User/bfjelds/buildah CVE 2022 2990 (#6174)

* add patch for CVE-2022-2990 * add changelog and fix date * fix version * try fixing patch
2023-09-06 07:48:27 -07:00 · 2023-09-06 07:48:27 -07:00 · 1769d0f5b2
--- a/SPECS-EXTENDED/buildah/CVE-2022-2990.patch
+++ b/SPECS-EXTENDED/buildah/CVE-2022-2990.patch
@ -0,0 +1,113 @@
+From 7b961bf8391a7692468c46175ab30e03e8d777b5 Mon Sep 17 00:00:00 2001
+From: Aditya R <arajan@redhat.com>
+Date: Wed, 24 Aug 2022 08:42:23 +0530
+Subject: [PATCH] run: add container gid to additional groups
+
+When container is created with specific uid and gid also add container
+gid to supplementary/additional group.
+
+Signed-off-by: Aditya R <arajan@redhat.com>
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ run_linux.go                             |  1 +
+ tests/bud.bats                           | 16 ++++++++++++
+ tests/bud/supplemental-groups/Dockerfile |  3 +++
+ tests/run.bats                           | 33 ++++++++++++++++++++++++
+ 4 files changed, 53 insertions(+)
+ create mode 100644 tests/bud/supplemental-groups/Dockerfile
+
+diff --git a/run_linux.go b/run_linux.go
+index d907941ed..452d62a3c 100644
+--- a/run_linux.go
+++ b/run_linux.go
+@@ -1942,6 +1942,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
+ 	}
+ 	g.SetProcessUID(user.UID)
+ 	g.SetProcessGID(user.GID)
+	g.AddProcessAdditionalGid(user.GID)
+ 	for _, gid := range user.AdditionalGids {
+ 		g.AddProcessAdditionalGid(gid)
+ 	}
+diff --git a/tests/bud.bats b/tests/bud.bats
+index ff9db0609..40b847e10 100644
+--- a/tests/bud.bats
+++ b/tests/bud.bats
+@@ -108,6 +108,22 @@ symlink(subdir)"
+   check_options_flag_err "--userns=cnt1"
+ }
+ 
+@test "build test has gid in supplemental groups" {
+  _prefetch alpine
+  run_buildah build $WITH_POLICY_JSON -t source -f ${TESTSDIR}/bud/supplemental-groups/Dockerfile
+  # gid 1000 must be in supplemental groups
+  expect_output --substring "Groups:	1000"
+}
+
+@test "build test if supplemental groups has gid with --isolation chroot" {
+  test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
+
+  _prefetch alpine
+  run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f ${TESTSDIR}/bud/supplemental-groups/Dockerfile
+  # gid 1000 must be in supplemental groups
+  expect_output --substring "Groups:	1000"
+}
+
+ @test "bud with --layers and --no-cache flags" {
+   _prefetch alpine
+   cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers
+diff --git a/tests/bud/supplemental-groups/Dockerfile b/tests/bud/supplemental-groups/Dockerfile
+new file mode 100644
+index 000000000..462d9ea7a
+--- /dev/null
+++ b/tests/bud/supplemental-groups/Dockerfile
+@@ -0,0 +1,3 @@
+FROM alpine
+USER 1000:1000
+RUN cat /proc/$$/status
+diff --git a/tests/run.bats b/tests/run.bats
+index c22a671dc..ba26c350f 100644
+--- a/tests/run.bats
+++ b/tests/run.bats
+@@ -252,6 +252,39 @@ function configure_and_check_user() {
+ 	run_buildah run -v ${TESTDIR}/was-empty/testfile:/var/different-multi-level/subdirectory/testfile        $cid touch /var/different-multi-level/subdirectory/testfile
+ }
+ 
+@test "run --volume with U flag" {
+  skip_if_no_runtime
+
+  # Create source volume.
+  mkdir ${TESTDIR}/testdata
+
+  # Create the container.
+  _prefetch alpine
+  run_buildah from --signature-policy ${TESTSDIR}/policy.json alpine
+  ctr="$output"
+
+  # Test user can create file in the mounted volume.
+  run_buildah run --user 888:888 --volume ${TESTDIR}/testdata:/mnt:z,U "$ctr" touch /mnt/testfile1.txt
+
+  # Test created file has correct UID and GID ownership.
+  run_buildah run --user 888:888 --volume ${TESTDIR}/testdata:/mnt:z,U "$ctr" stat -c "%u:%g" /mnt/testfile1.txt
+  expect_output "888:888"
+}
+
+@test "run --user and verify gid in supplemental groups" {
+  skip_if_no_runtime
+
+  # Create the container.
+  _prefetch alpine
+  run_buildah from $WITH_POLICY_JSON alpine
+  ctr="$output"
+
+  # Run with uid:gid 1000:1000 and verify if gid is present in additional groups
+  run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status
+  # gid 1000 must be in additional/supplemental groups
+  expect_output --substring "Groups:	1000 "
+}
+
+ @test "run --mount" {
+ 	skip_if_no_runtime
+ 
+-- 
+2.17.1
+
--- a/SPECS-EXTENDED/buildah/buildah.spec
+++ b/SPECS-EXTENDED/buildah/buildah.spec
@ -21,12 +21,13 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           buildah
 Version:        1.18.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://%{name}.io
 Source:         %{download_url}#/%{name}-%{version}.tar.gz
+Patch0:         CVE-2022-2990.patch
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  git
@ -73,7 +74,7 @@ Requires:       podman
 This package contains system tests for %{name}

 %prep
-%autosetup -Sgit -n %{name}-%{built_tag_strip}
+%autosetup -Sgit -n %{name}-%{built_tag_strip} -p1
 sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
 sed -i '/docs install/d' Makefile

@ -122,10 +123,13 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test

 %changelog
+* Tue Sep 05 2023 Brian Fjeldstad <bfjelds@microsoft.com> - 1.18.0-17
+- Address CVE-2022-2990
+
 * Mon Aug 07 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.18.0-16
 - Bump release to rebuild with go 1.19.12

-* Wed Jul 14 2023 Andrew Phelps <anphel@microsoft.com> - 1.18.0-15
+* Fri Jul 14 2023 Andrew Phelps <anphel@microsoft.com> - 1.18.0-15
 - Bump release to rebuild against glibc 2.35-4

 * Thu Jul 13 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.18.0-14