fix CVE-2024-9676,CVE-2024-9675, CVE-2024-9407, and CVE-2024-9341

2025-01-10 15:29:56 +08:00 · 2025-01-10 15:29:56 +08:00 · 484c247e80
commit 484c247e80
parent b8fcf2ff21
2 changed files with 574 additions and 1 deletions
--- a/0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch
+++ b/0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch
@ -0,0 +1,565 @@
+From 41b0d431e1d5df30149add3713ac54d1f43f7f6d Mon Sep 17 00:00:00 2001
+From: duyiwei <duyiwei@kylinos.cn>
+Date: Fri, 10 Jan 2025 17:06:36 +0800
+Subject: [PATCH] test
+
+Signed-off-by: duyiwei <duyiwei@kylinos.cn>
+---
+ go.mod                                        |  8 +-
+ go.sum                                        | 16 ++--
+ .../github.com/containers/buildah/.cirrus.yml |  8 +-
+ .../containers/buildah/define/types.go        |  2 +-
+ .../buildah/internal/volumes/volumes.go       | 31 ++++++-
+ .../common/pkg/subscriptions/subscriptions.go |  6 +-
+ .../containers/common/version/version.go      |  2 +-
+ .../image/v5/docker/docker_image.go           | 22 ++++-
+ .../containers/image/v5/version/version.go    |  2 +-
+ .../github.com/containers/storage/.cirrus.yml |  2 +-
+ vendor/github.com/containers/storage/VERSION  |  2 +-
+ .../storage/drivers/overlay/overlay.go        | 41 +++++++--
+ .../github.com/containers/storage/userns.go   | 92 +++++++++++++------
+ .../containers/storage/userns_unsupported.go  | 14 +++
+ vendor/modules.txt                            |  8 +-
+ 15 files changed, 186 insertions(+), 70 deletions(-)
+ create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
+
+diff --git a/go.mod b/go.mod
+index b1e2758..1ef9ab7 100644
+--- a/go.mod
+++ b/go.mod
+@@ -11,15 +11,15 @@ require (
+ 	github.com/checkpoint-restore/go-criu/v7 v7.0.0
+ 	github.com/containernetworking/cni v1.1.2
+ 	github.com/containernetworking/plugins v1.3.0
+-	github.com/containers/buildah v1.33.7
+-	github.com/containers/common v0.57.4
+	github.com/containers/buildah v1.33.11
+	github.com/containers/common v0.57.7
+ 	github.com/containers/conmon v2.0.20+incompatible
+ 	github.com/containers/gvisor-tap-vsock v0.7.2
+-	github.com/containers/image/v5 v5.29.2
+	github.com/containers/image/v5 v5.29.4
+ 	github.com/containers/libhvee v0.5.0
+ 	github.com/containers/ocicrypt v1.1.9
+ 	github.com/containers/psgo v1.8.0
+-	github.com/containers/storage v1.51.0
+	github.com/containers/storage v1.51.2
+ 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
+ 	github.com/coreos/stream-metadata-go v0.4.4
+ 	github.com/crc-org/vfkit v0.1.2-0.20231030102423-f3c783d34420
+diff --git a/go.sum b/go.sum
+index 42178b0..92b443a 100644
+--- a/go.sum
+++ b/go.sum
+@@ -258,16 +258,16 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
+ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
+ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM=
+ github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
+-github.com/containers/buildah v1.33.7 h1:Y2kNea+hNNyZ74ppYFWmD0cLc/DwZ5A4NEUPQWPj5Zw=
+-github.com/containers/buildah v1.33.7/go.mod h1:pphfdjrwtTWkuIy1aDyZMEVyMfmm0DsbvxLGxxEU1cM=
+-github.com/containers/common v0.57.4 h1:kmfBad92kUjP5X44BPpOwMe+eZQqaKETfS+ASeL0g+g=
+-github.com/containers/common v0.57.4/go.mod h1:o3L3CyOI9yr+JC8l4dZgvqTxcjs3qdKmkek00uchgvw=
+github.com/containers/buildah v1.33.11 h1:WhEw4xD251utfeb3Huijb/yiTY62tqh8IzchcbnQ2rA=
+github.com/containers/buildah v1.33.11/go.mod h1:MtL+0XpZL5csljQDshjeQfvjzyTV0hgZsSoExmO3eu8=
+github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g=
+github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ=
+ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
+ github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
+ github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
+ github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
+-github.com/containers/image/v5 v5.29.2 h1:b8U0XYWhaQbKucK73IbmSm8WQyKAhKDbAHQc45XlsOw=
+-github.com/containers/image/v5 v5.29.2/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4=
+github.com/containers/image/v5 v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+ github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
+ github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0=
+ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
+@@ -282,8 +282,8 @@ github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPN
+ github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
