From a2a497f5493bf3062f70829c44e432755a71f839 Mon Sep 17 00:00:00 2001
From: Jianmin
Date: Fri, 22 Aug 2025 12:18:32 +0800
Subject: [PATCH] fix CVE-2024-9341 CVE-2024-45337
---
 backport-fix-CVE-2024-45337.patch | 53 +++++++++++++++++++++++++++++++
 backport-fix-CVE-2024-9341.patch | 37 +++++++++++++++++++++
 buildah.spec | 16 +++++++++-
 3 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-CVE-2024-45337.patch
 create mode 100644 backport-fix-CVE-2024-9341.patch
diff --git a/backport-fix-CVE-2024-45337.patch b/backport-fix-CVE-2024-45337.patch
new file mode 100644
index 0000000..1c9147f
--- /dev/null
+++ b/backport-fix-CVE-2024-45337.patch
@@ -0,0 +1,53 @@
+From 2204608f663c25082e5f191b16caf8610429edc7 Mon Sep 17 00:00:00 2001
+From: Jianmin
+Date: Fri, 22 Aug 2025 16:41:28 +0800
+Subject: [PATCH] [backport] fix CVE-2024-45337
+
+---
+ vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
+index c2dfe32..39dcc09 100644
+--- a/vendor/golang.org/x/crypto/ssh/server.go
++++ b/vendor/golang.org/x/crypto/ssh/server.go
+@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
+ }
+ 
+ // cachedPubKey contains the results of querying whether a public key is
+-// acceptable for a user.
++// acceptable for a user. This is a FIFO cache.
+ type cachedPubKey struct {
+ user string
+ pubKeyData []byte
+@@ -157,7 +157,13 @@ type cachedPubKey struct {
+ perms *Permissions
+ }
+ 
+-const maxCachedPubKeys = 16
++// maxCachedPubKeys is the number of cache entries we store.
++//
++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
++// to 1, such that the only key in the cache is the most recently seen one. This
++// forces the behavior that the last call to PublicKeyCallback will always be
++// with the key that is used for authentication.
++const maxCachedPubKeys = 1
+ 
+ // pubKeyCache caches tests for public keys. Since SSH clients
+ // will query whether a public key is acceptable before attempting to
+@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
+ 
+ // add adds the given tuple to the cache.
+ func (c *pubKeyCache) add(candidate cachedPubKey) {
+- if len(c.keys) < maxCachedPubKeys {
+- c.keys = append(c.keys, candidate)
++ if len(c.keys) >= maxCachedPubKeys {
++ c.keys = c.keys[1:]
+ }
++ c.keys = append(c.keys, candidate)
+ }
+ 
+ // ServerConn is an authenticated SSH connection, as seen from the
+-- 
+2.39.5 (Apple Git-154)
+
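Review bot: The backport touches only vendor/golang.org/x/crypto/ssh/server.go (the inner diffstat reads `1 file changed`), so vendor/modules.txt and go.mod still record the pre-fix x/crypto version, and govulncheck, SBOM and distro scanners that key on the module version will keep reporting CVE-2024-45337 against this build. Consider stating this in the patch description, for example `Vendored x/crypto module version is unchanged; the fix is applied directly to server.go.`, so downstream triage can mark the finding as addressed. If I recall correctly, the upstream fix also revised the doc comment on ServerConfig.PublicKeyCallback to spell out that only the last callback invocation is authoritative; since callers of the vendored copy rely on that contract, it may be worth carrying that comment change as well. The `add` method is fully within the hunk, and with `maxCachedPubKeys = 1` the `c.keys = c.keys[1:]` followed by the unconditional append keeps exactly one entry, so the logic itself looks right.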
diff --git a/backport-fix-CVE-2024-9341.patch b/backport-fix-CVE-2024-9341.patch
new file mode 100644
index 0000000..4963f4d
--- /dev/null
+++ b/backport-fix-CVE-2024-9341.patch
@@ -0,0 +1,37 @@
+From fc61d94066bc98fe785ec05af65a5a7004a4f11b Mon Sep 17 00:00:00 2001
+From: Jianmin
+Date: Tue, 14 Jan 2025 11:55:30 +0800
+Subject: [PATCH] [backport] pkg/subscriptions: use securejoin for the
+ container path
+
+---
+ .../containers/common/pkg/subscriptions/subscriptions.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+index 6ba2154..d976329 100644
+--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
++++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+@@ -10,6 +10,7 @@ import (
+ 
+ "github.com/containers/common/pkg/umask"
+ "github.com/containers/storage/pkg/idtools"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
+ 
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
++ if err != nil {
++ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
++ }
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/buildah.spec b/buildah.spec
index db28492..b03dc88 100644
--- a/buildah.spec
+++ b/buildah.spec
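Review bot: The new import `securejoin "github.com/cyphar/filepath-securejoin"` is added to the vendored subscriptions.go while the inner diffstat shows only that one file changed, so the build relies on that module already being listed in vendor/modules.txt; if it is not, `go build -mod=vendor` fails at this import, and the patch description should name the vendored version it depends on. `securejoin.SecureJoin(mountPoint, srcBackendDir)` resolves symlinks under mountPoint at join time, but the following `os.Stat(srcOnHost)` and whatever uses srcOnHost afterwards operate on the already-resolved path, so a rootfs that can change between those calls is presumably still a narrow window; a comment such as `// SecureJoin keeps srcOnHost inside mountPoint even if the image contains a symlink at srcBackendDir` would record the property being relied on. addFIPSModeSubscription starts before the hunk and continues past it, so whether `srcOnHost, err :=` shadows an outer `err` cannot be judged from here.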
@@ -22,7 +22,7 @@
 
 Name: buildah
 Version: 1.34.1
-Release: 7
+Release: 9
 Summary: A command line tool used for creating OCI Images
 License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0
 URL: https://%{name}.io
@@ -35,6 +35,8 @@ Patch0003: 0003-fix-CVE-2024-28180.patch
 Patch0004: 0004-fix-CVE-2024-3727.patch
 Patch0005: backport-fix-CVE-2025-22869.patch
 Patch0006: backport-fix-CVE-2025-27144.patch
+Patch0007: backport-fix-CVE-2024-9341.patch
+Patch0008: backport-fix-CVE-2024-45337.patch
 
 BuildRequires: device-mapper-devel
 BuildRequires: git-core
@@ -150,6 +152,18 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/*
 %{_datadir}/%{name}/test
 
 %changelog
+* Fri Aug 22 2025 Jianmin - 1.34.1-9
+-Type:cve
+-CVE:CVE-2024-45337
+-SUG:NA
+-DESC:backport CVE-2024-45337
+
+* Fri Aug 22 2025 Jianmin - 1.34.1-8
+-Type:cve
+-CVE:CVE-2024-9341
+-SUG:NA
+-DESC:backport CVE-2024-9341
+
 * Mon Apr 7 2025 zhangbowei - 1.34.1-7
 -Type:cve
 -CVE:CVE-2025-27144
-- 
Gitee