Resolves: #2066840,#2070114 - Security fix for CVE-2022-27651

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

.gitignore

@@ -598,3 +598,17 @@
 /buildah-8f63761.tar.gz
 /buildah-885e9c1.tar.gz
 /buildah-9eb048a.tar.gz
+/v1.20.0.tar.gz
+/v1.20.1.tar.gz
+/v1.21.0.tar.gz
+/v1.21.1.tar.gz
+/buildah-8d08247.tar.gz
+/v1.21.2.tar.gz
+/buildah-ec35bc4.tar.gz
+/v1.21.3.tar.gz
+/v1.21.4.tar.gz
+/v1.22.0.tar.gz
+/v1.22.3.tar.gz
+/v1.23.0.tar.gz
+/v1.23.1.tar.gz
+/v1.23.3.tar.gz

CVE-2022-27651-1.patch

@@ -0,0 +1,58 @@
+From d16cb975d83acb5a30d3a4c3e2ef78b8070c6a7b Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 10:38:48 +0100
+Subject: [PATCH 1/2] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace.  Emulate the same behavior.
+
+Closes: CVE-2022-27651
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit e7e55c988c05dd74005184ceb64f097a0cfe645b)
+Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
+---
+ chroot/run.go | 2 +-
+ run_linux.go  | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index e6f28e81..5634240a 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+ 	capMap := map[capability.CapType][]string{
+ 		capability.BOUNDING:    spec.Process.Capabilities.Bounding,
+ 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
+-		capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
++		capability.INHERITABLE: []string{},
+ 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
+ 		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+ 	}
+diff --git a/run_linux.go b/run_linux.go
+index 113c83ef..5905d888 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -1935,9 +1935,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
+ 		if err := g.AddProcessCapabilityEffective(cap); err != nil {
+ 			return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
+ 		}
+-		if err := g.AddProcessCapabilityInheritable(cap); err != nil {
+-			return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
+-		}
+ 		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
+ 			return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
+ 		}
+@@ -1956,9 +1953,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
+ 		if err := g.DropProcessCapabilityEffective(cap); err != nil {
+ 			return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
+ 		}
+-		if err := g.DropProcessCapabilityInheritable(cap); err != nil {
+-			return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
+-		}
+ 		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
+ 			return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
+ 		}
+-- 
+2.35.1
+

CVE-2022-27651-2.patch

@@ -0,0 +1,54 @@
+From d190df39916fcb559798d0fc0ade6307ebe5f4cd Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 24 Mar 2022 16:32:47 -0400
+Subject: [PATCH 2/2] Add a test for CVE-2022-27651
+
+Check that the inheritable capabilities are set to 0, even when we
+explicitly try to add capabilities.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+(cherry picked from commit 90b3254c7404039c1c786999ac189654228f6e0e)
+Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
+---
+ tests/run.bats | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/run.bats b/tests/run.bats
+index 6044d673..c974018c 100644
+--- a/tests/run.bats
++++ b/tests/run.bats
+@@ -687,3 +687,31 @@ _EOF
+ 	uncolored="$output"
+ 	[ "$colored" != "$uncolored" ]
+ }
++
++@test "rootless on cgroupv2 and systemd runs under user.slice" {
++	skip_if_no_runtime
++	skip_if_cgroupsv1
++	skip_if_in_container
++	if test "$DBUS_SESSION_BUS_ADDRESS" = ""; then
++		skip "${1:-test does not work when \$BUILDAH_ISOLATION = chroot}"
++	fi
++	_prefetch alpine
++
++	run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
++	cid=$output
++	run_buildah run --cgroupns=host $cid cat /proc/self/cgroup
++	expect_output --substring "/user.slice/"
++}
++
++@test "run-inheritable-capabilities" {
++	skip_if_no_runtime
++
++	_prefetch alpine
++
++	run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
++	cid=$output
++	run_buildah run $cid grep ^CapInh: /proc/self/status
++	expect_output "CapInh:	0000000000000000"
++	run_buildah run --cap-add=ALL $cid grep ^CapInh: /proc/self/status
++	expect_output "CapInh:	0000000000000000"
++}
+-- 
+2.35.1
+

buildah.spec

@@ -24,24 +24,26 @@
 # https://github.com/containers/buildah
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 9eb048a8b3c02fd5e946a01d72a4facf6c1700bc
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+# To build random commit
+#%%global commit0 baba8de3ddad18bb6eb7abd6d17972c8403f8f25
 
