From 87cc09305d7569deb7bb34bacf74ae8b848556a8 Mon Sep 17 00:00:00 2001
From: Jianmin
Date: Tue, 26 Aug 2025 21:03:15 +0800
Subject: [PATCH] [backport] fix CVE-2024-9407

(cherry picked from commit 44d2e7b193dfb6c553e031f8d166d5bfedb3b145)
---
 backport-fix-CVE-2024-9407.patch | 79 ++++++++++++++++++++++++++++++++
 buildah.spec | 9 +++-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-CVE-2024-9407.patch

diff --git a/backport-fix-CVE-2024-9407.patch b/backport-fix-CVE-2024-9407.patch
new file mode 100644
index 0000000..904ecb2
--- /dev/null
+++ b/backport-fix-CVE-2024-9407.patch
@@ -0,0 +1,79 @@
+From 732f77064830bb91062d475407b761ade2e4fe6b Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 1 Oct 2024 11:01:45 -0400
+Subject: [PATCH] CVE-2024-9407: validate "bind-propagation" flag settings
+
+CVE-2024-9407: validate that the value for the "bind-propagation" flag
+when handling "bind" and "cache" mounts in `buildah run` or in RUN
+instructions is one of the values that we would accept without the
+"bind-propagation=" prefix.
+
+Signed-off-by: Nalin Dahyabhai
+---
+ internal/volumes/volumes.go | 12 ++++++++++++
+ tests/bud.bats | 25 +++++++++++++++++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index 3d20ccb6899..ab97f80aea9 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -104,6 +104,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ if !hasArgValue {
+ return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ }
++ switch argValue {
++ default:
++ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, argValue)
+ case "src", "source":
+ if !hasArgValue {
+@@ -276,6 +282,12 @@ func GetCacheMount(args []string, _ storage.Store, _ string, additionalMountPoin
+ if !hasArgValue {
+ return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
+ }
++ switch argValue {
++ default:
++ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
++ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
++ // this should be the relevant parts of the same list of options we accepted above
++ }
+ newMount.Options = append(newMount.Options, argValue)
+ case "id":
+ if !hasArgValue {
+diff --git a/tests/bud.bats b/tests/bud.bats
+index 0a5c66ba345..76f7005a61a 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -6946,3 +6946,28 @@ _EOF
+ expect_output --substring "$podman_files"
+ expect_output --substring "$podman_processes"
+ }
++
++@test "build-validates-bind-bind-propagation" {
++ _prefetch alpine
++
++ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
++FROM alpine as base
++FROM alpine
++RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd
++_EOF
++
++ run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
++ expect_output --substring "invalid mount option"
++}
++
++@test "build-validates-cache-bind-propagation" {
++ _prefetch alpine
++
++ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
++FROM alpine
++RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd
++_EOF
++
++ run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
++ expect_output --substring "invalid mount option"
++}
diff --git a/buildah.spec b/buildah.spec
index b03dc88..7952b09 100644
--- a/buildah.spec
+++ b/buildah.spec
@@ -22,7 +22,7 @@ Name: buildah Version: 1.34.1 -Release: 9 +Release: 10 Summary: A command line tool used for creating OCI Images License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0 URL: https://%{name}.io
@@ -37,6 +37,7 @@ Patch0005: backport-fix-CVE-2025-22869.patch Patch0006: backport-fix-CVE-2025-27144.patch Patch0007: backport-fix-CVE-2024-9341.patch Patch0008: backport-fix-CVE-2024-45337.patch +Patch0009: backport-fix-CVE-2024-9407.patch BuildRequires: device-mapper-devel BuildRequires: git-core
@@ -152,6 +153,12 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/* %{_datadir}/%{name}/test %changelog +* Tue Aug 26 2025 Jianmin - 1.34.1-10 +-Type:cve +-CVE:CVE-2024-9407 +-SUG:NA +-DESC:backport CVE-2024-9407 + * Fri Aug 22 2025 Jianmin - 1.34.1-9 -Type:cve -CVE:CVE-2024-45337
-- Gitee
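Review bot: The same six-value allow-list is pasted into both GetBindMount and GetCacheMount, and the comment attached to it (`// this should be the relevant parts of the same list of options we accepted above`) refers to a list that is not in this hunk, so the two copies and that upstream list can silently drift apart — which matters here because this switch is the whole CVE-2024-9407 fix. A single helper that owns the accepted propagation modes, called from both sites, keeps the check in one place; the returned error remains errBadMntOption, so the bats tests' "invalid mount option" match is unaffected (assuming that is errBadMntOption's text, which is outside the hunk). Both GetBindMount and GetCacheMount start and end outside the hunk, so where the helper lives is for the backporter to choose. It is also worth confirming that the list really mirrors the unprefixed options the callers already accept — "unbindable"/"runbindable" are absent, which is presumably deliberate but can only be checked against the code outside this hunk.
```go
// validBindPropagation reports whether v is a propagation mode accepted for
// "bind-propagation=" on bind and cache mounts. Keep it in sync with the
// unprefixed mount options that GetBindMount/GetCacheMount accept.
func validBindPropagation(v string) bool {
	switch v {
	case "shared", "rshared", "private", "rprivate", "slave", "rslave":
		return true
	}
	return false
}

// … unchanged: GetBindMount up to the bind-propagation value check …
		if !validBindPropagation(argValue) {
			return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
		}
		newMount.Options = append(newMount.Options, argValue)
// … unchanged: GetCacheMount, same check with nil as the second return value …
```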