Patch buildah for CVE-2022-27651 (#4264)

* Add patch for CVE-2022-27651

* Add -p1 to autosetup directive

SPECS/buildah/CVE-2022-27651.patch

@@ -0,0 +1,53 @@
+From e7e55c988c05dd74005184ceb64f097a0cfe645b Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 10:38:48 +0100
+Subject: [PATCH] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace.  Emulate the same behavior.
+
+Closes: CVE-2022-27651
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ chroot/run.go | 2 +-
+ run_linux.go  | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index badb51e34f..dcfbd0f247 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -897,7 +897,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+ 	capMap := map[capability.CapType][]string{
+ 		capability.BOUNDING:    spec.Process.Capabilities.Bounding,
+ 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
+-		capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
++		capability.INHERITABLE: []string{},
+ 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
+ 		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+ 	}
+diff --git a/run_linux.go b/run_linux.go
+index 794636bf4c..eb9adbfb6b 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -1964,9 +1964,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
+ 		if err := g.AddProcessCapabilityEffective(cap); err != nil {
+ 			return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
+ 		}
+-		if err := g.AddProcessCapabilityInheritable(cap); err != nil {
+-			return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
+-		}
+ 		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
+ 			return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
+ 		}
+@@ -1985,9 +1982,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
+ 		if err := g.DropProcessCapabilityEffective(cap); err != nil {
+ 			return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
+ 		}
+-		if err := g.DropProcessCapabilityInheritable(cap); err != nil {
+-			return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
+-		}
+ 		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
+ 			return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
+ 		}

SPECS/buildah/buildah.spec

@@ -19,12 +19,15 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           %{repo}
 Version:        1.18.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://%{name}.io
 Source:         https://%{import_path}/archive/%{built_tag}.tar.gz#/%{name}-%{version}.tar.gz
+
+Patch0:         CVE-2022-27651.patch
+
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  git
@@ -54,7 +57,7 @@ or
 * delete a working container or an image
 
 %prep
-%autosetup -Sgit -n %{name}-%{built_tag_strip}
+%autosetup -p1 -Sgit -n %{name}-%{built_tag_strip}
 sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
 sed -i '/docs install/d' Makefile
 
@@ -87,6 +90,9 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Fri Nov 18 2022 Sam Meluch <sammeluch@microsoft.com> - 1.18.0-8
+- Add Patch for CVE-2022-27651
+
 * Tue Nov 01 2022 Ameya Usgaonkar <ausgaonkar@microsoft.com> - 1.18.0-7
 - Move to core packages
 - Remove tests package