diff --git a/SPECS/libcontainers-common/CVE-2024-3727.patch b/SPECS/libcontainers-common/CVE-2024-3727.patch new file mode 100644 index 0000000000..53efa09536 --- /dev/null +++ b/SPECS/libcontainers-common/CVE-2024-3727.patch @@ -0,0 +1,536 @@ +From f20a95cee488de958f42db02bb5121ba52981a1d Mon Sep 17 00:00:00 2001 +From: Sudipta Pandit +Date: Thu, 12 Sep 2024 17:08:02 +0530 +Subject: [PATCH] Backport upstream patch for containers/image + +--- + .../image/v5/directory/directory_dest.go | 23 ++++++++-- + .../image/v5/directory/directory_src.go | 18 ++++++-- + .../image/v5/directory/directory_transport.go | 25 ++++++---- + .../image/v5/docker/docker_client.go | 4 ++ + .../image/v5/docker/docker_image.go | 7 ++- + .../image/v5/docker/docker_image_dest.go | 4 ++ + .../image/v5/docker/docker_image_src.go | 6 +++ + .../image/v5/docker/internal/tarfile/dest.go | 12 ++++- + .../v5/docker/internal/tarfile/writer.go | 34 +++++++++++--- + .../containers/image/v5/ostree/ostree_dest.go | 10 ++++ + .../containers/image/v5/ostree/ostree_src.go | 4 +- + .../image/v5/storage/storage_image.go | 46 +++++++++++++++---- + .../image/v5/storage/storage_reference.go | 10 +++- + 13 files changed, 165 insertions(+), 38 deletions(-) + +diff --git a/vendor/github.com/containers/image/v5/directory/directory_dest.go b/vendor/github.com/containers/image/v5/directory/directory_dest.go +index ea20e7c5..72ec5a70 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_dest.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_dest.go +@@ -188,7 +188,11 @@ func (d *dirImageDestination) PutBlob(ctx context.Context, stream io.Reader, inp + } + } + +- blobPath := d.ref.layerPath(blobDigest) ++ // Custom backport for CVE-2024-3727 ++ blobPath, err := d.ref.layerPath(blobDigest) ++ if err != nil { ++ return types.BlobInfo{}, err ++ } + // need to explicitly close the file, since a rename won't otherwise not work on Windows + blobFile.Close() + explicitClosed = true +@@ -212,7 +216,10 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo + if info.Digest == "" { + return false, types.BlobInfo{}, errors.Errorf(`"Can not check for a blob with unknown digest`) + } +- blobPath := d.ref.layerPath(info.Digest) ++ blobPath, err := d.ref.layerPath(info.Digest) ++ if err != nil { ++ return false, types.BlobInfo{}, err ++ } + finfo, err := os.Stat(blobPath) + if err != nil && os.IsNotExist(err) { + return false, types.BlobInfo{}, nil +@@ -232,7 +239,11 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo + // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema), + // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError. + func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error { +- return ioutil.WriteFile(d.ref.manifestPath(instanceDigest), manifest, 0644) ++ manifestPath, err := d.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return err ++ } ++ return ioutil.WriteFile(manifestPath, manifest, 0644) + } + + // PutSignatures writes a set of signatures to the destination. +@@ -240,7 +251,11 @@ func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, + // (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list. + func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error { + for i, sig := range signatures { +- if err := ioutil.WriteFile(d.ref.signaturePath(i, instanceDigest), sig, 0644); err != nil { ++ signaturePath, err := d.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return err ++ } ++ if err := ioutil.WriteFile(signaturePath, sig, 0644); err != nil { + return err + } + } +diff --git a/vendor/github.com/containers/image/v5/directory/directory_src.go b/vendor/github.com/containers/image/v5/directory/directory_src.go +index ad9129d4..420cee2f 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_src.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_src.go +@@ -37,7 +37,11 @@ func (s *dirImageSource) Close() error { + // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list); + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). + func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { +- m, err := ioutil.ReadFile(s.ref.manifestPath(instanceDigest)) ++ path, err := s.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return nil, "", err ++ } ++ m, err := ioutil.ReadFile(path) + if err != nil { + return nil, "", err + } +@@ -53,7 +57,11 @@ func (s *dirImageSource) HasThreadSafeGetBlob() bool { + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. + func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- r, err := os.Open(s.ref.layerPath(info.Digest)) ++ path, err := s.ref.layerPath(info.Digest) ++ if err != nil { ++ return nil, -1, err ++ } ++ r, err := os.Open(path) + if err != nil { + return nil, -1, err + } +@@ -71,7 +79,11 @@ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache + func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) { + signatures := [][]byte{} + for i := 0; ; i++ { +- signature, err := ioutil.ReadFile(s.ref.signaturePath(i, instanceDigest)) ++ path, err := s.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return nil, err ++ } ++ signature, err := ioutil.ReadFile(path) + if err != nil { + if os.IsNotExist(err) { + break +diff --git a/vendor/github.com/containers/image/v5/directory/directory_transport.go b/vendor/github.com/containers/image/v5/directory/directory_transport.go +index e542d888..ea280707 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_transport.