+ github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
+ github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
+-github.com/containers/storage v1.51.0 h1:AowbcpiWXzAjHosKz7MKvPEqpyX+ryZA/ZurytRrFNA=
+-github.com/containers/storage v1.51.0/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc=
+github.com/containers/storage v1.51.2 h1:Xw8p1AG1A+Nh6dCsb1UOB3YKF5uzlCkI3uAP4fsFup4=
+github.com/containers/storage v1.51.2/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc=
+ github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+ github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml
+index ac12d66..5d99964 100644
+--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
+@@ -138,14 +138,10 @@ cross_build_task:
+     only_if: >-
+         $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+ 
+-    osx_instance:
+-        image: ghcr.io/cirruslabs/macos-ventura-base:latest
+    env:
+        HOME: /root
+ 
+     script:
+-        - brew update
+-        - brew install go
+-        - brew install go-md2man
+-        - brew install gpgme
+         - go version
+         - make cross CGO_ENABLED=0
+ 
+diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go
+index 50adce0..0e1e963 100644
+--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
+@@ -29,7 +29,7 @@ const (
+ 	// identify working containers.
+ 	Package = "buildah"
+ 	// Version for the Package. Also used by .packit.sh for Packit builds.
+-	Version = "1.33.7"
+	Version = "1.33.11"
+ 
+ 	// DefaultRuntime if containers.conf fails.
+ 	DefaultRuntime = "runc"
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index fd1ff7f..f20b254 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/lockfile"
+ 	"github.com/containers/storage/pkg/unshare"
+	digest "github.com/opencontainers/go-digest"
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	selinux "github.com/opencontainers/selinux/go-selinux"
+ )
+@@ -101,6 +102,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 			if len(kv) == 1 {
+ 				return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ 			}
+			switch kv[1] {
+			default:
+				return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
+ 			newMount.Options = append(newMount.Options, kv[1])
+ 		case "src", "source":
+ 			if len(kv) == 1 {
+@@ -276,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			if len(kv) == 1 {
+ 				return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
+ 			}
+			switch kv[1] {
+			default:
+				return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
+ 			newMount.Options = append(newMount.Options, kv[1])
+ 		case "id":
+ 			if len(kv) == 1 {
+@@ -361,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 			return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+ 		}
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, nil, err
+		}
+		newMount.Source = evaluated
+ 	} else {
+ 		// we need to create cache on host if no image is being used
+ 
+@@ -378,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+ 		}
+ 
+ 		if id != "" {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(id).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		} else {
+-			newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+-			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+			// Don't let the user control where we place the directory.
+			dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+			newMount.Source = filepath.Join(cacheParent, dirID)
+			buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+ 		}
+ 		idPair := idtools.IDPair{
+ 			UID: uid,
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154..d976329 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ 	"github.com/containers/common/pkg/umask"
+ 	"github.com/containers/storage/pkg/idtools"
+	securejoin "github.com/cyphar/filepath-securejoin"
+ 	rspec "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ 	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ 	destDir := "/etc/crypto-policies/back-ends"
+-	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+	if err != nil {
+		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+	}
+ 	if _, err := os.Stat(srcOnHost); err != nil {
+ 		if errors.Is(err, os.ErrNotExist) {
+ 			return nil
+diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
+index 19ba92c..131d5bb 100644
+--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
+@@ -1,4 +1,4 @@
+ package version
+ 
+ // Version is the version of the build.
