
Conversation

bootc-bot[bot] commented Sep 5, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/containers/buildah | v1.35.3 -> v1.38.0 | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-9407

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.

CVE-2024-9675

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a RUN instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

CVE-2024-11218

Impact

With careful use of the --mount flag in RUN instructions in Containerfiles, and by using either multi-stage builds with use of concurrently-executing build stages (e.g., using the --jobs CLI flag) or multiple separate but concurrently-executing builds, a malicious Containerfile can be used to expose content from the build host to the command being run using the RUN instruction. This can be used to read or write contents using the privileges of the process which is performing the build. When that process is a root-owned podman system service which is provided for use by unprivileged users, this includes the ability to read and write contents which the client should not be allowed to read and write, including setuid executables in locations where they can be later accessed by unprivileged users.

Patches

Patches have been merged to the main branch, and will be added to upcoming releases on the release-1.38, release-1.37, release-1.35, and release-1.33 branches.

This addressed a number of Jira cards, but primarily https://issues.redhat.com/browse/RHEL-67616 and https://issues.redhat.com/browse/RHEL-67618, which were then vendored into Podman and backported into older branches.

Workarounds

Mandatory access controls should limit the access of the process performing the build, on systems where they are enabled.


Release Notes

containers/buildah (github.com/containers/buildah)

v1.38.0

Compare Source

Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0
fix(deps): update module golang.org/x/crypto to v0.29.0
fix(deps): update module github.com/moby/buildkit to v0.17.1
fix(deps): update module github.com/containers/storage to v1.56.0
tests: skip two ulimit tests
CI VMs: bump f40 -> f41
tests/tools: rebuild tools when we change versions
tests/tools: update golangci-lint to v1.61.0
fix(deps): update module github.com/moby/buildkit to v0.17.0
Handle RUN --mount with relative targets and no configured workdir
tests: bud: make parallel-safe
fix(deps): update module github.com/opencontainers/runc to v1.2.1
fix(deps): update golang.org/x/exp digest to f66d83c
fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a
tests: blobcache: use unique image name
tests: sbom: never write to cwd
tests: mkcw: bug fixes, refactor
deps: bump runc to v1.2.0
deps: switch to moby/sys/userns
tests/test_runner.sh: remove some redundancies
Integration tests: run git daemon on a random-but-bind()able port
fix(deps): update module github.com/opencontainers/selinux to v1.11.1
go.mod: remove unnecessary replace
Document more buildah build --secret options
Add support for COPY --exclude and ADD --exclude options
fix(deps): update github.com/containers/luksy digest to e2530d6
chore(deps): update dependency containers/automation_images to v20241010
fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4
Properly validate cache IDs and sources
[skip-ci] Packit: constrain koji job to fedora package to avoid dupes
Audit and tidy OWNERS
fix(deps): update module golang.org/x/crypto to v0.28.0
tests: add quotes to names
vendor: update c/common to latest
CVE-2024-9407: validate "bind-propagation" flag settings
vendor: switch to moby/sys/capability
Don't set ambient capabilities
Document that zstd:chunked is downgraded to zstd when encrypting
fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3
buildah-manifest-create.1: Fix manpage section
chore(deps): update dependency ubuntu to v24