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_transport.go +@@ -162,25 +162,34 @@ func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContex + } + + // manifestPath returns a path for the manifest within a directory using our conventions. +-func (ref dirReference) manifestPath(instanceDigest *digest.Digest) string { ++func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json") ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } ++ return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json"), nil + } +- return filepath.Join(ref.path, "manifest.json") ++ return filepath.Join(ref.path, "manifest.json"), nil + } + + // layerPath returns a path for a layer tarball within a directory using our conventions. +-func (ref dirReference) layerPath(digest digest.Digest) string { ++func (ref dirReference) layerPath(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } + // FIXME: Should we keep the digest identification? +- return filepath.Join(ref.path, digest.Encoded()) ++ return filepath.Join(ref.path, digest.Encoded()), nil + } + + // signaturePath returns a path for a signature within a directory using our conventions. +-func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) string { ++func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)) ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } ++ return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)), nil + } +- return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)) ++ return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)), nil + } + + // versionPath returns a path for the version file within a directory using our conventions. +diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go +index 3fe9a11d..08f5d66e 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_client.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go +@@ -796,6 +796,10 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { + // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension, + // using the original data structures. + func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) { ++ // Custom patch for CVE-2024-3727 ++ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go +index c84bb37d..284b39f5 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go +@@ -83,7 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. + if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil { + return nil, err + } +- tags = append(tags, tagsHolder.Tags...) ++ for _, tag := range tagsHolder.Tags { ++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values ++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) ++ } ++ tags = append(tags, tag) ++ } + + link := res.Header.Get("Link") + if link == "" { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +index 80701a76..ce08333c 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +@@ -215,6 +215,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader, + // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil); + // it returns a non-nil error only on an unexpected failure. + func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) { ++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters ++ return false, -1, err ++ } + checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String()) + logrus.Debugf("Checking %s", checkPath) + res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope) +@@ -641,6 +644,7 @@ sigExists: + return err + } + ++ // manifestDigest is known to be valid because it was not rejected by getExtensionsSignatures above. + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), manifestDigest.String()) + res, err := d.c.makeRequest(ctx, http.MethodPut, path, nil, bytes.NewReader(body), v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +index 1333cf9e..1c3cf448 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string { + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). + func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { + if instanceDigest != nil { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, "", err ++ } + return s.fetchManifest(ctx, instanceDigest.String()) + } + err := s.ensureManifestIsLoaded(ctx) +@@ -364,6 +367,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo, + return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt") + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, nil, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil) +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +index 44b0af11..e9162668 100644 +--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +@@ -141,11 +141,19 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t + return types.BlobInfo{}, errors.Wrap(err, "reading Config file stream") + } + d.config = buf +- if err := d.archive.sendFileLocked(d.archive.configPath(inputInfo.Digest), inputInfo.Size, bytes.NewReader(buf)); err != nil { ++ configPath, err := d.archive.configPath(inputInfo.Digest) ++ if err != nil { ++ return types.BlobInfo{}, errors.Wrap(err, "getting config path") ++ } ++ if err := d.archive.sendFileLocked(configPath, inputInfo.Size, bytes.NewReader(buf)); err != nil { + return types.BlobInfo{}, errors.Wrap(err, "writing Config file") + } + } else { +- if err := d.archive.sendFileLocked(d.archive.physicalLayerPath(inputInfo.Digest), inputInfo.Size, stream); err != nil { ++ layerPath, err := d.archive.physicalLayerPath(inputInfo.Digest) ++ if err != nil { ++ return types.BlobInfo{}, err ++ } ++ if err := d.archive.sendFileLocked(layerPath, inputInfo.Size, stream); err != nil { + return types.BlobInfo{}, err + } + } +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +index 255f0d35..742f977c 100644 +--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +@@ -92,7 +92,10 @@ func (w *Writer) ensureSingleLegacyLayerLocked(layerID string, layerDigest diges + if _, ok := w.legacyLayers[layerID]; !ok { + // Create a symlink for the legacy format, where there is one subdirectory per layer ("image"). + // See also the comment in physicalLayerPath. +- physicalLayerPath := w.physicalLayerPath(layerDigest) ++ physicalLayerPath, err := w.physicalLayerPath(layerDigest) ++ if err != nil { ++ return err ++ } + if err := w.sendSymlinkLocked(filepath.Join(layerID, legacyLayerFileName), filepath.Join("..", physicalLayerPath)); err != nil { + return errors.Wrap(err, "creating layer symbolic link") + } +@@ -136,6 +139,9 @@ func (w *Writer) writeLegacyMetadataLocked(layerDescriptors []manifest.Schema2De + } + + // This chainID value matches the computation in docker/docker/layer.CreateChainID … ++ if err := l.Digest.Validate(); err != nil { // This should never