* [meta-virtualization][scarthgap][PATCH 1/3] podman: fix CVE-2024-9341
From: Praveen Kumar @ 2025-08-08 15:39 UTC
To: meta-virtualization; +Cc: Praveen Kumar
A flaw was found in Go. When FIPS mode is enabled on a system,
container runtimes may incorrectly handle certain file paths due to
improper validation in the containers/common Go library. This flaw
allows an attacker to exploit symbolic links and trick the system
into mounting sensitive host directories inside a container. This
issue also allows attackers to access critical host files, bypassing
the intended isolation between containers and the host system.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9341
Upstream-patch:
https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
.../podman/podman/CVE-2024-9341.patch | 45 +++++++++++++++++++
recipes-containers/podman/podman_git.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 recipes-containers/podman/podman/CVE-2024-9341.patch
diff --git a/recipes-containers/podman/podman/CVE-2024-9341.patch b/recipes-containers/podman/podman/CVE-2024-9341.patch
new file mode 100644
index 00000000..b5bdd9eb
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2024-9341.patch
@@ -0,0 +1,45 @@
+From e7db06585c32e1a782c1d9aa3b71ccd708f5e23f Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 27 Sep 2024 14:01:56 +0200
+Subject: [PATCH] pkg/subscriptions: use securejoin for the container path
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+CVE: CVE-2024-9341
+
+Upstream-Status: Backport [https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6845914aa2..04cf6deaa8 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+--
+2.40.0
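Review bot: the import added at `+ securejoin "github.com/cyphar/filepath-securejoin"` assumes that module is already present in podman's vendor tree; the recipe's existing `0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch` for containers/storage shows it is used there, so this should build, but that is the thing to confirm on a clean scarthgap build. The substantive change is the right one: `filepath.Join(mountPoint, srcBackendDir)` would let a symlink placed in the image at `/usr/share/crypto-policies/back-ends/FIPS` point anywhere on the host, whereas `securejoin.SecureJoin(mountPoint, srcBackendDir)` resolves it with `mountPoint` as the root, so the path handed to `os.Stat` and later mounted stays inside the container rootfs. The `err` returned by SecureJoin is shadowed by the `err` declared in the unchanged `if _, err := os.Stat(srcOnHost)` line; harmless here because the first one is checked before that point, but worth knowing when reading the function. The header fields (`CVE:`, `Upstream-Status: Backport [...]`, `Signed-off-by:`) are in the expected form for the layer.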
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 2018c74d..d3fa38ed 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
file://run-ptest \
file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
file://CVE-2025-6032.patch;patchdir=src/import \
+ file://CVE-2024-9341.patch;patchdir=src/import \
"
LICENSE = "Apache-2.0"
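Review bot: `patchdir=src/import` is correct for this entry: the patch's file paths begin at `vendor/github.com/containers/common/...`, that is, relative to the podman source root, matching the neighbouring `CVE-2025-6032.patch` line; the storage patch above needs the longer `patchdir` only because its paths are relative to the vendored storage module. Appending after `CVE-2025-6032.patch` causes no ordering problem, since the two patches touch different files.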
--
2.40.0
* [meta-virtualization][scarthgap][PATCH 2/3] buildah: fix CVE-2024-9341
From: Praveen Kumar @ 2025-08-08 15:39 UTC
To: meta-virtualization; +Cc: Praveen Kumar
A flaw was found in Go. When FIPS mode is enabled on a system,
container runtimes may incorrectly handle certain file paths due to
improper validation in the containers/common Go library. This flaw
allows an attacker to exploit symbolic links and trick the system
into mounting sensitive host directories inside a container. This
issue also allows attackers to access critical host files, bypassing
the intended isolation between containers and the host system.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9341
Upstream-patch:
https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
.../buildah/buildah/CVE-2024-9341.patch | 45 +++++++++++++++++++
recipes-containers/buildah/buildah_git.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 recipes-containers/buildah/buildah/CVE-2024-9341.patch
diff --git a/recipes-containers/buildah/buildah/CVE-2024-9341.patch b/recipes-containers/buildah/buildah/CVE-2024-9341.patch
new file mode 100644
index 00000000..0dcd5b87
--- /dev/null
+++ b/recipes-containers/buildah/buildah/CVE-2024-9341.patch
@@ -0,0 +1,45 @@
+From e7db06585c32e1a782c1d9aa3b71ccd708f5e23f Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 27 Sep 2024 14:01:56 +0200
+Subject: [PATCH] pkg/subscriptions: use securejoin for the container path
+
+If we join a path from the container image we must always use securejoin
+to prevent us from following a symlink onto the host.
+
+Fixes CVE-2024-9341
+
+CVE: CVE-2024-9341
+
+Upstream-Status: Backport [https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154a7..d976329f7 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+--
+2.40.0
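Review bot: this file is identical to the podman copy except for the `index 6ba2154a7..d976329f7` line, which records buildah's own vendored revision of subscriptions.go; the hunk offsets (`@@ -345,7 +346,10 @@`) match, so the vendored code is effectively the same. Carrying one copy per recipe is how the layer already handles the storage securejoin patch, but an uprev of either recipe then has to drop or refresh its copy independently; the `Upstream-Status: Backport [...]` URL is the reference to check against when that happens.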
diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 83d861cb..22cf3605 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -35,6 +35,7 @@ SRC_URI = " \
git://github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https \
file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
file://CVE-2024-9675.patch;patchdir=src/github.com/containers/buildah \
+ file://CVE-2024-9341.patch;patchdir=src/github.com/containers/buildah \
"
DEPENDS = "libdevmapper btrfs-tools gpgme"
--
2.40.0
* [meta-virtualization][scarthgap][PATCH 3/3] podman: remove ptest
From: Praveen Kumar @ 2025-08-08 15:39 UTC
To: meta-virtualization; +Cc: Chen Qi, Bruce Ashfield, Praveen Kumar
From: Chen Qi <Qi.Chen@windriver.com>
The ptest was added almost three years ago and since then nobody
ever fixed anything. It's almost impossible that the ptest never
failed. As evidence, for the current version, the test cases
cannot even run.
Remove this ptest. People who care about podman ptest should be
maintaining it.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
(cherry picked from commit a8175deded4decb9b889901caabb48bf8c4edc73)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
recipes-containers/podman/podman/run-ptest | 13 -----------
recipes-containers/podman/podman_git.bb | 27 +---------------------
2 files changed, 1 insertion(+), 39 deletions(-)
delete mode 100644 recipes-containers/podman/podman/run-ptest
diff --git a/recipes-containers/podman/podman/run-ptest b/recipes-containers/podman/podman/run-ptest
deleted file mode 100644
index 108ff451..00000000
--- a/recipes-containers/podman/podman/run-ptest
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: Huawei Inc.
-#
-# SPDX-License-Identifier: MIT
-
-#
-# Podman system tests
-#
-
-# The system tests don't need any go related variables. Dummy-define them to
-# avoid useless warnings/errors.
-GOOS=undefined GO=true BUILDTAGS= make localsystem
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index d3fa38ed..36c44dc6 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,7 +21,6 @@ SRCREV = "bb81e85a430fa95d23a15b77c717fd68bf06ebf2"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v5.0;protocol=https \
${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
- file://run-ptest \
file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
file://CVE-2025-6032.patch;patchdir=src/import \
file://CVE-2024-9341.patch;patchdir=src/import \
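Review bot: the unchanged context line `file://CVE-2024-9341.patch;patchdir=src/import` and the pre-image `index d3fa38ed..36c44dc6` (d3fa38ed is the post-image of PATCH 1/3) show this hunk was generated on top of the first patch in the series; it will not apply to scarthgap without 1/3 merged first, so keep the series order or rebase this hunk if 1/3 is reworked. Dropping `file://run-ptest` here is consistent with the file deletion in the hunk above.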
@@ -58,7 +57,7 @@ TOOLCHAIN = "gcc"
export BUILDFLAGS="${GOBUILDFLAGS}"
inherit go goarch
-inherit systemd pkgconfig ptest
+inherit systemd pkgconfig
do_configure[noexec] = "1"
@@ -123,17 +122,6 @@ do_install() {
fi
}
-do_install_ptest () {
- cp ${S}/src/import/Makefile ${D}${PTEST_PATH}
- install -d ${D}${PTEST_PATH}/test
- cp -r ${S}/src/import/test/system ${D}${PTEST_PATH}/test
-
- # Some compatibility links for the Makefile assumptions.
- install -d ${D}${PTEST_PATH}/bin
- ln -s ${bindir}/podman ${D}${PTEST_PATH}/bin/podman
- ln -s ${bindir}/podman-remote ${D}${PTEST_PATH}/bin/podman-remote
-}
-
FILES:${PN} += " \
${systemd_unitdir}/system/* \
${nonarch_libdir}/systemd/* \
@@ -164,16 +152,3 @@ RRECOMMENDS:${PN} += "slirp4netns \
kernel-module-xt-tcpudp \
"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
-
-RDEPENDS:${PN}-ptest += " \
- bash \
- bats \
- buildah \
- catatonit \
- coreutils \
- file \
- gnupg \
- jq \
- make \
- tar \
-"
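Review bot: with this `RDEPENDS:${PN}-ptest` block gone, the removal is consistent across the file: `do_install_ptest` in the previous hunk, `ptest` dropped from the `inherit` line, the `file://run-ptest` SRC_URI entry and the deleted `run-ptest` script. One follow-up to check outside this diff is whether any image or packagegroup in the layer still lists `podman-ptest`, since that package no longer exists after this change.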
--
2.40.0