Make buildah manifest push --all true by default
chroot: add newlines at the end of printed error messages
Do not error on trying to write IMA xattr as rootless
fix: remove duplicate conditions
fix(deps): update module github.com/moby/buildkit to v0.16.0
fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2
Document how entrypoint is configured in buildah config
In a container, try to register binfmt_misc
imagebuildah.StageExecutor: clean up volumes/volumeCache
build: fall back to parsing a TARGETPLATFORM build-arg
manifest add --artifact: handle multiple values
Packit: split out ELN jobs and reuse fedora downstream targets
Packit: Enable sidetags for bodhi updates
fix(deps): update module github.com/docker/docker to v27.2.1+incompatible
tests/bud.bats: add git source
add: add support for git source
Add support for the new c/common pasta options
vendor latest c/common
fix(deps): update module golang.org/x/term to v0.24.0
fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0
packit: update fedora and epel targets
cirrus: disable f39 testing
cirrus: fix fedora names
update to go 1.22
Vendor c/common:9d025e4cb348
copier: handle globbing with "**" path components
fix(deps): update golang.org/x/exp digest to 9b4947d
fix(deps): update github.com/containers/luksy digest to 2e7307c
imagebuildah: make scratch config handling toggleable
fix(deps): update module github.com/docker/docker to v27.2.0+incompatible
Add a validation script for Makefile $(SOURCES)
fix(deps): update module github.com/openshift/imagebuilder to v1.2.15
New VMs
Update some godocs, use 0o to prefix an octal in a comment
buildah-build.1.md: expand the --layer-label description
fix(deps): update module github.com/containers/common to v0.60.2
run: fix a nil pointer dereference on FreeBSD
CI: enable the whitespace linter
Fix some govet linter warnings
Commit(): retry committing to local storage on storage.LayerUnknown
CI: enable the gofumpt linter
conformance: move weirdly-named files out of the repository
fix(deps): update module github.com/docker/docker to v27.1.2+incompatible
fix(deps): update module github.com/containers/common to v0.60.1
*: use gofmt -s, add gofmt linter
*: fix build tags
fix(deps): update module github.com/containers/image/v5 to v5.32.1
Add(): re-escape any globbed items that included escapes
conformance tests: use mirror.gcr.io for most images
unit tests: use test-specific policy.json and registries.conf
fix(deps): update module golang.org/x/sys to v0.24.0
Update to spun-out "github.com/containerd/platforms"
Bump github.com/containerd/containerd
test/tools/Makefile: duplicate the vendor-in-container target
linters: unchecked error
linters: don't end loop iterations with "else" when "then" would
linters: unused arguments shouldn't have names
linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5()
linters: don't name variables "cap"
make lint: use --timeout instead of --deadline
Drop the e2e test suite
fix(deps): update module golang.org/x/crypto to v0.26.0
fix(deps): update module github.com/onsi/gomega to v1.34.1
make vendor-in-container: use the caller's Go cache if it exists
fix(deps): fix test/tools ginkgo typo
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1
Update to keep up with API changes in storage
fix(deps): update github.com/containers/luksy digest to 1f482a9
install: On Debian/Ubuntu, add installation of libbtrfs-dev
fix(deps): update module golang.org/x/sys to v0.23.0
fix(deps): update golang.org/x/exp digest to 8a7402a
fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2
Use Epoch: 2 and respect the epoch in dependencies.
Bump to Buildah v1.38.0-dev
AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields
Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions
integration tests: teach starthttpd() about TLS and pid files