-# Used for comparing with latest upstream tag
-# to decide whether to autobuild (non-rawhide only)
-%define built_tag v1.19.4
-%define built_tag_strip %(b=%{built_tag}; echo ${b:1})
-%define download_url https://%{import_path}/archive/%{built_tag}.tar.gz
+%global built_tag v1.23.3
+%global built_tag_strip %(b=%{built_tag}; echo ${b:1})
 
 Name: %{repo}
-Version: 1.20.0
-Release: 0.19.dev.git%{shortcommit0}%{?dist}
+Version: 1.23.3
+Release: 1%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
-Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Source0: %{git0}/archive/%{built_tag}.tar.gz
+Patch0: CVE-2022-27651-1.patch
+Patch1: CVE-2022-27651-2.patch
+# To build random commit
+#Source0: %%{git0}/archive/%%{commit0}.tar.gz
 BuildRequires: device-mapper-devel
-BuildRequires: golang
+BuildRequires: golang >= 1.16.6
+BuildRequires: go-rpm-macros
 BuildRequires: git
 BuildRequires: glib2-devel
 BuildRequires: glibc-static
@@ -49,30 +51,14 @@ BuildRequires: go-md2man
 BuildRequires: gpgme-devel
 BuildRequires: libassuan-devel
 BuildRequires: make
-Requires: containers-common
-Requires: oci-runtime >= 2
-# No ostree for centos 7
-%if 0%{?fedora} || 0%{?centos} >= 8
 BuildRequires: ostree-devel
-%endif
-# No btrfs for centos 8
-%if 0%{?fedora} || 0%{?centos} <= 7 && ! 0%{?eln}
-BuildRequires: btrfs-progs-devel
-%endif
-%if 0%{?fedora}
 BuildRequires: libseccomp-static
+Requires: containers-common >= 4:1-20
 Requires: libseccomp >= 2.4.1-0
-Recommends: crun >= 0.17.1-1
-Recommends: container-selinux
-Recommends: slirp4netns >= 0.3-0
-Recommends: fuse-overlayfs
 Suggests: cpp
-%else
-BuildRequires: libseccomp-devel
-Requires: crun >= 0.17.1-1
-Requires: libseccomp
-Requires: container-selinux
-Requires: slirp4netns >= 0.3-0
+# No btrfs for centos 8
+%if 0%{?fedora}
+BuildRequires: btrfs-progs-devel
 %endif
 
 %description
@@ -95,6 +81,7 @@ Requires: golang
 Requires: jq
 Requires: httpd-tools
 Requires: openssl
+Requires: nmap-ncat
 
 %description tests
 %{summary}
@@ -102,7 +89,8 @@ Requires: openssl
 This package contains system tests for %{name}
 
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit -n %{name}-%{built_tag_strip}
+#%%autosetup -Sgit -n %%{name}-%%{commit0}
 sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
 sed -i '/docs install/d' Makefile
 
@@ -118,13 +106,13 @@ mv vendor src
 export GOPATH=$(pwd)/_build:$(pwd)
 export CGO_CFLAGS="-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 %ifarch x86_64
-export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic"
-%if 0%{?fedora} || 0%{?centos} >= 8
-export CGO_CFLAGS="$CGO_CFLAGS -fcf-protection"
-%endif
+export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
 %endif
 # These extra flags present in %%{optflags} have been skipped for now as they break the build
-#export CGO_CFLAGS="$CGO_CFLAGS -flto=auto -Wp,D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
+#export CGO_CFLAGS+=" -flto=auto -Wp,D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
+
+export CNI_VERSION=`grep '^# github.com/containernetworking/cni ' src/modules.txt | sed 's,.* ,,'`
+export LDFLAGS="-X main.buildInfo=`date +%s` -X main.cniVersion=${CNI_VERSION}"
 
 export BUILDTAGS='seccomp selinux'
 %if 0%{?centos} >= 8
@@ -132,6 +120,7 @@ export BUILDTAGS+=' exclude_graphdriver_btrfs'
 %endif
 %gobuild -o bin/%{name} %{import_path}/cmd/%{name}
 %gobuild -o bin/imgtype %{import_path}/tests/imgtype
+%gobuild -o bin/copy    %{import_path}/tests/copy
 GOMD2MAN=go-md2man %{__make} -C docs
 
