[release-1.55] backport fix for CVE-2024-9676 #2135
Conversation
fix the detection for the maximum userns size from an image. If the maximum ID used in an image is X, we need to use a user namespace with size X+1 to include UID=X.
Closes: containers#2104
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

the alpine image defines a "nogroup":
$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:
ignore it as we are already doing for the "nobody" user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

We need to read /etc/passwd and /etc/group in the container to get an idea of how many UIDs and GIDs we need to allocate for a user namespace when `--userns=auto` is specified. We were forming paths for these using filepath.Join, which is not safe for paths within a container, resulting in this CVE allowing crafted symlinks in the container to access paths on the host instead.
Addresses CVE-2024-9676
Signed-off-by: Matt Heon <mheon@redhat.com>
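The root cause in the commit message above, a lexical filepath.Join of the container root and an in-container path, shown beside a join that keeps every symlink target inside the root. This is an added example, not code from this PR or from containers/storage; secureJoin is an illustrative re-implementation of the approach taken by the filepath-securejoin library, not that library's code, and the rootfs layout it walks is assumed.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// unsafeJoin is the pattern the fix removes: filepath.Join is purely lexical, so a
// symlink at etc/passwd inside root pointing at /etc/passwd resolves to the host file.
func unsafeJoin(root, unsafePath string) string {
	return filepath.Join(root, unsafePath)
}

// secureJoin resolves unsafePath under root, re-rooting absolute symlink targets and
// clamping ".." at root; an illustrative re-implementation of the filepath-securejoin idea.
func secureJoin(root, unsafePath string) (string, error) {
	resolved, pending := "", strings.Split(unsafePath, "/") // resolved: relative to root
	for hops := 0; len(pending) > 0; {
		part := pending[0]
		pending = pending[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			if resolved = filepath.Dir(resolved); resolved == "." {
				resolved = "" // cannot climb above root
			}
			continue
		}
		candidate := filepath.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate // missing or non-symlink entry: keep walking lexically
			continue
		}
		if hops++; hops > 255 { // guard against symlink loops
			return "", errors.New("too many levels of symbolic links")
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = "" // absolute target is reinterpreted relative to root, not the host
		}
		pending = append(strings.Split(target, "/"), pending...)
	}
	return filepath.Join(root, resolved), nil
}
```

A caller that then opens the returned path still races against a rootfs that changes underneath it; the lexical walk removes the escape via crafted symlinks, not every time-of-check/time-of-use window.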
This takes care of release-1.55 which takes care of the current Podman and Buildah release branches
@nalind Any idea what's going on with lint over here? I'm seeing the same locally, but I'm pretty sure they aren't caused by this PR either.
I'm not sure why, but
Do we have a minimum supported Go version of 1.21 for the branch? My preliminary investigation suggests 1.22 might pass.
It tends to be dictated by its consumers. Organization-wide, I think we tend to either use "the oldest currently supported golang", or "the version available on the distributions where we still need to be able to build". The buildah 1.37 branch and podman 5.2 branches appear to be using 1.21, fwiw.
/retitle [release-1.55] backport fix for CVE-2026-9676
A lot of these seem completely erroneous. It's complaining that
Matches what we're compiling with. Signed-off-by: Matt Heon <mheon@redhat.com>
Well, whatever I was doing locally was clearly incorrect, because 1.21 failed locally but seems to pass here. Fascinating.
LGTM
@containers/storage-maintainers PTAL
I guess there's a typo and it should be CVE-2024-9676.
That is indeed a typo. At least I got the identifier within the year correct.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Merged commit 465d8c0 into containers:release-1.55
Need a new release cut with this and vendored into the usual places.
Ack, I'll start vendoring this afternoon.
It would be helpful to retitle this to CVE-2024-9676 for those trying to search for this CVE in the repo.
Also drags in a backport of #2105 to make the diff apply cleanly. I don't think there's harm in doing so.