fail on this code path, still: make sure the chainID computation is unambiguous. ++ return err ++ } + if chainID == "" { + chainID = l.Digest + } else { +@@ -206,12 +212,20 @@ func checkManifestItemsMatch(a, b *ManifestItem) error { + func (w *Writer) ensureManifestItemLocked(layerDescriptors []manifest.Schema2Descriptor, configDigest digest.Digest, repoTags []reference.NamedTagged) error { + layerPaths := []string{} + for _, l := range layerDescriptors { +- layerPaths = append(layerPaths, w.physicalLayerPath(l.Digest)) ++ p, err := w.physicalLayerPath(l.Digest) ++ if err != nil { ++ return err ++ } ++ layerPaths = append(layerPaths, p) + } + + var item *ManifestItem ++ configPath, err := w.configPath(configDigest) ++ if err != nil { ++ return err ++ } + newItem := ManifestItem{ +- Config: w.configPath(configDigest), ++ Config: configPath, + RepoTags: []string{}, + Layers: layerPaths, + Parent: "", // We don’t have this information +@@ -296,21 +310,27 @@ func (w *Writer) Close() error { + // configPath returns a path we choose for storing a config with the specified digest. + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. +-func (w *Writer) configPath(configDigest digest.Digest) string { +- return configDigest.Hex() + ".json" ++func (w *Writer) configPath(configDigest digest.Digest) (string, error) { ++ if err := configDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } ++ return configDigest.Hex() + ".json", nil + } + + // physicalLayerPath returns a path we choose for storing a layer with the specified digest + // (the actual path, i.e. a regular file, not a symlink that may be used in the legacy format). + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. +-func (w *Writer) physicalLayerPath(layerDigest digest.Digest) string { ++func (w *Writer) physicalLayerPath(layerDigest digest.Digest) (string, error) { ++ if err := layerDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } + // Note that this can't be e.g. filepath.Join(l.Digest.Hex(), legacyLayerFileName); due to the way + // writeLegacyMetadata constructs layer IDs differently from inputinfo.Digest values (as described + // inside it), most of the layers would end up in subdirectories alone without any metadata; (docker load) + // tries to load every subdirectory as an image and fails if the config is missing. So, keep the layers + // in the root of the tarball. +- return layerDigest.Hex() + ".tar" ++ return layerDigest.Hex() + ".tar", nil + } + + type tarFI struct { +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +index 3eb2a2cb..02115a26 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +@@ -352,6 +352,10 @@ func (d *ostreeImageDestination) TryReusingBlob(ctx context.Context, info types. + } + d.repo = repo + } ++ ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, so validate explicitly. ++ return false, types.BlobInfo{}, err ++ } + branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex()) + + found, data, err := readMetadata(d.repo, branch, "docker.uncompressed_digest") +@@ -472,12 +476,18 @@ func (d *ostreeImageDestination) Commit(context.Context, types.UnparsedImage) er + return nil + } + for _, layer := range d.schema.LayersDescriptors { ++ if err := layer.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.Digest.Hex() + if err = checkLayer(hash); err != nil { + return err + } + } + for _, layer := range d.schema.FSLayers { ++ if err := layer.BlobSum.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.BlobSum.Hex() + if err = checkLayer(hash); err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_src.go b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +index d30c764a..f60cbcf7 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_src.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +@@ -273,7 +273,9 @@ func (s *ostreeImageSource) HasThreadSafeGetBlob() bool { + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. + func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return nil, -1, err ++ } + blob := info.Digest.Hex() + + // Ensure s.compressed is initialized. It is build by LayerInfosForCopy. +diff --git a/vendor/github.com/containers/image/v5/storage/storage_image.go b/vendor/github.com/containers/image/v5/storage/storage_image.go +index 7329ef6e..a40d7f1a 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_image.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_image.go +@@ -100,14 +100,21 @@ type storageImageCloser struct { + // manifestBigDataKey returns a key suitable for recording a manifest with the specified digest using storage.Store.ImageBigData and related functions. + // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; + // for compatibility, if a manifest is not available under this key, check also storage.ImageDigestBigDataKey +-func manifestBigDataKey(digest digest.Digest) string { +- return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String() ++func manifestBigDataKey(digest digest.Digest) (string, error) { ++ // return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String() ++ if err := digest.Validate(); err != nil { // Make sure info.Digest.String() uses the expected format and does not collide with other BigData keys. ++ return "", err ++ } ++ return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String(), nil + } + + // signatureBigDataKey returns a key suitable for recording the signatures associated with the manifest with the specified digest using storage.Store.ImageBigData and related functions. + // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; +-func signatureBigDataKey(digest digest.Digest) string { +- return "signature-" + digest.Encoded() ++func signatureBigDataKey(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return "", err ++ } ++ return "signature-" + digest.Encoded(), nil + } + + // newImageSource sets up an image for reading. +@@ -243,8 +250,12 @@ func (s *storageImageSource) getBlobAndLayerID(info types.BlobInfo) (rc io.ReadC + + // GetManifest() reads the image's manifest. + func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) (manifestBlob []byte, MIMEType string, err error) { ++ // Custom patch for CVE-2024-3727 + if instanceDigest != nil { +- key := manifestBigDataKey(*instanceDigest) ++ key, err := manifestBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, "", errors.Wrapf(err, "generating manifest big data key for image instance %q", *instanceDigest) ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil { + return nil, "", errors.Wrapf(err, "reading manifest for image instance %q", *instanceDigest) +@@ -256,7 +267,10 @@ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *di + // Prefer the manifest corresponding to the user-specified digest, if available. + if s.imageRef.named != nil { + if digested, ok := s.imageRef.named.