "errors"
++ "os"
++)
++
++// openSymlinkPath is not supported on this platform.
++func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
++ return nil, errors.New("cannot safely open symlink on this platform")
++}
+diff --git a/pkg/domain/infra/abi/play_utils.go b/pkg/domain/infra/abi/play_utils.go
+index 7285d9c9b9..217b656997 100644
+--- a/pkg/domain/infra/abi/play_utils.go
++++ b/pkg/domain/infra/abi/play_utils.go
+@@ -2,7 +2,14 @@
+
+ package abi
+
+-import "github.com/containers/podman/v5/libpod/define"
++import (
++ "fmt"
++ "os"
++ "strings"
++
++ "github.com/containers/podman/v5/libpod/define"
++ "golang.org/x/sys/unix"
++)
+
+ // getSdNotifyMode returns the `sdNotifyAnnotation/$name` for the specified
+ // name. If name is empty, it'll only look for `sdNotifyAnnotation`.
+@@ -16,3 +23,33 @@ func getSdNotifyMode(annotations map[string]string, name string) (string, error)
+ }
+ return mode, define.ValidateSdNotifyMode(mode)
+ }
++
++// openPathSafely opens the given name under the trusted root path, the unsafeName
++// must be a single path component and not contain "/".
++// The resulting path will be opened or created if it does not exists.
++// Following of symlink is done within staying under root, escapes outsides
++// of root are not allowed and prevent.
++//
++// This custom function is needed because securejoin.SecureJoin() is not race safe
++// and the volume might be mounted in another container that could swap in a symlink
++// after the function ahs run. securejoin.OpenInRoot() doesn't work either because
++// it cannot create files and doesn't work on freebsd.
++func openPathSafely(root, unsafeName string) (*os.File, error) {
++ if strings.Contains(unsafeName, "/") {
++ return nil, fmt.Errorf("name %q must not contain path separator", unsafeName)
++ }
++ fdDir, err := os.OpenFile(root, unix.O_RDONLY, 0)
++ if err != nil {
++ return nil, err
++ }
++ defer fdDir.Close()
++ flags := unix.O_CREAT | unix.O_WRONLY | unix.O_TRUNC | unix.O_CLOEXEC
++ fd, err := unix.Openat(int(fdDir.Fd()), unsafeName, flags|unix.O_NOFOLLOW, 0o644)
++ if err == nil {
++ return os.NewFile(uintptr(fd), unsafeName), nil
++ }
++ if err == unix.ELOOP {
++ return openSymlinkPath(fdDir, unsafeName, flags)
++ }
++ return nil, &os.PathError{Op: "openat", Path: unsafeName, Err: err}
++}
+--
+2.40.0
+
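Review bot: In openPathSafely (play_utils.go hunk) the two failure paths report differently: the non-ELOOP case is wrapped as `&os.PathError{Op: "openat", Path: unsafeName, Err: err}`, but the `err == unix.ELOOP` branch returns openSymlinkPath's error bare, so a securejoin failure reaches the caller's "cannot create file %q" message without the openat context; wrapping it the same way, `f, err := openSymlinkPath(fdDir, unsafeName, flags); if err != nil { return nil, &os.PathError{Op: "openat", Path: unsafeName, Err: err} }`, keeps both paths consistent. The bare `err == unix.ELOOP` comparison would be more robust as `errors.Is(err, unix.ELOOP)`, which needs "errors" added to the new import block in that file. Since this backport lands on the branch=v5.4 tree pinned in podman_git.bb, it is worth confirming that the vendored github.com/cyphar/filepath-securejoin in that tree already provides the OpenatInRoot and Reopen functions play_linux.go calls; if it does not, the build fails only after the patch applies. The doc comment on openPathSafely also carries a few typos ("does not exists", "ahs run", "are not allowed and prevent") that could be tidied in the same backport.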
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index a83764fc..fc7a01d2 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,6 +21,7 @@ SRC_URI = " \
git://github.com/containers/libpod.git;branch=v5.4;protocol=https;destsuffix=${GO_SRCURI_DESTSUFFIX} \
${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
file://CVE-2025-6032.patch;patchdir=src/import \
+ file://CVE-2025-9566.patch;patchdir=src/import \
"
LICENSE = "Apache-2.0"
--
2.40.0
* Re: [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest
From: Bruce Ashfield @ 2025-10-14 1:59 UTC (permalink / raw)
To: Divya.Chellam; +Cc: meta-virtualization
The tests don't do anything, but shouldn't actually break a build, etc.
As such, I don't think we really need to backport this to walnascar.
I've grabbed the CVE fix though.
Bruce
In message: [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest
on 13/10/2025 dchellam via lists.yoctoproject.org wrote:
> From: Divya Chellam <divya.chellam@windriver.com>
>
> The ptest was added almost three years ago and since then nobody
> ever fixed anything. It's almost impossible that the ptest never
> failed. As evidence, for the current version, the test cases
> cannot even run.
>
> Remove this ptest. People who care about podman ptest should be
> maintaining it.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
> (master rev: a8175deded4decb9b889901caabb48bf8c4edc73)
>
> Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
> ---
> recipes-containers/podman/podman/run-ptest | 13 -----------
> recipes-containers/podman/podman_git.bb | 27 +---------------------
> 2 files changed, 1 insertion(+), 39 deletions(-)
> delete mode 100644 recipes-containers/podman/podman/run-ptest
>
> diff --git a/recipes-containers/podman/podman/run-ptest b/recipes-containers/podman/podman/run-ptest
> deleted file mode 100644
> index 108ff451..00000000
> --- a/recipes-containers/podman/podman/run-ptest
> +++ /dev/null
> @@ -1,13 +0,0 @@
> -#!/bin/sh
> -
> -# SPDX-FileCopyrightText: Huawei Inc.
> -#
> -# SPDX-License-Identifier: MIT
> -
> -#
> -# Podman system tests
> -#
> -
> -# The system tests don't need any go related variables. Dummy-define them to
> -# avoid useless warnings/errors.
> -GOOS=undefined GO=true BUILDTAGS= make localsystem
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index d98521ba..a83764fc 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -20,7 +20,6 @@ SRCREV = "227df90eb7c021097c9ba5f8000c83648a598028"
> SRC_URI = " \
> git://github.com/containers/libpod.git;branch=v5.4;protocol=https;destsuffix=${GO_SRCURI_DESTSUFFIX} \
> ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
> - file://run-ptest \
> file://CVE-2025-6032.patch;patchdir=src/import \
> "
>
> @@ -56,7 +55,7 @@ export BUILDFLAGS = "${GOBUILDFLAGS}"
>
> inherit go goarch
> inherit container-host
> -inherit systemd pkgconfig ptest
> +inherit systemd pkgconfig
>
> do_configure[noexec] = "1"
>
> @@ -129,17 +128,6 @@ do_install() {
> fi
> }
>
> -do_install_ptest () {
> - cp ${S}/src/import/Makefile ${D}${PTEST_PATH}
> - install -d ${D}${PTEST_PATH}/test
> - cp -r ${S}/src/import/test/system ${D}${PTEST_PATH}/test
> -
> - # Some compatibility links for the Makefile assumptions.
> - install -d ${D}${PTEST_PATH}/bin
> - ln -s ${bindir}/podman ${D}${PTEST_PATH}/bin/podman
> - ln -s ${bindir}/podman-remote ${D}${PTEST_PATH}/bin/podman-remote
> -}
> -
> FILES:${PN} += " \
> ${systemd_unitdir}/system/* \
> ${nonarch_libdir}/systemd/* \
> @@ -170,16 +158,3 @@ RRECOMMENDS:${PN} += "slirp4netns \
> kernel-module-xt-tcpudp \
> "
> RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
> -
> -RDEPENDS:${PN}-ptest += " \
> - bash \
> - bats \
> - buildah \
> - coreutils \
> - file \
> - gnupg \
> - jq \
> - make \
> - skopeo \
> - tar \
> -"
> --
> 2.40.0
>
>