[release-1.35] CVE-2024-1753 fix, bump to v1.35.1, then v1.35.2-dev

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 # Changelog
 
+## v1.35.1 (2024-03-18)
+
+    [release-1.35] CVE-2024-1753 container escape fix
+
 ## v1.35.0 (2024-03-06)
 
     fix(deps): update module github.com/stretchr/testify to v1.9.0

changelog.txt

@@ -1,3 +1,6 @@
+- Changelog for v1.35.1 (2024-03-18)
+  * [release-1.35] CVE-2024-1753 container escape fix
+
 - Changelog for v1.35.0 (2024-03-06)
   * fix(deps): update module github.com/stretchr/testify to v1.9.0
   * cgroups: reuse version check from c/common

define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.35.0"
+	Version = "1.35.2-dev"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"

internal/volumes/volumes.go

@@ -11,6 +11,7 @@ import (
 
 	"errors"
 
+	"github.com/containers/buildah/copier"
 	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/internal"
 	internalParse "github.com/containers/buildah/internal/parse"
@@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 	// buildkit parity: support absolute path for sources from current build context
 	if contextDir != "" {
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, "", err
+		}
+		newMount.Source = evaluated
 	} else {
 		// looks like its coming from `build run --mount=type=bind` allow using absolute path
 		// error out if no source is set

tests/bud.bats

@@ -6628,3 +6628,26 @@ _EOF
   expect_output --substring "$podman_files"
   expect_output --substring "$podman_processes"
 }
+
+@test "build no write file on host - CVE-2024-1753" {
+  _prefetch alpine
+  cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine as base
+
+RUN ln -s / /rootdir
+
+FROM alpine
+
+# With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host
+RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit
+
+_EOF
+
+  run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+  expect_output --substring "/BIND_BREAKOUT"
+
+  run ls /BIND_BREAKOUT
+  rm -f /BIND_BREAKOUT
+  assert "$status" -eq 2 "exit code from ls"
+  expect_output --substring "No such file or directory"
+}