+-const Version = "0.57.4"
+const Version = "0.57.7"
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
+index 9316048..74f559d 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
+@@ -14,6 +14,7 @@ import (
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+ 	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+ )
+ 
+ // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
+@@ -88,7 +89,26 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
+ 		if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
+ 			return nil, err
+ 		}
+-		tags = append(tags, tagsHolder.Tags...)
+		for _, tag := range tagsHolder.Tags {
+			if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
+				// Per https://github.com/containers/skopeo/issues/2409 , Sonatype Nexus 3.58, contrary
+				// to the spec, may include JSON null values in the list; and Go silently parses them as "".
+				if tag == "" {
+					logrus.Debugf("Ignoring invalid empty tag")
+					continue
+				}
+				// Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
+				// contrary to the tag format specified in
+				// https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
+				// include digests in the list.
+				if _, err := digest.Parse(tag); err == nil {
+					logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
+					continue
+				}
+				return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
+			}
+			tags = append(tags, tag)
+		}
+ 
+ 		link := res.Header.Get("Link")
+ 		if link == "" {
+diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
+index b24ee88..441e467 100644
+--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
+@@ -8,7 +8,7 @@ const (
+ 	// VersionMinor is for functionality in a backwards-compatible manner
+ 	VersionMinor = 29
+ 	// VersionPatch is for backwards-compatible bug fixes
+-	VersionPatch = 2
+	VersionPatch = 4
+ 
+ 	// VersionDev indicates development branch. Releases will be empty string.
+ 	VersionDev = ""
+diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
+index c41dd5d..9e61509 100644
+--- a/vendor/github.com/containers/storage/.cirrus.yml
+++ b/vendor/github.com/containers/storage/.cirrus.yml
+@@ -119,7 +119,7 @@ lint_task:
+     env:
+         CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
+     container:
+-        image: golang
+        image: golang:1.19
+     modules_cache:
+         fingerprint_script: cat go.sum
+         folder: $GOPATH/pkg/mod
+diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
+index ba0a719..aa618f0 100644
+--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
+@@ -1 +1 @@
+-1.51.0
+1.51.2
+diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+index 04ecf87..d618d14 100644
+--- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+@@ -1670,13 +1670,21 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
+ 	}
+ 
+ 	if err := idtools.MkdirAllAs(diffDir, perms, rootUID, rootGID); err != nil {
+-		return "", err
+		if !inAdditionalStore {
+			return "", err
+		}
+		// if it is in an additional store, do not fail if the directory already exists
+		if _, err2 := os.Stat(diffDir); err2 != nil {
+			return "", err
+		}
+ 	}
+ 
+ 	mergedDir := path.Join(workDirBase, "merged")
+-	// Create the driver merged dir
+-	if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) {
+-		return "", err
+	// Attempt to create the merged dir only if it doesn't exist.
+	if _, err := os.Stat(mergedDir); err != nil && os.IsNotExist(err) {
+		if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) {
+			return "", err
+		}
+ 	}
+ 	if count := d.ctr.Increment(mergedDir); count > 1 {
+ 		return mergedDir, nil
+@@ -1841,7 +1849,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
+ 
+ // Put unmounts the mount path created for the give id.
+ func (d *Driver) Put(id string) error {
+-	dir := d.dir(id)
+	dir, _, inAdditionalStore := d.dir2(id)
+ 	if _, err := os.Stat(dir); err != nil {
+ 		return err
+ 	}
+@@ -1902,11 +1910,26 @@ func (d *Driver) Put(id string) error {
+ 		}
+ 	}
+ 
+-	if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) {
+-		logrus.Debugf("Failed to remove mountpoint %s overlay: %s - %v", id, mountpoint, err)
+-		return fmt.Errorf("removing mount point %q: %w", mountpoint, err)
+	if !inAdditionalStore {
+		uid, gid := int(0), int(0)
+		fi, err := os.Stat(mountpoint)
+		if err != nil {
+			return err
+		}
+		if stat, ok := fi.Sys().(*syscall.Stat_t); ok {
+			uid, gid = int(stat.Uid), int(stat.Gid)
+		}
+		tmpMountpoint := path.Join(dir, "merged.1")
+		if err := idtools.MkdirAs(tmpMountpoint, 0o700, uid, gid); err != nil && !errors.Is(err, os.ErrExist) {
+			return err
+		}
+		// rename(2) can be used on an empty directory, as it is the mountpoint after umount, and it retains
+		// its atomic semantic.  In this way the "merged" directory is never removed.
