File 0001-CVE-2024-1753-container-escape-fix.patch of Package buildah (project SUSE:SLE-15-SP3:Update)
From ac3978fec1bbf0753b1cd1918305e17ea9844e6c Mon Sep 17 00:00:00 2001 From: tomsweeneyredhat <tsweeney@redhat.com> Date: Mon, 18 Mar 2024 10:47:43 -0400 Subject: [PATCH] CVE-2024-1753 container escape fix Addresses CVE-2024-1753 which allowed a user to write files to the `/` directory of the host machine if selinux was not enabled. Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com> (cherry picked from commit 4304d618f32783a52b2da1cf953dddbb6dc9c3fe) --- internal/volumes/volumes.go | 7 ++++++- tests/bud.bats | 23 +++++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go index f7ac14a59..c07c67ebe 100644 --- a/internal/volumes/volumes.go +++ b/internal/volumes/volumes.go @@ -11,6 +11,7 @@ import ( "errors" + "github.com/containers/buildah/copier" "github.com/containers/buildah/define" "github.com/containers/buildah/internal" internalParse "github.com/containers/buildah/internal/parse" @@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st // buildkit parity: support absolute path for sources from current build context if contextDir != "" { // path should be /contextDir/specified path - newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source)) + evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{}) + if err != nil { + return newMount, "", err + } + newMount.Source = evaluated } else { // looks like its coming from `build run --mount=type=bind` allow using absolute path // error out if no source is set diff --git a/tests/bud.bats b/tests/bud.bats index 0b9aed7b6..2d9acc2d0 100644 --- a/tests/bud.bats +++ b/tests/bud.bats 
@@ -6625,3 +6625,26 @@ _EOF expect_output --substring "$podman_files" expect_output --substring "$podman_processes" } + +@test "build no write file on host - CVE-2024-1753" { + _prefetch alpine + cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF +FROM alpine as base + +RUN ln -s / /rootdir + +FROM alpine + +RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host" +RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit + +_EOF + + run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR} + expect_output --substring "/BIND_BREAKOUT" + + run ls /BIND_BREAKOUT + rm -f /BIND_BREAKOUT + assert "$status" -eq 2 "exit code from ls" + expect_output --substring "No such file or directory" +} -- 2.44.0
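Review bot: in the GetBindMount hunk, the comment `// path should be /contextDir/specified path` is now stale and the `else` branch that follows it (the `build run --mount=type=bind` absolute-path case) is untouched; replace the comment with one line saying why `copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})` is used here, namely that it is meant to resolve symlinks in the source path with `contextDir` treated as the root, so a stage-side `ln -s / /rootdir` resolves to that stage's root rather than the host's, which is the case the new test exercises. It is also worth confirming in review that a `from=` stage can never reach the `else` branch with an empty `contextDir`, because nothing in this hunk guards that path and the old `filepath.Join`/`filepath.Clean` handling is replaced only on the `contextDir != ""` side.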
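Review bot: in the bud.bats hunk, `expect_output --substring "/BIND_BREAKOUT"` after `run_buildah build` is already satisfied by the preceding `RUN echo "... create /BIND_BREAKOUT in / on the host"` line, so it passes whether or not the escape happened; either drop it or assert on something only the mount can produce, such as `BIND_BREAKOUT` appearing in the second `ls -l /exploit` listing. The check that actually detects the escape is `run ls /BIND_BREAKOUT` on the host, and it is only meaningful when the suite runs as root with SELinux not enforcing, the condition the commit message itself names; a one-line comment stating that would stop a green run on an enforcing host from being read as coverage. Minor: `assert "$status" -eq 2 "exit code from ls"` pins the test to GNU `ls`, which returns 2 for a missing operand; matching on the `No such file or directory` substring alone would be enough.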