
[release-1.26] Properly validate cache IDs and sources

Open dashea opened this issue 1 year ago • 4 comments

Backport the changes from https://github.com/containers/buildah/pull/5778 to release-1.26

The --mount type=cache argument to the RUN instruction in Dockerfiles was using filepath.Join on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah's own cache and context directories. Switch to filepath.SecureJoin to resolve the issue.

Fixes CVE-2024-9675

What type of PR is this?

/kind bug

What this PR does / why we need it:

How to verify it

Includes the new test from the original change, build-check-cve-2024-9675

Which issue(s) this PR fixes:

https://issues.redhat.com/browse/RHEL-62366 https://issues.redhat.com/browse/RHEL-62371

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fixed CVE-2024-9675 which allowed arbitrary paths from the host to be mounted into a build container using the `--mount type=cache` argument to the `RUN` instruction in Dockerfiles.

dashea avatar Oct 21 '24 16:10 dashea
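The following is an added illustration of the path-traversal class the PR description above refers to; it is not code from Buildah or from this PR. It contrasts a naive `filepath.Join` of a user-controlled cache ID against a root directory with a confined join. The confined version here is a purely lexical approximation (it cleans the ID as if rooted at "/" and re-checks with `filepath.Rel`); the real fix uses `SecureJoin` from github.com/cyphar/filepath-securejoin, which additionally resolves symlinks inside the root. The cache root path and the sample IDs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// cacheRoot is a hypothetical stand-in for Buildah's cache directory.
const cacheRoot = "/var/tmp/buildah-cache"

// naiveCachePath mirrors the pre-fix pattern: the user-supplied ID is joined
// onto the root with filepath.Join, which happily collapses "..", so the
// result can land anywhere on the host filesystem.
func naiveCachePath(root, id string) string {
	return filepath.Join(root, id)
}

// confinedCachePath keeps the result under root lexically. Cleaning the ID as
// an absolute path first means any leading ".." components are dropped
// instead of climbing above root. The Rel check is a belt-and-braces guard.
// Unlike SecureJoin this does not resolve symlinks, so a symlink already
// present inside root could still point outside it (a known limitation of
// this simplified example).
func confinedCachePath(root, id string) (string, error) {
	cleaned := filepath.Clean("/" + id)
	joined := filepath.Join(root, cleaned)
	if escapesRoot(root, joined) {
		return "", errors.New("cache path escapes cache root")
	}
	return joined, nil
}

// escapesRoot reports whether candidate lies outside root (lexically).
func escapesRoot(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed cache IDs: a benign one, and a traversal attempt like the
	// kind a malicious Dockerfile could put in "--mount type=cache,id=...".
	for _, id := range []string{"mycache", "../../../etc/shadow"} {
		naive := naiveCachePath(cacheRoot, id)
		fmt.Printf("id=%q naive=%s escapes=%v\n", id, naive, escapesRoot(cacheRoot, naive))
		safe, err := confinedCachePath(cacheRoot, id)
		fmt.Printf("id=%q confined=%s err=%v\n", id, safe, err)
	}
}
```

Run with `go run .`; the traversal ID resolves to `/etc/shadow` under the naive join but stays beneath the cache root with the confined join. When you audit similar code, search for `filepath.Join` applied to anything that came from a Dockerfile, build argument or API request and ask whether "..", absolute paths and symlinks are each handled.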

Changes LGTM.

The older variants of Buildah version themselves slightly differently. I'm not sure what's out of whack on this one, I'd try running ./tests/version.bats from the command line to see if that detects anything.

TomSweeneyRedHat avatar Oct 21 '24 19:10 TomSweeneyRedHat

Forgot to add a new changelog entry to the spec file. Updated.

dashea avatar Oct 21 '24 22:10 dashea

@dashea I re-ran two tests that had flakes - "quay: 503 gateway timeout". Quay is notoriously flaky on these older branches. In podman CI too.

cevich avatar Oct 23 '24 20:10 cevich

Just to summarize the changes since Tom's approval: @cevich disabled selinux on the new test since selinux was preventing access to /var/tmp with or without the code change, and I added a pre-fetch on busybox in run check --from with arg due to a failure in that test to find the image.

dashea avatar Oct 24 '24 13:10 dashea

/approve /lgtm

nalind avatar Oct 24 '24 17:10 nalind

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dashea, nalind

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Oct 24 '24 17:10 openshift-ci[bot]