(reference.Digested); ok { +- key := manifestBigDataKey(digested.Digest()) ++ key, err := manifestBigDataKey(digested.Digest()) ++ if err != nil { ++ return nil, "", err ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil && !os.IsNotExist(err) { // os.IsNotExist is true if the image exists but there is no data corresponding to key + return nil, "", err +@@ -369,7 +383,10 @@ func (s *storageImageSource) GetSignatures(ctx context.Context, instanceDigest * + instance := "default instance" + if instanceDigest != nil { + signatureSizes = s.SignaturesSizes[*instanceDigest] +- key = signatureBigDataKey(*instanceDigest) ++ key, err = signatureBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, errors.Wrapf(err, "generating signature big data key for image instance %q", *instanceDigest) ++ } + instance = instanceDigest.Encoded() + } + if len(signatureSizes) > 0 { +@@ -1146,7 +1163,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + if err != nil { + return errors.Wrapf(err, "digesting top-level manifest") + } +- key := manifestBigDataKey(manifestDigest) ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return errors.Wrapf(err, "getting manifest big data key for image %q", img.ID) ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, toplevelManifest, manifest.Digest); err != nil { + logrus.Debugf("error saving top-level manifest for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving top-level manifest for image %q", img.ID) +@@ -1155,7 +1175,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + // Save the image's manifest. Allow looking it up by digest by using the key convention defined by the Store. + // Record the manifest twice: using a digest-specific key to allow references to that specific digest instance, + // and using storage.ImageDigestBigDataKey for future users that don’t specify any digest and for compatibility with older readers. +- key := manifestBigDataKey(s.manifestDigest) ++ key, err := manifestBigDataKey(s.manifestDigest) ++ if err != nil { ++ return errors.Wrapf(err, "getting manifest big data key for image %q", img.ID) ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, s.manifest, manifest.Digest); err != nil { + logrus.Debugf("error saving manifest for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving manifest for image %q", img.ID) +@@ -1173,7 +1196,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + } + } + for instanceDigest, signatures := range s.signatureses { +- key := signatureBigDataKey(instanceDigest) ++ key, err := signatureBigDataKey(instanceDigest) ++ if err != nil { ++ return err ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, signatures, manifest.Digest); err != nil { + logrus.Debugf("error saving signatures for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving signatures for image %q", img.ID) +diff --git a/vendor/github.com/containers/image/v5/storage/storage_reference.go b/vendor/github.com/containers/image/v5/storage/storage_reference.go +index 7c6da112..ac1d1e42 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_reference.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_reference.go +@@ -73,7 +73,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image, + // We don't need to care about storage.ImageDigestBigDataKey because + // manifests lists are only stored into storage by c/image versions + // that know about manifestBigDataKey, and only using that key. +- key := manifestBigDataKey(manifestDigest) ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return false // This should never happen, manifestDigest comes from a reference.Digested, and that validates the format. ++ } + manifestBytes, err := store.ImageBigData(img.ID, key) + if err != nil { + return false +@@ -95,7 +98,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image, + if err != nil { + return false + } +- key = manifestBigDataKey(chosenInstance) ++ key, err = manifestBigDataKey(chosenInstance) ++ if err != nil { ++ return false ++ } + _, err = store.ImageBigData(img.ID, key) + return err == nil // true if img.ID is based on chosenInstance. + } +-- +2.34.1 + diff --git a/SPECS/libcontainers-common/libcontainers-common.spec b/SPECS/libcontainers-common/libcontainers-common.spec index 5ca2932f14..29646d86fc 100644 --- a/SPECS/libcontainers-common/libcontainers-common.spec +++ b/SPECS/libcontainers-common/libcontainers-common.spec @@ -26,7 +26,7 @@ Summary: Configuration files common to github.com/containers Name: libcontainers-common Version: 20210626 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 AND GPLv3 Vendor: Microsoft Corporation Distribution: Mariner @@ -52,6 +52,8 @@ Patch0: CVE-2021-44716.patch Patch1: CVE-2024-37298.patch Patch2: CVE-2021-43565.patch Patch3: CVE-2022-32149.patch +Patch4: CVE-2024-3727.patch +Patch5: podman-CVE-2024-3727.patch BuildRequires: go-go-md2man Requires(post): grep Requires(post): util-linux @@ -65,15 +67,19 @@ github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo. %prep %setup -q -T -D -b 0 -n image-%{imagever} +%patch 4 -p6 + %setup -q -T -D -b 1 -n storage-%{storagever} %setup -q -T -D -b 7 -n podman-%{podmanver} +%patch 5 -p1 %patch 1 -p1 %patch 3 -p1 %setup -q -T -D -b 9 -n common-%{commonver} %patch 0 -p1 %patch 3 -p1 +%patch 4 -p1 # copy the LICENSE file in the build root %patch 2 -p1 -d ../podman-%{podmanver} @@ -171,6 +177,9 @@ fi %license LICENSE %changelog +* Thu Sep 12 2024 Sudipta Pandit - 20210626-7 +- Backport CVE-2024-3727 for all sources from upstream + * Tue Aug 27 2024 Sindhu Karri - 20210626-6 - Patch CVE-2022-32149 diff --git a/SPECS/libcontainers-common/podman-CVE-2024-3727.patch b/SPECS/libcontainers-common/podman-CVE-2024-3727.patch new file mode 100644 index 0000000000..616116a207 --- /dev/null +++ b/SPECS/libcontainers-common/podman-CVE-2024-3727.patch @@ -0,0 +1,524 @@ +From 5a593b2736e49ab2b449a9ab6100a9d44c9fc967 Mon Sep 17 00:00:00 2001 +From: Sudipta Pandit +Date: Thu, 12 Sep 2024 19:37:38 +0530 +Subject: [PATCH] Backport upstream patch of vendored containers/image of + podman + +--- + .../image/v5/directory/directory_dest.go | 17 +++++-- + .../image/v5/directory/directory_src.go | 18 ++++++-- + .../image/v5/directory/directory_transport.go | 25 ++++++---- + .../image/v5/docker/docker_client.go | 4 ++ + .../image/v5/docker/docker_image.go | 7 ++- + .../image/v5/docker/docker_image_dest.go | 4 ++ + .../image/v5/docker/docker_image_src.go | 6 +++ + .../image/v5/docker/internal/tarfile/dest.go | 12 ++++- + .../v5/docker/internal/tarfile/writer.go | 34 +++++++++++--- + .../containers/image/v5/ostree/ostree_dest.go | 10 ++++ + .../containers/image/v5/ostree/ostree_src.go | 4 +- + .../image/v5/storage/storage_image.go | 46 +++++++++++++++---- + .../image/v5/storage/storage_reference.go | 10 +++- + 13 files changed, 160 insertions(+), 37 deletions(-) + +diff --git a/vendor/github.com/containers/image/v5/directory/directory_dest.go b/vendor/github.com/containers/image/v5/directory/directory_dest.go +index e3280aa2b..9cf88175d 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_dest.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_dest.go +@@ -213,7 +213,10 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo + if info.Digest == "" { + return false, types.BlobInfo{}, errors.Errorf(`"Can not check for a blob with unknown digest`) + } +- blobPath := d.ref.layerPath(info.Digest) ++ blobPath, err := d.ref.layerPath(info.Digest) ++ if err != nil { ++ return false, types.BlobInfo{}, err ++ } + finfo, err := os.Stat(blobPath) + if err != nil && os.IsNotExist(err) { + return false, types.BlobInfo{}, nil +@@ -233,7 +236,11 @@ func (d *dirImageDestination) TryReusingBlob(ctx context.Context, info types.Blo + // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema), + // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError. + func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error { +- return ioutil.WriteFile(d.ref.manifestPath(instanceDigest), manifest, 0644) ++ manifestPath, err := d.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return err ++ } ++ return ioutil.WriteFile(manifestPath, manifest, 0644) + } + + // PutSignatures writes a set of signatures to the destination. +@@ -241,7 +248,11 @@ func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, + // (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list. + func (d *dirImageDestination) PutSignatures(ctx context.Context, signatures [][]byte, instanceDigest *digest.Digest) error { + for i, sig := range signatures { +- if err := ioutil.WriteFile(d.ref.signaturePath(i, instanceDigest), sig, 0644); err != nil { ++ signaturePath, err := d.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return err ++ } ++ if err := ioutil.WriteFile(signaturePath, sig, 0644); err != nil { + return err + } + } +diff --git a/vendor/github.com/containers/image/v5/directory/directory_src.go b/vendor/github.com/containers/image/v5/directory/directory_src.go +index ad9129d40..420cee2fd 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_src.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_src.go +@@ -37,7 +37,11 @@ func (s *dirImageSource) Close() error { + // If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list); + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). + func (s *dirImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { +- m, err := ioutil.ReadFile(s.ref.manifestPath(instanceDigest)) ++ path, err := s.ref.manifestPath(instanceDigest) ++ if err != nil { ++ return nil, "", err ++ } ++ m, err := ioutil.ReadFile(path) + if err != nil { + return nil, "", err + } +@@ -53,7 +57,11 @@ func (s *dirImageSource) HasThreadSafeGetBlob() bool { + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. + func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- r, err := os.Open(s.ref.layerPath(info.Digest)) ++ path, err := s.ref.layerPath(info.Digest) ++ if err != nil { ++ return nil, -1, err ++ } ++ r, err := os.Open(path) + if err != nil { + return nil, -1, err + } +@@ -71,7 +79,11 @@ func (s *dirImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache + func (s *dirImageSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) { + signatures := [][]byte{} + for i := 0; ; i++ { +- signature, err := ioutil.ReadFile(s.ref.signaturePath(i, instanceDigest)) ++ path, err := s.ref.signaturePath(i, instanceDigest) ++ if err != nil { ++ return nil, err ++ } ++ signature, err := ioutil.ReadFile(path) + if err != nil { + if os.IsNotExist(err) { + break +diff --git a/vendor/github.com/containers/image/v5/directory/directory_transport.go b/vendor/github.com/containers/image/v5/directory/directory_transport.go +index e542d888c..ea2807070 100644 +--- a/vendor/github.com/containers/image/v5/directory/directory_transport.go ++++ b/vendor/github.com/containers/image/v5/directory/directory_transport.go +@@ -162,25 +162,34 @@ func (ref dirReference) DeleteImage(ctx context.Context, sys *types.SystemContex + } + + // manifestPath returns a path for the manifest within a directory using our conventions. +-func (ref dirReference) manifestPath(instanceDigest *digest.Digest) string { ++func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json") ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } ++ return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json"), nil + } +- return filepath.Join(ref.path, "manifest.json") ++ return filepath.Join(ref.path, "manifest.json"), nil + } + + // layerPath returns a path for a layer tarball within a directory using our conventions. +-func (ref dirReference) layerPath(digest digest.Digest) string { ++func (ref dirReference) layerPath(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } + // FIXME: Should we keep the digest identification? +- return filepath.Join(ref.path, digest.Encoded()) ++ return filepath.Join(ref.path, digest.Encoded()), nil + } + + // signaturePath returns a path for a signature within a directory using our conventions. +-func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) string { ++func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest) (string, error) { + if instanceDigest != nil { +- return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)) ++ if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return "", err ++ } ++ return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)), nil + } +- return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)) ++ return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)), nil + } + + // versionPath returns a path for the version file within a directory using our conventions. +diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go +index 3fe9a11d0..08f5d66e4 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_client.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go +@@ -796,6 +796,10 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { + // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension, + // using the original data structures. + func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) { ++ // Custom patch for CVE-2024-3727 ++ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go +index c84bb37d2..284b39f50 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go +@@ -83,7 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. + if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil { + return nil, err + } +- tags = append(tags, tagsHolder.Tags...) ++ for _, tag := range tagsHolder.Tags { ++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values ++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) ++ } ++ tags = append(tags, tag) ++ } + + link := res.Header.Get("Link") + if link == "" { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +index 360a7122e..323a42a86 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +@@ -213,6 +213,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader, + // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil); + // it returns a non-nil error only on an unexpected failure. + func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) { ++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters ++ return false, -1, err ++ } + checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String()) + logrus.Debugf("Checking %s", checkPath) + res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope) +@@ -639,6 +642,7 @@ sigExists: + return err + } + ++ // manifestDigest is known to be valid because it was not rejected by getExtensionsSignatures above. + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), manifestDigest.String()) + res, err := d.c.makeRequest(ctx, http.MethodPut, path, nil, bytes.NewReader(body), v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +index 5dc8e7b1f..1d79c56bd 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string { + // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists). + func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { + if instanceDigest != nil { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, "", err ++ } + return s.fetchManifest(ctx, instanceDigest.String()) + } + err := s.ensureManifestIsLoaded(ctx) +@@ -362,6 +365,9 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca + return s.getExternalBlob(ctx, info.URLs) + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, 0, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := s.c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +index a558657b6..bb093032a 100644 +--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/dest.go +@@ -143,11 +143,19 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t + return types.BlobInfo{}, errors.Wrap(err, "reading Config file stream") + } + d.config = buf +- if err := d.archive.sendFileLocked(d.archive.configPath(inputInfo.Digest), inputInfo.Size, bytes.NewReader(buf)); err != nil { ++ configPath, err := d.archive.configPath(inputInfo.Digest) ++ if err != nil { ++ return types.BlobInfo{}, errors.Wrap(err, "getting config path") ++ } ++ if err := d.archive.sendFileLocked(configPath, inputInfo.Size, bytes.NewReader(buf)); err != nil { + return types.BlobInfo{}, errors.Wrap(err, "writing Config file") + } + } else { +- if err := d.archive.sendFileLocked(d.archive.physicalLayerPath(inputInfo.Digest), inputInfo.Size, stream); err != nil { ++ layerPath, err := d.archive.physicalLayerPath(inputInfo.Digest) ++ if err != nil { ++ return types.BlobInfo{}, err ++ } ++ if err := d.archive.sendFileLocked(layerPath, inputInfo.Size, stream); err != nil { + return types.BlobInfo{}, err + } + } +diff --git a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +index 255f0d354..742f977c0 100644 +--- a/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go ++++ b/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go +@@ -92,7 +92,10 @@ func (w *Writer) ensureSingleLegacyLayerLocked(layerID string, layerDigest diges + if _, ok := w.legacyLayers[layerID]; !ok { + // Create a symlink for the legacy format, where there is one subdirectory per layer ("image"). + // See also the comment in physicalLayerPath. +- physicalLayerPath := w.physicalLayerPath(layerDigest) ++ physicalLayerPath, err := w.physicalLayerPath(layerDigest) ++ if err != nil { ++ return err ++ } + if err := w.sendSymlinkLocked(filepath.Join(layerID, legacyLayerFileName), filepath.Join("..", physicalLayerPath)); err != nil { + return errors.Wrap(err, "creating layer symbolic link") + } +@@ -136,6 +139,9 @@ func (w *Writer) writeLegacyMetadataLocked(layerDescriptors []manifest.Schema2De + } + + // This chainID value matches the computation in docker/docker/layer.CreateChainID … ++ if err := l.Digest.Validate(); err != nil { // This should never fail on this code path, still: make sure the chainID computation is unambiguous. ++ return err ++ } + if chainID == "" { + chainID = l.Digest + } else { +@@ -206,12 +212,20 @@ func checkManifestItemsMatch(a, b *ManifestItem) error { + func (w *Writer) ensureManifestItemLocked(layerDescriptors []manifest.Schema2Descriptor, configDigest digest.Digest, repoTags []reference.NamedTagged) error { + layerPaths := []string{} + for _, l := range layerDescriptors { +- layerPaths = append(layerPaths, w.physicalLayerPath(l.Digest)) ++ p, err := w.physicalLayerPath(l.Digest) ++ if err != nil { ++ return err ++ } ++ layerPaths = append(layerPaths, p) + } + + var item *ManifestItem ++ configPath, err := w.configPath(configDigest) ++ if err != nil { ++ return err ++ } + newItem := ManifestItem{ +- Config: w.configPath(configDigest), ++ Config: configPath, + RepoTags: []string{}, + Layers: layerPaths, + Parent: "", // We don’t have this information +@@ -296,21 +310,27 @@ func (w *Writer) Close() error { + // configPath returns a path we choose for storing a config with the specified digest. + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. +-func (w *Writer) configPath(configDigest digest.Digest) string { +- return configDigest.Hex() + ".json" ++func (w *Writer) configPath(configDigest digest.Digest) (string, error) { ++ if err := configDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } ++ return configDigest.Hex() + ".json", nil + } + + // physicalLayerPath returns a path we choose for storing a layer with the specified digest + // (the actual path, i.e. a regular file, not a symlink that may be used in the legacy format). + // NOTE: This is an internal implementation detail, not a format property, and can change + // any time. +-func (w *Writer) physicalLayerPath(layerDigest digest.Digest) string { ++func (w *Writer) physicalLayerPath(layerDigest digest.Digest) (string, error) { ++ if err := layerDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in unexpected paths, so validate explicitly. ++ return "", err ++ } + // Note that this can't be e.g. filepath.Join(l.Digest.Hex(), legacyLayerFileName); due to the way + // writeLegacyMetadata constructs layer IDs differently from inputinfo.Digest values (as described + // inside it), most of the layers would end up in subdirectories alone without any metadata; (docker load) + // tries to load every subdirectory as an image and fails if the config is missing. So, keep the layers + // in the root of the tarball. +- return layerDigest.Hex() + ".tar" ++ return layerDigest.Hex() + ".tar", nil + } + + type tarFI struct { +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +index c91a49c57..fc5d58d45 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_dest.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_dest.go +@@ -352,6 +352,10 @@ func (d *ostreeImageDestination) TryReusingBlob(ctx context.Context, info types. + } + d.repo = repo + } ++ ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, so validate explicitly. ++ return false, types.BlobInfo{}, err ++ } + branch := fmt.Sprintf("ociimage/%s", info.Digest.Hex()) + + found, data, err := readMetadata(d.repo, branch, "docker.uncompressed_digest") +@@ -472,12 +476,18 @@ func (d *ostreeImageDestination) Commit(context.Context, types.UnparsedImage) er + return nil + } + for _, layer := range d.schema.LayersDescriptors { ++ if err := layer.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.Digest.Hex() + if err = checkLayer(hash); err != nil { + return err + } + } + for _, layer := range d.schema.FSLayers { ++ if err := layer.BlobSum.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return err ++ } + hash := layer.BlobSum.Hex() + if err = checkLayer(hash); err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/ostree/ostree_src.go b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +index 4948ec664..9c4b53968 100644 +--- a/vendor/github.com/containers/image/v5/ostree/ostree_src.go ++++ b/vendor/github.com/containers/image/v5/ostree/ostree_src.go +@@ -272,7 +272,9 @@ func (s *ostreeImageSource) HasThreadSafeGetBlob() bool { + // The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided. + // May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location. + func (s *ostreeImageSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) { +- ++ if err := info.Digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return nil, -1, err ++ } + blob := info.Digest.Hex() + + // Ensure s.compressed is initialized. It is build by LayerInfosForCopy. +diff --git a/vendor/github.com/containers/image/v5/storage/storage_image.go b/vendor/github.com/containers/image/v5/storage/storage_image.go +index 6b0fea61a..433bf383d 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_image.