v1.37.6

Compare Source

What's Changed

Notable changes

Full Changelog: containers/buildah@v1.37.5...v1.37.6

v1.37.5

Compare Source

What's Changed

Notable changes

Full Changelog: containers/buildah@v1.37.4...v1.37.5

v1.37.4

Compare Source

What's Changed

Notable changes

Full Changelog: containers/buildah@v1.37.3...v1.37.4

v1.37.3

Compare Source

What's Changed

Notable changes

Full Changelog: containers/buildah@v1.37.2...v1.37.3

v1.37.2

Compare Source

What's Changed

Notable changes

Full Changelog: containers/buildah@v1.37.1...v1.37.2

v1.37.1

Compare Source

[release-1.37] Bump c/common v0.60.1, c/image v5.32.1
[release-1.37] Bump to Buildah v1.37.1

Full Changelog: containers/buildah@v1.37.0...v1.37.1

v1.37.0

Compare Source

Bump c/storage, c/image, c/common for v1.37.0
"build with basename resolving user arg" tests: correct ARG use
bud-multiple-platform-no-run test: correct ARG use
imagebuildah: always have default values for $TARGET... args ready
bump github.com/openshift/imagebuilder to v1.2.14
fix(deps): update module github.com/docker/docker to v27.1.1+incompatible
fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1
fix(deps): update module github.com/docker/docker to v27.1.0+incompatible
CI: use local registry, part 2 of 2
CI: use local registry, part 1 of 2
fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.1
Revert "fix(deps): update github.com/containers/image/v5 to v5.31.1"
Replace libimage.LookupReferenceFunc with the manifests version
conformance tests: enable testing CompatVolumes
conformance tests: add a test that tries to chown a volume
imagebuildah: make traditional volume handling not the default
StageExecutor.prepare(): mark base image volumes for preservation
fix(deps): update module github.com/containers/image/v5 to v5.31.1
Vendor in latest containers/(common, storage, image)
fix(deps): update module golang.org/x/term to v0.22.0
fix(deps): update module golang.org/x/sys to v0.22.0
fix(deps): update golang.org/x/exp digest to 7f521ea
fix(deps): update github.com/containers/luksy digest to a8846e2
imagebuildah.StageExecutor.Copy(): reject new flags for now
bump github.com/openshift/imagebuilder to v1.2.11
Rework parsing of --pull flags
fix(deps): update module github.com/containers/image/v5 to v5.31.1
imagebuildah.StageExecutor.prepare(): log the --platform flag
CI VMs: bump
buildah copy: preserve owner info with --from= a container or image
conformance tests: enable testing CompatSetParent
containerImageRef.NewImageSource(): move the FROM comment to first
commit: set "parent" for docker format only when requested
Update godoc for Builder.EnsureContainerPathAs
fix(deps): update module github.com/spf13/cobra to v1.8.1
fix(deps): update module github.com/containernetworking/cni to v1.2.0
fix(deps): update module github.com/opencontainers/runc to v1.1.13
Change default for podman build to --pull missing
fix(deps): update module github.com/containers/common to v0.59.1
Clarify definition of --pull options
buildah: fix a nil pointer reference on FreeBSD
Use /var/tmp for $TMPDIR for vfs conformance jobs
Cirrus: run df during job setup
conformance: use quay.io/libpod/centos:7 instead of centos:8
Stop setting "parent" in docker format
conformance: check if workdir trims path separator suffixes
push integration test: pass password to docker login via stdin
Re-enable the "copy with chown" conformance test
healthcheck: Add support for --start-interval
fix(deps): update module github.com/docker/docker to v26.1.4+incompatible
fix(deps): update module github.com/containerd/containerd to v1.7.18
tests: set _CONTAINERS_USERNS_CONFIGURED=done for libnetwork
Cross-build on Fedora
Drop copyStringSlice() and copyStringStringMap()
fix(deps): update module golang.org/x/crypto to v0.24.0
fix(deps): update module github.com/openshift/imagebuilder to v1.2.10
Provide an uptime_netbsd.go
Spell unix as "!windows"
Add netbsd to lists-of-OSes
fix(deps): update golang.org/x/exp digest to fd00a4e
[skip-ci] Packit: enable c10s downstream sync
CI VMs: bump, to debian with cgroups v2
Document when BlobDirectory is overridden
fix secret mounts for env vars when using chroot isolation
Change to take a types.ImageReference arg
imagebuildah: Support custom image reference lookup for cache push/pull
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.0
Bump to v1.37.0-dev
CI: Clarify Debian use for conformance tests

