Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
podman
0003-CVE-2024-9407-validate-bind-propagation-fl...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0003-CVE-2024-9407-validate-bind-propagation-flag-setting.patch of Package podman
From 5aebc47dcd2b90460967cea48b713a4a88f93657 Mon Sep 17 00:00:00 2001 From: Danish Prakash <contact@danishpraka.sh> Date: Wed, 16 Oct 2024 14:49:01 +0530 Subject: [PATCH 3/5] CVE-2024-9407: validate "bind-propagation" flag settings CVE-2024-9407: validate that the value for the "bind-propagation" flag when handling "bind" and "cache" mounts in `buildah run` or in RUN instructions is one of the values that we would accept without the "bind-propagation=" prefix. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: Danish Prakash <contact@danishpraka.sh> --- .../containers/buildah/internal/volumes/volumes.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go index fd1ff7f98592..554c9ac0debc 100644 --- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go +++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go @@ -101,6 +101,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st if len(kv) == 1 { return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg) } + switch kv[1] { + default: + return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, kv[1]) case "src", "source": if len(kv) == 1 { @@ -276,6 +282,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a if len(kv) == 1 { return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg) } + switch kv[1] { + default: + return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, kv[1]) case "id": if len(kv) == 1 { -- 2.46.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor