packages/buildah
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!9 [sync] PR-8: Fix CVE-2024-1753

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jianli-97 
Signed-off-by: @jianli-97
This commit is contained in:
openeuler-ci-bot 2024-04-11 09:30:38 +00:00 committed by Gitee
commit 782faf4516
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 46 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
0002-fix-CVE-2024-1753.patch Normal file
View File

@ -0,0 +1,37 @@
From 6417891690fc0bc85ca4335d7c6ecf8d19ead121 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Thu, 11 Apr 2024 13:53:33 +0800
Subject: [PATCH] fix CVE-2024-1753
---
internal/volumes/volumes.go | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
index f7ac14a..c07c67e 100644
--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
@@ -11,6 +11,7 @@ import (
"errors"
+ "github.com/containers/buildah/copier"
"github.com/containers/buildah/define"
"github.com/containers/buildah/internal"
internalParse "github.com/containers/buildah/internal/parse"
@@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
// buildkit parity: support absolute path for sources from current build context
if contextDir != "" {
// path should be /contextDir/specified path
- newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+ evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+ if err != nil {
+ return newMount, "", err
+ }
+ newMount.Source = evaluated
} else {
// looks like its coming from `build run --mount=type=bind` allow using absolute path
// error out if no source is set
--
2.20.1

11
buildah.spec
View File

@ -22,7 +22,7 @@
Name: buildah Name: buildah
Version: 1.34.1 Version: 1.34.1
Release: 2 Release: 3
Summary: A command line tool used for creating OCI Images Summary: A command line tool used for creating OCI Images
License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0 License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0
URL: https://%{name}.io URL: https://%{name}.io
@ -30,6 +30,7 @@ Source: %{git0}/archive/refs/tags/v%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.2.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.2.tar.gz
Patch0001: 0001-fix-CVE-2024-24786.patch Patch0001: 0001-fix-CVE-2024-24786.patch
Patch0002: 0002-fix-CVE-2024-1753.patch
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel
BuildRequires: git-core BuildRequires: git-core
@ -77,7 +78,7 @@ Requires: git-daemon
This package contains system tests for %{name} This package contains system tests for %{name}
%prep %prep
%autosetup -Sgit -n %{name}-%{version} %autosetup -Sgit -n %{name}-%{version} -p1
tar -xf %SOURCE1 tar -xf %SOURCE1
%build %build
@ -145,6 +146,12 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/*
%{_datadir}/%{name}/test %{_datadir}/%{name}/test
%changelog %changelog
* Thu Apr 11 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2024-1753
* Wed Apr 10 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-2 * Wed Apr 10 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-2
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA