* [meta-virtualization][walnascar][PATCH 1/1] podman: fix CVE-2025-6032
@ 2025-07-08 9:26 Praveen Kumar
From: Praveen Kumar @ 2025-07-08 9:26 UTC (permalink / raw)
To: meta-virtualization; +Cc: Praveen Kumar
A flaw was found in Podman. The podman machine init command fails to
verify the TLS certificate when downloading the VM images from an OCI
registry. This issue results in a Man In The Middle attack.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-6032
Upstream-patch:
https://github.com/containers/podman/commit/1569c209829530b1f42e8c2fce851de8003ab3fe
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
.../podman/podman/CVE-2025-6032.patch | 61 +++++++++++++++++++
recipes-containers/podman/podman_git.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 recipes-containers/podman/podman/CVE-2025-6032.patch
diff --git a/recipes-containers/podman/podman/CVE-2025-6032.patch b/recipes-containers/podman/podman/CVE-2025-6032.patch
new file mode 100644
index 00000000..c1272266
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2025-6032.patch
@@ -0,0 +1,61 @@
+From 1569c209829530b1f42e8c2fce851de8003ab3fe Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Tue, 10 Jun 2025 14:16:46 +0200
+Subject: [PATCH] machine init: fix tls check
+
+Ensure we verify the TLS connection when pulling the OCI image.
+
+Fixes: CVE-2025-6032
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+(cherry picked from commit 726b506acc8a00d99f1a3a1357ecf619a1f798c3)
+
+CVE: CVE-2025-6032
+
+Upstream-Status: Backport [https://github.com/containers/podman/commit/1569c209829530b1f42e8c2fce851de8003ab3fe]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ pkg/machine/ocipull/ociartifact.go | 2 +-
+ pkg/machine/ocipull/pull.go | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
+index e144689ffe..75154437e9 100644
+--- a/pkg/machine/ocipull/ociartifact.go
++++ b/pkg/machine/ocipull/ociartifact.go
+@@ -224,7 +224,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
+ }
+ fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
+ sysCtx := &types.SystemContext{
+- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
++ DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
+ }
+ imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
+ if err != nil {
+diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
+index 0822578e8a..85cf5c18ec 100644
+--- a/pkg/machine/ocipull/pull.go
++++ b/pkg/machine/ocipull/pull.go
+@@ -21,8 +21,8 @@ import (
+ // PullOptions includes data to alter certain knobs when pulling a source
+ // image.
+ type PullOptions struct {
+- // Require HTTPS and verify certificates when accessing the registry.
+- TLSVerify bool
++ // Skip TLS verification when accessing the registry.
++ SkipTLSVerify types.OptionalBool
+ // [username[:password] to use when connecting to the registry.
+ Credentials string
+ // Quiet the progress bars when pushing.
+@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
+ }
+
+ sysCtx := &types.SystemContext{
+- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
++ DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
+ }
+ if options.Credentials != "" {
+ authConf, err := parse.AuthConfig(options.Credentials)
+--
+2.40.0
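Review bot: the inversion in the removed lines `types.NewOptionalBool(!o.pullOptions.TLSVerify)` and `types.NewOptionalBool(!options.TLSVerify)` is the defect worth calling out in review: `TLSVerify` is a plain bool whose zero value is false, so any caller that never set it produced `DockerInsecureSkipTLSVerify = true` and pulled the VM image without certificate checks. The replacement field `SkipTLSVerify types.OptionalBool` is passed through unchanged, so an unset option no longer disables verification. The callers that used to populate `TLSVerify` are not visible in this hunk and the embedded patch header lists only the two ocipull files, so confirm that the v5.4 tree's machine init code compiles against the renamed field and sets `SkipTLSVerify` only when the user explicitly asks for it.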
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 46c6c969..d98521ba 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,6 +21,7 @@ SRC_URI = " \
git://github.com/containers/libpod.git;branch=v5.4;protocol=https;destsuffix=${GO_SRCURI_DESTSUFFIX} \
${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
file://run-ptest \
+ file://CVE-2025-6032.patch;patchdir=src/import \
"
LICENSE = "Apache-2.0"
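Review bot: `patchdir=src/import` on the new SRC_URI entry is hard-coded while the git fetch uses `destsuffix=${GO_SRCURI_DESTSUFFIX}`; the patch applies only if that variable resolves to `src/import`, so either use the same variable in both places or confirm the value for this recipe. The embedded patch already carries the `CVE:` and `Upstream-Status: Backport` tags, so nothing else is needed in the recipe for CVE tracking.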
--
2.40.0
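To make the defect described in the commit message concrete, here is an added, stand-alone Go example that is not part of this patch or of the podman code base. It models the before and after shapes of PullOptions from the embedded patch and shows why the pre-fix bool field was unsafe: its zero value, negated, turns verification off. The OptionalBool type and NewOptionalBool here are a simplified stand-in (an assumption) for containers/image's types.OptionalBool, chosen to reproduce its three-state behaviour; OldPullOptions and NewPullOptions are constructed names for the two struct versions.

```go
package main

import "fmt"

// OptionalBool is a simplified stand-in (assumption, not the real type) for
// containers/image's types.OptionalBool: a three-state flag whose zero value
// means "not specified" rather than "false".
type OptionalBool byte

const (
	OptionalUndefined OptionalBool = iota // zero value: the caller said nothing
	OptionalTrue
	OptionalFalse
)

// NewOptionalBool mirrors the constructor used in the pre-fix code.
func NewOptionalBool(b bool) OptionalBool {
	if b {
		return OptionalTrue
	}
	return OptionalFalse
}

// OldPullOptions models the struct before the fix: a plain bool that every
// caller had to remember to set to true.
type OldPullOptions struct {
	TLSVerify bool
}

// NewPullOptions models the struct after the fix: the field names the unsafe
// choice, and its zero value leaves verification enabled.
type NewPullOptions struct {
	SkipTLSVerify OptionalBool
}

// OldSkipsVerification reproduces the pre-fix SystemContext construction:
// DockerInsecureSkipTLSVerify = NewOptionalBool(!TLSVerify).
func OldSkipsVerification(o OldPullOptions) bool {
	return NewOptionalBool(!o.TLSVerify) == OptionalTrue
}

// NewSkipsVerification reproduces the post-fix construction: the option is
// passed through unchanged, so only an explicit OptionalTrue skips checks.
func NewSkipsVerification(o NewPullOptions) bool {
	return o.SkipTLSVerify == OptionalTrue
}

func main() {
	// Constructed scenario: a caller builds the options and never touches the flag.
	fmt.Println("old, unset:", OldSkipsVerification(OldPullOptions{}))           // true: verification silently off
	fmt.Println("new, unset:", NewSkipsVerification(NewPullOptions{}))           // false: verification stays on
	fmt.Println("new, explicit skip:", NewSkipsVerification(NewPullOptions{SkipTLSVerify: OptionalTrue}))
}
```

The design point is that a security-relevant option should be safe in its zero value: a field that has to be set to true to be secure will eventually be forgotten by some caller, whereas a "skip" field that defaults to undefined fails closed.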