File 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch of Package podman.36126

From 5aebc47dcd2b90460967cea48b713a4a88f93657 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Wed, 16 Oct 2024 14:49:01 +0530
Subject: [PATCH 3/5] CVE-2024-9407: validate "bind-propagation" flag settings

CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
 .../containers/buildah/internal/volumes/volumes.go   | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index fd1ff7f98592..554c9ac0debc 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -101,6 +101,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 			if len(kv) == 1 {
 				return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
 			}
+			switch kv[1] {
+			default:
+				return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
 			newMount.Options = append(newMount.Options, kv[1])
 		case "src", "source":
 			if len(kv) == 1 {
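Review bot: The allowlist `"shared", "rshared", "private", "rprivate", "slave", "rslave"` is written out separately in this GetBindMount hunk and in the GetCacheMount hunk below, and the comment ties both to a third list "above" that lies outside the hunks, so the check that closes CVE-2024-9407 relies on three copies being kept in sync by hand. One package-level helper shared by both call sites would remove that drift risk, e.g. `if !isPropagationValue(kv[1]) { return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) }` (the helper name is a placeholder, not an existing function). If the switch stays, the comment should name what it mirrors instead of "above", for instance `// must match the propagation values accepted without the "bind-propagation=" prefix`. Both functions start and end outside the hunks, and since the file is under vendor/ the refactor would belong in upstream buildah and be re-vendored.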
@@ -276,6 +282,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
 			if len(kv) == 1 {
 				return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
 			}
+			switch kv[1] {
+			default:
+				return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+				// this should be the relevant parts of the same list of options we accepted above
+			}
 			newMount.Options = append(newMount.Options, kv[1])
 		case "id":
 			if len(kv) == 1 {
-- 
2.46.0
