File 0002-CVE-2024-1753-container-escape-fix.patch of Package buildah.37504

From d370c199db7b5a5ba7f67f981748b973c78bc22f Mon Sep 17 00:00:00 2001
From: Tom Sweeney <tsweeney@redhat.com>
Date: Tue, 19 Mar 2024 13:35:33 +0100
Subject: [PATCH 2/4] CVE-2024-1753 container escape fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses CVE-2024-1753 which allowed a user to write files to the `/` directory
of the host machine if selinux was not enabled.

Backported from 4304d618f32783a52b2da1cf953dddbb6dc9c3fe

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Signed-off-by: Dan Čermák <dcermak@suse.com>
---
 internal/parse/parse.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/parse/parse.go b/internal/parse/parse.go
index 832b2b9ab..3c2f241ed 100644
--- a/internal/parse/parse.go
+++ b/internal/parse/parse.go
@@ -8,6 +8,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/containers/buildah/copier"
 	"github.com/containers/buildah/internal"
 	internalUtil "github.com/containers/buildah/internal/util"
 	"github.com/containers/common/pkg/parse"
@@ -151,7 +152,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 	// buildkit parity: support absolute path for sources from current build context
 	if contextDir != "" {
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, "", err
+		}
+		newMount.Source = evaluated
 	} else {
 		// looks like its coming from `build run --mount=type=bind` allow using absolute path
 		// error out if no source is set
-- 
2.49.0