[release-1.29] Fix CVE-2024-11218 #5953
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow cache mounts (RUN --mount=type=cache) to refer to other stages or additional build contexts. Update the build-check-cve-2024-9675 integration test to use different directories for its main build context and the additional build context that it uses for its final run. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]> Signed-off-by: Vivek Naruka <[email protected]>
Add a package that lets us open a directory in a chroot, pass its descriptor up, and then bind mount that directory to a specified location. Signed-off-by: Nalin Dahyabhai <[email protected]>
Add a helper that uses the new internal/open package to bind mount a location inside of a chroot direct to a new temporary location, for ensuring that the latter is not bind-mounted from outside of the chroot. Signed-off-by: Nalin Dahyabhai <[email protected]>
Add a ForceMount flag to pkg/overlay.Options that forces mounting the overlay filesystem and returning a bind mount to it instead of trying to leave that for later in cases where we're able to have the kernel do it. This is mainly for the sake of callers that want to do more things with the mounted overlay filesystem before passing them to the (presumably) OCI runtime. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
Add a way to pass a "set the SELinux contexts" labels to MountWithOptions. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]> Signed-off-by: Vivek Naruka <[email protected]>
When handling RUN --mount=type=bind, where the mount is read-write, instead of a simple bind mount, create an overlay mount with an upper directory that will be discarded after the overlay mount is unmounted. This brings us in line with the expected behavior, wherein writes to bind mounts should be discarded. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: Vivek Naruka <[email protected]>
Ensure that the temporary directory that we create is never itself the top-level directory of the content that we're downloading, in case it's an archive which includes a "." with weird permissions. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
Fix a time-of-check/time-of-use error when mounting type=bind and type=cache directories that use a "src" flag. A hostile writer could use a concurrently-running stage or build to replace that "src" location between the point when we had resolved possible symbolic links and when runc/crun/whatever actually went to create the bind mount (CVE-2024-11218). Stop ignoring the "src" option for cache mounts when there's no "from" option. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: Vivek Naruka <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vnaruka The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Append to the lock list instead of replacing it. Signed-off-by: Vivek Naruka <[email protected]>
Signed-off-by: Vivek Naruka <[email protected]>
vnaruka
force-pushed
the
vnaruka-1.29-CVE-2024-11218
branch
from
d3209bb to
f8e299c
Compare
Signed-off-by: Vivek Naruka <[email protected]>
|
Please see my commits in #5955, esp. FIXME: These changes should go someplace else represents what was needed to get things compiling based on this PR (at 0bb4065). |
|
Closing as discussed. We'll use #5955 instead. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
What this PR does / why we need it:
Backport the changes for [GHSA-5vpc-35f4-r8w6] to the 1.29 branch.
How to verify it
Which issue(s) this PR fixes:
Fixes RHEL-67614 RHEL-67608
Special notes for your reviewer:
Does this PR introduce a user-facing change?