Overview

File 0001-CVE-2024-1753-container-escape-fix.patch of Package buildah.32911

From ac3978fec1bbf0753b1cd1918305e17ea9844e6c Mon Sep 17 00:00:00 2001
From: tomsweeneyredhat <tsweeney@redhat.com>
Date: Mon, 18 Mar 2024 10:47:43 -0400
Subject: [PATCH] CVE-2024-1753 container escape fix

Addresses CVE-2024-1753 which allowed a user to write files to the
`/` directory of the host machine if selinux was not enabled.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
(cherry picked from commit 4304d618f32783a52b2da1cf953dddbb6dc9c3fe)
---
 internal/volumes/volumes.go |  7 ++++++-
 tests/bud.bats              | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
index f7ac14a59..c07c67ebe 100644
--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
@@ -11,6 +11,7 @@ import (
 
 	"errors"
 
+	"github.com/containers/buildah/copier"
 	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/internal"
 	internalParse "github.com/containers/buildah/internal/parse"
@@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 	// buildkit parity: support absolute path for sources from current build context
 	if contextDir != "" {
 		// path should be /contextDir/specified path
-		newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
+		evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
+		if err != nil {
+			return newMount, "", err
+		}
+		newMount.Source = evaluated
 	} else {
 		// looks like its coming from `build run --mount=type=bind` allow using absolute path
 		// error out if no source is set
diff --git a/tests/bud.bats b/tests/bud.bats
index 0b9aed7b6..2d9acc2d0 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -6625,3 +6625,26 @@ _EOF
   expect_output --substring "$podman_files"
   expect_output --substring "$podman_processes"
 }
+
+@test "build no write file on host - CVE-2024-1753" {
+  _prefetch alpine
+  cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine as base
+
+RUN ln -s / /rootdir
+
+FROM alpine
+
+RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host"
+RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit
+
+_EOF
+
+  run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+  expect_output --substring "/BIND_BREAKOUT"
+
+  run ls /BIND_BREAKOUT
+  rm -f /BIND_BREAKOUT
+  assert "$status" -eq 2 "exit code from ls"
+  expect_output --substring "No such file or directory"
+}
-- 
2.44.0
openSUSE Build Service is sponsored by
Places