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_image.go +@@ -96,14 +96,21 @@ type storageImageCloser struct { + // manifestBigDataKey returns a key suitable for recording a manifest with the specified digest using storage.Store.ImageBigData and related functions. + // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; + // for compatibility, if a manifest is not available under this key, check also storage.ImageDigestBigDataKey +-func manifestBigDataKey(digest digest.Digest) string { +- return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String() ++func manifestBigDataKey(digest digest.Digest) (string, error) { ++ // return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String() ++ if err := digest.Validate(); err != nil { // Make sure info.Digest.String() uses the expected format and does not collide with other BigData keys. ++ return "", err ++ } ++ return storage.ImageDigestManifestBigDataNamePrefix + "-" + digest.String(), nil + } + + // signatureBigDataKey returns a key suitable for recording the signatures associated with the manifest with the specified digest using storage.Store.ImageBigData and related functions. + // If a specific manifest digest is explicitly requested by the user, the key returned by this function should be used preferably; +-func signatureBigDataKey(digest digest.Digest) string { +- return "signature-" + digest.Encoded() ++func signatureBigDataKey(digest digest.Digest) (string, error) { ++ if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, so validate explicitly. ++ return "", err ++ } ++ return "signature-" + digest.Encoded(), nil + } + + // newImageSource sets up an image for reading. +@@ -239,8 +246,12 @@ func (s *storageImageSource) getBlobAndLayerID(info types.BlobInfo) (rc io.ReadC + + // GetManifest() reads the image's manifest. + func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) (manifestBlob []byte, MIMEType string, err error) { ++ // Custom patch for CVE-2024-3727 + if instanceDigest != nil { +- key := manifestBigDataKey(*instanceDigest) ++ key, err := manifestBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, "", errors.Wrapf(err, "generating manifest big data key for image instance %q", *instanceDigest) ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil { + return nil, "", errors.Wrapf(err, "reading manifest for image instance %q", *instanceDigest) +@@ -252,7 +263,10 @@ func (s *storageImageSource) GetManifest(ctx context.Context, instanceDigest *di + // Prefer the manifest corresponding to the user-specified digest, if available. + if s.imageRef.named != nil { + if digested, ok := s.imageRef.named.(reference.Digested); ok { +- key := manifestBigDataKey(digested.Digest()) ++ key, err := manifestBigDataKey(digested.Digest()) ++ if err != nil { ++ return nil, "", err ++ } + blob, err := s.imageRef.transport.store.ImageBigData(s.image.ID, key) + if err != nil && !os.IsNotExist(err) { // os.IsNotExist is true if the image exists but there is no data corresponding to key + return nil, "", err +@@ -365,7 +379,10 @@ func (s *storageImageSource) GetSignatures(ctx context.Context, instanceDigest * + instance := "default instance" + if instanceDigest != nil { + signatureSizes = s.SignaturesSizes[*instanceDigest] +- key = signatureBigDataKey(*instanceDigest) ++ key, err = signatureBigDataKey(*instanceDigest) ++ if err != nil { ++ return nil, errors.Wrapf(err, "generating signature big data key for image instance %q", *instanceDigest) ++ } + instance = instanceDigest.Encoded() + } + if len(signatureSizes) > 0 { +@@ -1140,7 +1157,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + if err != nil { + return errors.Wrapf(err, "digesting top-level manifest") + } +- key := manifestBigDataKey(manifestDigest) ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return errors.Wrapf(err, "getting manifest big data key for image %q", img.ID) ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, toplevelManifest, manifest.Digest); err != nil { + logrus.Debugf("error saving top-level manifest for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving top-level manifest for image %q", img.ID) +@@ -1149,7 +1169,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + // Save the image's manifest. Allow looking it up by digest by using the key convention defined by the Store. + // Record the manifest twice: using a digest-specific key to allow references to that specific digest instance, + // and using storage.ImageDigestBigDataKey for future users that don’t specify any digest and for compatibility with older readers. +- key := manifestBigDataKey(s.manifestDigest) ++ key, err := manifestBigDataKey(s.manifestDigest) ++ if err != nil { ++ return errors.Wrapf(err, "getting manifest big data key for image %q", img.ID) ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, s.manifest, manifest.Digest); err != nil { + logrus.Debugf("error saving manifest for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving manifest for image %q", img.ID) +@@ -1167,7 +1190,10 @@ func (s *storageImageDestination) Commit(ctx context.Context, unparsedToplevel t + } + } + for instanceDigest, signatures := range s.signatureses { +- key := signatureBigDataKey(instanceDigest) ++ key, err := signatureBigDataKey(instanceDigest) ++ if err != nil { ++ return err ++ } + if err := s.imageRef.transport.store.SetImageBigData(img.ID, key, signatures, manifest.Digest); err != nil { + logrus.Debugf("error saving signatures for image %q: %v", img.ID, err) + return errors.Wrapf(err, "saving signatures for image %q", img.ID) +diff --git a/vendor/github.com/containers/image/v5/storage/storage_reference.go b/vendor/github.com/containers/image/v5/storage/storage_reference.go +index 1aafe9068..ea4846346 100644 +--- a/vendor/github.com/containers/image/v5/storage/storage_reference.go ++++ b/vendor/github.com/containers/image/v5/storage/storage_reference.go +@@ -72,7 +72,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image, + // We don't need to care about storage.ImageDigestBigDataKey because + // manifests lists are only stored into storage by c/image versions + // that know about manifestBigDataKey, and only using that key. +- key := manifestBigDataKey(manifestDigest) ++ key, err := manifestBigDataKey(manifestDigest) ++ if err != nil { ++ return false // This should never happen, manifestDigest comes from a reference.Digested, and that validates the format. ++ } + manifestBytes, err := store.ImageBigData(img.ID, key) + if err != nil { + return false +@@ -94,7 +97,10 @@ func multiArchImageMatchesSystemContext(store storage.Store, img *storage.Image, + if err != nil { + return false + } +- key = manifestBigDataKey(chosenInstance) ++ key, err = manifestBigDataKey(chosenInstance) ++ if err != nil { ++ return false ++ } + _, err = store.ImageBigData(img.ID, key) + return err == nil // true if img.ID is based on chosenInstance. + } +-- +2.34.1 +