 %install
@@ -142,6 +131,7 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system
 cp bin/imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
+cp bin/copy    %{buildroot}/%{_bindir}/%{name}-copy
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -158,9 +148,75 @@ cp bin/imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %files tests
 %license LICENSE
 %{_bindir}/%{name}-imgtype
+%{_bindir}/%{name}-copy
 %{_datadir}/%{name}/test
 
 %changelog
+* Wed Mar 30 2022 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.23.3-1
+- Resolves: #2066840,#2070114 - Security fix for CVE-2022-27651
+
+* Tue Sep 28 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.23.1-1
+- autobuilt v1.23.1
+
+* Tue Sep 14 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.23.0-1
+- autobuilt v1.23.0
+
+* Wed Aug 25 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.22.3-1
+- autobuilt v1.22.3
+
+* Thu Aug 05 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.22.0-1
+- autobuilt v1.22.0
+
+* Thu Aug 05 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.22.0-2
+- Resolves: #1974086 - correct build date in buildah version
+
+* Tue Aug 03 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.22.0-1
+- autobuilt v1.22.0
+
+* Mon Aug 02 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.21.4-5
+- Resolves: #1983596, #1987738 - Security fix for CVE-2021-34558
+
+* Fri Jul 23 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.21.4-4
+- ensure consistent version-release and changelog
+
+* Fri Jul 23 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.21.4-1
+- bump to v1.21.4
+- fix gating test issues
+
+* Thu Jul 22 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.21.3-3
+- try fix for copy-release
+
+* Thu Jul 22 2021 Eduardo Santiago <santiago@redhat.com> - 1.21.3-2
+- Try to deal with new buildah-copy-helper nightmare
+
+* Fri Jul 16 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.21.3-1
+- Resolves: #1969264, #1982880 - Security fix for CVE-2021-3602
+- bump to v1.21.3
+
+* Wed Jun 30 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.21.2-1
+- bump to v1.21.2
+
+* Tue Jun 08 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.21.1-1
+- autobuilt v1.21.1
+
+* Fri May 21 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.21.0-1
+- autobuilt v1.21.0
+
+* Thu Apr 22 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.20.1-4
+- fix gating tests
+
+* Tue Apr 20 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.20.1-3
+- adjust deps and stay ahead of f33
+
+* Fri Apr 16 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.20.1-2
+- rebuild for buildah-tests
+
+* Wed Apr 14 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.20.1-1
+- autobuilt v1.20.1
+
+* Mon Mar 29 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.20.0-1
+- bump to v1.20.0
+
 * Tue Feb 09 2021 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.20.0-0.19.dev.git9eb048a
 - autobuilt 9eb048a
 

sources

@@ -1 +1 @@
-SHA512 (buildah-9eb048a.tar.gz) = 15318f699a3591d31db19e7254b28c69af459f8215a9f05dd065cee8dead68642e0837de78f11826278b293443bf15840c0730f1a0422835853aff0a04516848
+SHA512 (v1.23.3.tar.gz) = c3f42d580bafd5a359709d65ae41376ab83e4fa59fcfb4e2522e13f8ae343997512aece0691326b689250a13498c91f3d9a5043a761608c2f2ea6d9a77568399

tests/test_buildah.sh

@@ -13,13 +13,14 @@ env | grep -v LS_COLORS= | sort | sed -e 's/^/  /'
 
 export BUILDAH_BINARY=/usr/bin/buildah
 export IMGTYPE_BINARY=/usr/bin/buildah-imgtype
+export COPY_BINARY=/usr/bin/buildah-copy
 
 ###############################################################################
 # BEGIN setup/teardown
 
 # Start a registry
 pre_bats_setup() {
-    REGISTRY_FQIN=docker.io/library/registry:2
+    REGISTRY_FQIN=quay.io/libpod/registry:2
 
     AUTHDIR=/tmp/buildah-tests-auth.$$
     mkdir -p $AUTHDIR