[release-1.26] CVE-2024-1753, Bump to Buildah v1.26.7 #5450
Conversation
Addresses CVE-2024-1753 which allowed a user to write files to the `/` directory of the host machine if selinux was not enabled. Signed-off-by: tomsweeneyredhat <[email protected]>
... in layer blobs When analyzing a layer blob's contents, don't break if the blob has more zeroes padding it out even after the tar reader thinks it's hit the end of the archive. Add more detail to the diagnostic error we print when there's a digest or length mismatch, too, in case it's triggered by something other than zero padding. Don't ignore errors which might be encountered when we try to use skopeo to copy an image to a directory. Signed-off-by: Nalin Dahyabhai <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: TomSweeneyRedHat The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
TomSweeneyRedHat
changed the title
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/cve-1.26
branch
from
187b6ff to
35ce108
Compare
|
At least one of the failures in the test was a network hiccup. I've rerun them. |
|
@edsantiago or @nalind Any advice on the breaking conformance tests? This is the only branch that I have run into this. I'm seeing errors like: But I'm not finding a |
|
buildah/tests/conformance/conformance_test.go Lines 1286 to 1290 in 35ce108 but I have no idea what the test is or what a failure means |
|
Many of the errors I see were fixed by #5257 |
|
Thanks @edsantiago I'll try adding that tomorrow. |
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/cve-1.26
branch
from
35ce108 to
83d4a59
Compare
|
Repushed with #5257 included |
When comparing layer payloads during conformance tests, mask off any file type bits that the tar headers in the layers might have included. Signed-off-by: Nalin Dahyabhai <[email protected]>
As the title says. This will fix Buldah for CVE-2024-1753. [NO NEW TESTS NEEDED] Signed-off-by: tomsweeneyredhat <[email protected]>
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/cve-1.26
branch
from
83d4a59 to
301b7b0
Compare
|
The "Unit tests w/ vfs" failed. The only error was a timeout that I could see, restarted with fingers crossed. However, it looks like the conformance tests are happy now. |
|
Hallejuah! Finally, happy green test buttons on this. Can I get a LGTM or two on this please? |
|
/lgtm |
openshift-merge-bot
bot
merged commit 2399bbf
into
containers:release-1.26
This Bumps Buildah to v1.26.7 and addresses CVE-2024-1753
https://issues.redhat.com/browse/RHEL-26773
https://issues.redhat.com/browse/RHEL-26770
What type of PR is this?
What this PR does / why we need it:
How to verify it
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?