
[release-1.29] Properly validate cache IDs and sources #5787

Merged

Conversation

dashea

@dashea dashea commented Oct 17, 2024

This is the change from #5778 backported to 1.29.

The `--mount type=cache` argument to the `RUN` instruction in Dockerfiles was using `filepath.Join` on user input, allowing crafted paths to be used to gain access to paths on the host, when the command should normally be limited only to Buildah's own cache and context directories. Switch to `filepath.SecureJoin` to resolve the issue.

Fixes CVE-2024-9675

What type of PR is this?

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake
/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?


mheon and others added 2 commits October 17, 2024 14:49
The `--mount type=cache` argument to the `RUN` instruction in
Dockerfiles was using `filepath.Join` on user input, allowing
crafted paths to be used to gain access to paths on the host,
when the command should normally be limited only to Buildah's own
cache and context directories. Switch to `filepath.SecureJoin` to
resolve the issue.

Fixes CVE-2024-9675

Signed-off-by: Matt Heon <mheon@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
@TomSweeneyRedHat
Member

Changes LGTM. I know you noted the CVE this fixes, but can you also add the particular Jira card(s) too please? Then if you have not, please add a comment to the cards with a pointer to this PR.

@dashea
Author

dashea commented Oct 17, 2024

Fixes:

@cevich
Member

cevich commented Oct 18, 2024

@mheon you did the original backport for this, would you mind taking a peek and merging if appropriate? We're (unfortunately) on a clock to get this packaged up and released. TIA.

@nalind
Member

nalind commented Oct 18, 2024

/approve
/lgtm

Contributor

openshift-ci bot commented Oct 18, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dashea, nalind

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit b294434 into containers:release-1.29 Oct 18, 2024
22 checks passed
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jan 17, 2025