+		if err := unix.Rename(tmpMountpoint, mountpoint); err != nil {
+			logrus.Debugf("Failed to replace mountpoint %s overlay: %s - %v", id, mountpoint, err)
+			return fmt.Errorf("replacing mount point %q: %w", mountpoint, err)
+		}
+ 	}
+-
+ 	return nil
+ }
+ 
+diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
+index 32ae830..2c855da 100644
+--- a/vendor/github.com/containers/storage/userns.go
+++ b/vendor/github.com/containers/storage/userns.go
+@@ -1,18 +1,21 @@
+//go:build linux
+
+ package storage
+ 
+ import (
+ 	"fmt"
+ 	"os"
+ 	"os/user"
+-	"path/filepath"
+ 	"strconv"
+ 
+ 	drivers "github.com/containers/storage/drivers"
+ 	"github.com/containers/storage/pkg/idtools"
+ 	"github.com/containers/storage/pkg/unshare"
+ 	"github.com/containers/storage/types"
+	securejoin "github.com/cyphar/filepath-securejoin"
+ 	libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ 	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+ )
+ 
+ // getAdditionalSubIDs looks up the additional IDs configured for
+@@ -85,40 +88,59 @@ const nobodyUser = 65534
+ // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+ // /etc/group files.
+ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
+	var (
+		passwd *os.File
+		group  *os.File
+		size   int
+		err    error
+	)
+ 	if passwdFile == "" {
+-		passwdFile = filepath.Join(containerMount, "etc/passwd")
+-	}
+-	if groupFile == "" {
+-		groupFile = filepath.Join(groupFile, "etc/group")
+		passwd, err = secureOpen(containerMount, "/etc/passwd")
+	} else {
+		// User-specified override from a volume. Will not be in
+		// container root.
+		passwd, err = os.Open(passwdFile)
+ 	}
+-
+-	size := 0
+-
+-	users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+ 	if err == nil {
+-		for _, u := range users {
+-			// Skip the "nobody" user otherwise we end up with 65536
+-			// ids with most images
+-			if u.Name == "nobody" {
+-				continue
+-			}
+-			if u.Uid > size && u.Uid != nobodyUser {
+-				size = u.Uid
+-			}
+-			if u.Gid > size && u.Gid != nobodyUser {
+-				size = u.Gid
+		defer passwd.Close()
+
+		users, err := libcontainerUser.ParsePasswd(passwd)
+		if err == nil {
+			for _, u := range users {
+				// Skip the "nobody" user otherwise we end up with 65536
+				// ids with most images
+				if u.Name == "nobody" || u.Name == "nogroup" {
+					continue
+				}
+				if u.Uid > size && u.Uid != nobodyUser {
+					size = u.Uid + 1
+				}
+				if u.Gid > size && u.Gid != nobodyUser {
+					size = u.Gid + 1
+				}
+ 			}
+ 		}
+ 	}
+ 
+-	groups, err := libcontainerUser.ParseGroupFile(groupFile)
+	if groupFile == "" {
+		group, err = secureOpen(containerMount, "/etc/group")
+	} else {
+		// User-specified override from a volume. Will not be in
+		// container root.
+		group, err = os.Open(groupFile)
+	}
+ 	if err == nil {
+-		for _, g := range groups {
+-			if g.Name == "nobody" {
+-				continue
+-			}
+-			if g.Gid > size && g.Gid != nobodyUser {
+-				size = g.Gid
+		defer group.Close()
+
+		groups, err := libcontainerUser.ParseGroup(group)
+		if err == nil {
+			for _, g := range groups {
+				if g.Name == "nobody" || g.Name == "nogroup" {
+					continue
+				}
+				if g.Gid > size && g.Gid != nobodyUser {
+					size = g.Gid + 1
+				}
+ 			}
+ 		}
+ 	}
+@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings(
+ 	gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+ 	return uidMap, gidMap, nil
+ }
+
+// Securely open (read-only) a file in a container mount.