v1.36.0

Compare Source

build: be more selective about specifying the default OS
Bump to c/common v0.59.0
Fix buildah prune --help showing the same example twice
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.18.0
fix(deps): update module github.com/containers/image/v5 to v5.31.0
bud tests: fix breakage when vendoring into podman
Integration tests: fake up a replacement for nixery.dev/shell
copierWithSubprocess(): try to capture stderr on io.ErrClosedPipe
Don't expand RUN heredocs ourselves, let the shell do it
Don't leak temp files on failures
Add release note template to split dependency chores
fix CentOS/RHEL build - no BATS there
fix(deps): update module github.com/containers/luksy to v0.0.0-20240506205542-84b50f50f3ee
Address CVE-2024-3727
chore(deps): update module github.com/opencontainers/runtime-spec to v1.2.0
Builder.cdiSetupDevicesInSpecdefConfig(): use configured CDI dirs
Setting --arch should set the TARGETARCH build arg
fix(deps): update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f
[CI:DOCS] Add link to Buildah image page to README.md
Don't set GOTOOLCHAIN=local
fix(deps): update module github.com/cyphar/filepath-securejoin to v0.2.5
Makefile: set GOTOOLCHAIN=local
Integration tests: switch some base images
containerImageRef.NewImageSource: merge the tar filters
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.2
fix(deps): update module github.com/containers/luksy to v0.0.0-20240408185936-afd8e7619947
Disable packit builds for centos-stream+epel-next-8
Makefile: add missing files to $(SOURCES)
CI VMs: bump to new versions with tmpfs /tmp
chore(deps): update module golang.org/x/net to v0.23.0 [security]
integration test: handle new labels in "bud and test --unsetlabel"
Switch packit configuration to use epel-9-$arch ...
Give unit tests a bit more time
Integration tests: remove a couple of duplicated tests
Integration tests: whitespace tweaks
Integration tests: don't remove images at start or end of test
Integration tests: use cached images more
Integration tests _prefetch: use registry configs
internal: use fileutils.(Le|E)xists
pkg/parse: use fileutils.(Le|E)xists
buildah: use fileutils.(Le|E)xists
chroot: use fileutils.(Le|E)xists
vendor: update containers/(common|storage)
Fix issue/pr lock workflow
[CI:DOCS] Add golang 1.21 update warning
heredoc: honor inline COPY irrespective of ignorefiles
Update install.md
source-push: add support for --digestfile
Fix caching when mounting a cached stage with COPY/ADD
fix(deps): update github.com/containers/luksy digest to 3d2cf0e
Makefile: softcode strip, use it from env var
Man page updates
Add support for passing CDI specs to --device
Update comments on some API objects
pkg/parse.DeviceFromPath(): dereference src symlinks
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1

