From 26492ea0dc6c7a8e7568cecd287a41ead9e0c6c8 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Wed, 13 Aug 2025 17:41:10 +0530
Subject: [PATCH 8/8] CVE-2025-6032: machine init: fix tls check
Ensure we verify the TLS connection when pulling the OCI image.
Bugs: bsc#1245320
Fixes: CVE-2025-6032
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
pkg/machine/ocipull/pull.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
index 1f0b97a562a0..d2c36b4d407e 100644
--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
@@ -18,8 +18,8 @@ import (
// PullOptions includes data to alter certain knobs when pulling a source
// image.
type PullOptions struct {
- // Require HTTPS and verify certificates when accessing the registry.
- TLSVerify bool
+ // Skip TLS verification when accessing the registry.
+ SkipTLSVerify types.OptionalBool
// [username[:password] to use when connecting to the registry.
Credentials string
// Quiet the progress bars when pushing.
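Review bot: The new comment on `SkipTLSVerify` only says what a set value does; it should spell out the zero-value semantics, because that is the actual fix — the old `bool` defaulted to "not verified" for any caller that left it unset. Suggest `// Skip TLS verification when accessing the registry. The zero value (OptionalBoolUndefined) keeps verification enabled, so callers must opt in explicitly to skip it.` The same consideration applies in the second hunk where the field is passed straight into DockerInsecureSkipTLSVerify; that hunk sits inside Pull, whose body starts and ends outside the hunk. The diffstat shows only this file changing, so any caller that set the removed `TLSVerify` field presumably is adjusted elsewhere in the series; a small test that constructs a zero PullOptions and asserts the resulting SystemContext still has verification on would pin the intended behaviour against regressions.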
@@ -42,7 +42,7 @@ func Pull(ctx context.Context, imageInput string, sourcePath string, options Pul
}
sysCtx := &types.SystemContext{
- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+ DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
}
if options.Credentials != "" {
authConf, err := parse.AuthConfig(options.Credentials)
--
2.49.0