+func secureOpen(containerMount, file string) (*os.File, error) {
+	filePath, err := securejoin.SecureJoin(containerMount, file)
+	if err != nil {
+		return nil, err
+	}
+
+	flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
+	fileHandle, err := os.OpenFile(filePath, flags, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	return fileHandle, nil
+}
+diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
+new file mode 100644
+index 0000000..e37c18f
+--- /dev/null
+++ b/vendor/github.com/containers/storage/userns_unsupported.go
+@@ -0,0 +1,14 @@
+//go:build !linux
+
+package storage
+
+import (
+	"errors"
+
+	"github.com/containers/storage/pkg/idtools"
+	"github.com/containers/storage/types"
+)
+
+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
+	return nil, nil, errors.New("user namespaces are not supported on this platform")
+}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index c261d97..f7fe104 100644
+--- a/vendor/modules.txt
+++ b/vendor/modules.txt
+@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version
+ # github.com/containernetworking/plugins v1.3.0
+ ## explicit; go 1.20
+ github.com/containernetworking/plugins/pkg/ns
+-# github.com/containers/buildah v1.33.7
+# github.com/containers/buildah v1.33.11
+ ## explicit; go 1.20
+ github.com/containers/buildah
+ github.com/containers/buildah/bind
+@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
+ github.com/containers/buildah/pkg/util
+ github.com/containers/buildah/pkg/volumes
+ github.com/containers/buildah/util
+-# github.com/containers/common v0.57.4
+# github.com/containers/common v0.57.7
+ ## explicit; go 1.18
+ github.com/containers/common/internal/attributedstring
+ github.com/containers/common/libimage
+@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
+ # github.com/containers/gvisor-tap-vsock v0.7.2
+ ## explicit; go 1.20
+ github.com/containers/gvisor-tap-vsock/pkg/types
+-# github.com/containers/image/v5 v5.29.2
+# github.com/containers/image/v5 v5.29.4
+ ## explicit; go 1.19
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+@@ -353,7 +353,7 @@ github.com/containers/psgo/internal/dev
+ github.com/containers/psgo/internal/host
+ github.com/containers/psgo/internal/proc
+ github.com/containers/psgo/internal/process
+-# github.com/containers/storage v1.51.0
+# github.com/containers/storage v1.51.2
+ ## explicit; go 1.19
+ github.com/containers/storage
+ github.com/containers/storage/drivers
+-- 
+2.33.0
+
--- a/podman.spec
+++ b/podman.spec
@ -2,7 +2,7 @@

 Name:          podman
 Version:       4.9.4
-Release:       10
+Release:       11
 Summary:       A tool for managing OCI containers and pods.
 Epoch:         1
 License:       Apache-2.0 and MIT
@ -17,6 +17,7 @@ Patch0002:    0002-fix-CVE-2023-3978.patch
 Patch0003:    0003-fix-CVE-2023-48795.patch
 Patch0004:    0004-fix-CVE-2022-3064.patch
 Patch0005:    0005-fix-CVE-2024-28180.patch
+Patch0006:    0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch

 BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
@ -132,6 +133,7 @@ tar zxf %{SOURCE3}
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
+%patch0006 -p1

 %ifarch loongarch64
 cd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
@ -306,6 +308,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 %{_bindir}/%{name}sh

 %changelog
+* Fri Jan 10 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-11
+- Type:bugfix
+- CVE:CVE-2024-9676,CVE-2024-9675, CVE-2024-9407,CVE-2024-9341
+- SUG:NA
+- DESC: fix CVE-2024-9676,CVE-2024-9675, CVE-2024-9407, and CVE-2024-9341
+
 * Thu Jan 09 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-10
 - Type:bugfix
 - CVE:CVE-2024-9355、CVE-2019-9514、CVE-2024-24791、CVE-2022-32189、CVE-2022-41715、CVE-2022-2880、CVE-2022-1962、CVE-2023-45290、CVE-2024-24783、CVE-2024-24785