v1.35.5

Compare Source

What's Changed

Full Changelog: containers/buildah@v1.35.4...v1.35.5

v1.35.4

Compare Source

What's Changed

Full Changelog: containers/buildah@v1.35.3...v1.35.4


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

bootc-bot[bot] (Author) commented Sep 5, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 69 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/containers/common | v0.58.1 -> v0.61.0 |
| github.com/distribution/reference | v0.5.0 -> v0.6.0 |
| github.com/gofrs/flock | v0.8.1 -> v0.12.1 |
| github.com/onsi/ginkgo/v2 | v2.17.1 -> v2.21.0 |
| github.com/onsi/gomega | v1.32.0 -> v1.35.1 |
| github.com/spf13/cobra | v1.8.0 -> v1.8.1 |
| golang.org/x/crypto | v0.28.0 -> v0.29.0 |
| golang.org/x/sys | v0.26.0 -> v0.27.0 |
| golang.org/x/term | v0.25.0 -> v0.26.0 |
| dario.cat/mergo | v1.0.0 -> v1.0.1 |
| github.com/BurntSushi/toml | v1.3.2 -> v1.4.0 |
| github.com/Microsoft/go-winio | v0.6.1 -> v0.6.2 |
| github.com/Microsoft/hcsshim | v0.12.0-rc.3 -> v0.12.9 |
| github.com/containerd/errdefs | v0.1.0 -> v0.3.0 |
| github.com/containerd/typeurl/v2 | v2.1.1 -> v2.2.0 |
| github.com/containers/image/v5 | v5.30.0 -> v5.33.0 |
| github.com/containers/ocicrypt | v1.1.9 -> v1.2.0 |
| github.com/containers/storage | v1.53.0 -> v1.56.0 |
| github.com/cyphar/filepath-securejoin | v0.2.4 -> v0.3.4 |
| github.com/docker/docker | v25.0.3+incompatible -> v27.3.1+incompatible |
| github.com/docker/docker-credential-helpers | v0.8.1 -> v0.8.2 |
| github.com/fsnotify/fsnotify | v1.7.0 -> v1.8.0 |
| github.com/fsouza/go-dockerclient | v1.10.1 -> v1.12.0 |
| github.com/go-logr/logr | v1.4.1 -> v1.4.2 |
| github.com/go-openapi/analysis | v0.21.4 -> v0.23.0 |
| github.com/go-openapi/errors | v0.21.1 -> v0.22.0 |
| github.com/go-openapi/jsonpointer | v0.19.6 -> v0.21.0 |
| github.com/go-openapi/jsonreference | v0.20.2 -> v0.21.0 |
| github.com/go-openapi/loads | v0.21.2 -> v0.22.0 |
| github.com/go-openapi/runtime | v0.26.0 -> v0.28.0 |
| github.com/go-openapi/spec | v0.20.9 -> v0.21.0 |
| github.com/go-openapi/strfmt | v0.22.2 -> v0.23.0 |
| github.com/go-openapi/swag | v0.22.10 -> v0.23.0 |
| github.com/go-openapi/validate | v0.22.1 -> v0.24.0 |
| github.com/golang/protobuf | v1.5.3 -> v1.5.4 |
| github.com/google/go-containerregistry | v0.19.0 -> v0.20.2 |
| github.com/google/pprof | v0.0.0-20230323073829-e72429f035bd -> v0.0.0-20241029153458-d1b30febd7db |
| github.com/klauspost/compress | v1.17.7 -> v1.17.11 |
| github.com/letsencrypt/boulder | v0.0.0-20230907030200-6d76a0f91e1e -> v0.0.0-20240620165639-de9c06129bec |
| github.com/mattn/go-runewidth | v0.0.15 -> v0.0.16 |
| github.com/mattn/go-sqlite3 | v1.14.22 -> v1.14.24 |
| github.com/moby/buildkit | v0.12.5 -> v0.17.1 |
| github.com/moby/sys/mountinfo | v0.7.1 -> v0.7.2 |
| github.com/moby/sys/sequential | v0.5.0 -> v0.6.0 |
| github.com/opencontainers/runc | v1.1.12 -> v1.2.1 |
| github.com/opencontainers/runtime-tools | v0.9.1-0.20230914150019-408c51e934dc -> v0.9.1-0.20241001195557-6c9570a1678f |
| github.com/opencontainers/selinux | v1.11.0 -> v1.11.1 |
| github.com/openshift/imagebuilder | v1.2.6 -> v1.2.15 |
| github.com/pkg/sftp | v1.13.6 -> v1.13.7 |
| github.com/sigstore/fulcio | v1.4.3 -> v1.6.4 |
| github.com/sigstore/rekor | v1.2.2 -> v1.3.6 |
| github.com/sigstore/sigstore | v1.8.2 -> v1.8.9 |
| github.com/stefanberger/go-pkcs11uri | v0.0.0-20201008174630-78d3cae3a980 -> v0.0.0-20230803200340-78284954bff6 |
| github.com/sylabs/sif/v2 | v2.15.1 -> v2.19.1 |
| github.com/ulikunitz/xz | v0.5.11 -> v0.5.12 |
| github.com/vbatts/tar-split | v0.11.5 -> v0.11.6 |
| github.com/vbauerster/mpb/v8 | v8.7.2 -> v8.8.3 |
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | v0.45.0 -> v0.53.0 |
| go.opentelemetry.io/otel | v1.22.0 -> v1.28.0 |
| go.opentelemetry.io/otel/metric | v1.22.0 -> v1.28.0 |
| go.opentelemetry.io/otel/trace | v1.22.0 -> v1.28.0 |
| golang.org/x/exp | v0.0.0-20240222234643-814bf88cf225 -> v0.0.0-20241009180824-f66d83c29e7c |
| golang.org/x/sync | v0.8.0 -> v0.9.0 |
| golang.org/x/text | v0.19.0 -> v0.20.0 |
| golang.org/x/time | v0.3.0 -> v0.6.0 |
| golang.org/x/tools | v0.21.1-0.20240508182429-e35e4ccd0d2d -> v0.26.0 |
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20231212172506-995d672761c0 -> v0.0.0-20240903143218-8af14fe29dc1 |
| google.golang.org/grpc | v1.61.0 -> v1.67.0 |
| tags.cncf.io/container-device-interface | v0.6.2 -> v0.8.0 |

bootc-bot[bot] (Author) commented Sep 5, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
