[release-1.26] backport fix for CVE-2024-11218 #5931
Allow cache mounts (RUN --mount=type=cache) to refer to other stages or additional build contexts. Update the build-check-cve-2024-9675 integration test to use different directories for its main build context and the additional build context that it uses for its final run. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
Add a package that lets us open a directory in a chroot, pass its descriptor up, and then bind mount that directory to a specified location. Signed-off-by: Nalin Dahyabhai <[email protected]>
Add a helper that uses the new internal/open package to bind mount a location inside of a chroot direct to a new temporary location, for ensuring that the latter is not bind-mounted from outside of the chroot. Signed-off-by: Nalin Dahyabhai <[email protected]>
Add a ForceMount flag to pkg/overlay.Options that forces mounting the overlay filesystem and returning a bind mount to it instead of trying to leave that for later in cases where we're able to have the kernel do it. This is mainly for the sake of callers that want to do more things with the mounted overlay filesystem before passing them to the (presumably) OCI runtime. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
Add a way to pass "set the SELinux contexts" labels to MountWithOptions. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
This branch predates the splitup in pkg/overlay, so I don't think we'll need 44e2788
/retitle [release-1.26] backport fix for CVE-2024-11218
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dashea, nalind The full list of commands accepted by this bot can be found here. The pull request process is described here
Force-pushed from ce3be90 to 8673136.
I think we're missing an equivalent for 7320f49#diff-88267013462361b7dd8d8bde4c038ce82c090a9c72936d14bcd6c368aa91323bR526-R530 from 8673136
Force-pushed from 8673136 to 2fee799.
Thanks, added
Force-pushed from d70c3ab to 8b8b588.
When handling RUN --mount=type=bind, where the mount is read-write, instead of a simple bind mount, create an overlay mount with an upper directory that will be discarded after the overlay mount is unmounted. This brings us in line with the expected behavior, wherein writes to bind mounts should be discarded. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
Force-pushed from 990c324 to 6475964.
Ensure that the temporary directory that we create is never itself the top-level directory of the content that we're downloading, in case it's an archive which includes a "." with weird permissions. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
Fix a time-of-check/time-of-use error when mounting type=bind and type=cache directories that use a "src" flag. A hostile writer could use a concurrently-running stage or build to replace that "src" location between the point when we had resolved possible symbolic links and when runc/crun/whatever actually went to create the bind mount (CVE-2024-11218). Stop ignoring the "src" option for cache mounts when there's no "from" option. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: David Shea <[email protected]>
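The race described in the commit message above is the classic check-then-use-by-name mistake: resolving symlinks yields a path string, and a path string can be made to name something else before the runtime looks it up again. The following is an added, runnable illustration and is not buildah's code. It builds a throwaway directory layout (constructed for the demo), plays the hostile writer by moving the resolved directory aside and dropping a same-named symlink at the attacker's content, and then compares two consumers: one that re-resolves the remembered path (the pre-fix behaviour) and one that opened the directory first and keeps working through the descriptor (the principle behind the internal/open package, which on Linux a caller would typically turn into a bind mount of the descriptor's object). The names fixture, MountByPath and MountByDescriptor are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// fixture is a constructed build-context layout for the demo (not buildah code).
// "safe" is the directory the build intends to use as the mount's "src";
// "evil" is content a hostile concurrent writer wants used in its place.
type fixture struct {
	root, safe, evil string
}

func newFixture() (*fixture, error) {
	root, err := os.MkdirTemp("", "toctou-demo-")
	if err != nil {
		return nil, err
	}
	f := &fixture{root: root, safe: filepath.Join(root, "safe"), evil: filepath.Join(root, "evil")}
	for _, d := range []string{f.safe, f.evil} {
		if err := os.Mkdir(d, 0o755); err != nil {
			os.RemoveAll(root)
			return nil, err
		}
	}
	return f, nil
}

func (f *fixture) cleanup() { os.RemoveAll(f.root) }

// swapSrc is the hostile writer acting inside the race window: it moves the
// already-resolved directory aside and plants a symlink with the same name
// pointing at the attacker's content. The resolved path *string* now names
// something else, but the original directory inode still exists at ".moved".
func (f *fixture) swapSrc() error {
	if err := os.Rename(f.safe, f.safe+".moved"); err != nil {
		return err
	}
	return os.Symlink(f.evil, f.safe)
}

// intended reports whether fi is the directory the build meant to use.
func (f *fixture) intended(fi os.FileInfo) bool {
	moved, err := os.Stat(f.safe + ".moved")
	if err != nil {
		return false
	}
	return os.SameFile(fi, moved)
}

// MountByPath models the pre-fix sequence: resolve symlinks to a path, then
// later hand that path to something that looks it up again by name.
// It returns true only if the directory actually reached is the intended one.
func MountByPath() (bool, error) {
	f, err := newFixture()
	if err != nil {
		return false, err
	}
	defer f.cleanup()
	resolved, err := filepath.EvalSymlinks(f.safe) // time of check
	if err != nil {
		return false, err
	}
	if err := f.swapSrc(); err != nil { // race window
		return false, err
	}
	reached, err := os.Stat(resolved) // time of use: a fresh lookup by name
	if err != nil {
		return false, err
	}
	return f.intended(reached), nil
}

// MountByDescriptor models the fix: open the resolved directory and keep the
// descriptor, so later work (in buildah, the bind mount) targets the opened
// object rather than a name that can be re-pointed underneath it.
func MountByDescriptor() (bool, error) {
	f, err := newFixture()
	if err != nil {
		return false, err
	}
	defer f.cleanup()
	resolved, err := filepath.EvalSymlinks(f.safe)
	if err != nil {
		return false, err
	}
	dir, err := os.Open(resolved) // pin the object, not the name
	if err != nil {
		return false, err
	}
	defer dir.Close()
	if err := f.swapSrc(); err != nil { // same race window
		return false, err
	}
	reached, err := dir.Stat() // fstat on the held descriptor
	if err != nil {
		return false, err
	}
	return f.intended(reached), nil
}

func main() {
	byPath, _ := MountByPath()
	byFd, _ := MountByDescriptor()
	fmt.Printf("path-based use reached the intended dir: %v\n", byPath)
	fmt.Printf("descriptor-based use reached the intended dir: %v\n", byFd)
}
```

Running it prints false for the path-based consumer and true for the descriptor-based one. The check worth carrying into a real fix is the second half: anything that must act on a verified directory should act on the descriptor obtained at verification time, and the "src" of a type=bind or type=cache mount is exactly such a directory.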
Signed-off-by: David Shea <[email protected]>
Append to the lock list instead of replacing it. Signed-off-by: David Shea <[email protected]>
Force-pushed from 6475964 to 138ad69.
Found the problem with the
Signed-off-by: David Shea <[email protected]>
Force-pushed from 6ff8b71 to a313689.
/lgtm
Merged a4ab900 into containers:release-1.26.
What type of PR is this?
/kind bug
What this PR does / why we need it:
Backport the changes for GHSA-5vpc-35f4-r8w6 to the 1.26 branch.
How to verify it
Which issue(s) this PR fixes:
RHEL-67609
Special notes for your reviewer:
Does this PR introduce a user-facing change?