Skip to content

[release-5.29] Backport #2403 aka CVE-2024-3727#2415

Closed
dcermak wants to merge 6 commits into
containers:release-5.29from
dcermak:backport-2403
Closed

[release-5.29] Backport #2403 aka CVE-2024-3727#2415
dcermak wants to merge 6 commits into
containers:release-5.29from
dcermak:backport-2403

Conversation

@dcermak
Copy link
Copy Markdown
Contributor

@dcermak dcermak commented May 14, 2024

No description provided.

mtrmac added 6 commits May 14, 2024 15:25
@mtrmac @dcermak
Validate the tags returned by a registry
fdda27f 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(cherry picked from commit b724ee7)
@mtrmac @dcermak
Refactor the error handling path of saveStream
99478d5 
Use defer() to remove the temporary file, instead
of duplicating the call.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(cherry picked from commit a802d65)
@mtrmac @dcermak
Refactor the error handling further
594b6da 
Use defer, a nested function, and early returns.

Besides being a bit more directly related to what
we want to achieve, this now does not call decompressed.Close()
on a nil value if DecompressStream fails.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(cherry picked from commit 4a3785d)
@mtrmac @dcermak
Call .Validate() before digest.Digest.String() if necessary
defce3f 
... to prevent unexpected behavior on invalid values.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(cherry picked from commit a9225e4)
@mtrmac @dcermak
Validate digests before using them
043bbda 
If doing it makes sense at all, it should happen before
the values are used.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(cherry picked from commit 2bcb834)
@mtrmac @dcermak
Call .Validate() before digest.Hex() / digest.Encoded()
0745f15 
... to prevent panics if the value does not contain a :, or other unexpected
values (e.g. a path traversal).

Don't bother on paths where we computed the digest ourselves, or it is already trusted
for other reasons.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(cherry picked from commit 39e7c91)
@mtrmac mtrmac mentioned this pull request May 15, 2024
Merged
@mtrmac
Copy link
Copy Markdown
Collaborator

mtrmac commented May 15, 2024

Thanks so much for the backport!

If you don’t mind, I’d prefer the variant in #2418 , where the commit order matches #2404 , making it easier to prove the two match; and the backport is ~1 line smaller.

Either way, I’m very grateful for this PR, because it independently confirms the correctness of the backport.

Alternatively, if you’d like to reorder/update this PR, I’d be happy to merge this one to preserve your credit in the git history.

@mtrmac mtrmac changed the title Backport #2403 aka CVE-2024-3727 [release-5.29] Backport #2403 aka CVE-2024-3727 May 15, 2024
@dcermak
Copy link
Copy Markdown
Contributor Author

dcermak commented May 15, 2024
edited
Loading

Alternatively, if you’d like to reorder/update this PR, I’d be happy to merge this one to preserve your credit in the git history.

Nah, don't worry about it, you did 99% of the work, I just deleted some lines in git conflicts ;-)

@dcermak dcermak closed this May 15, 2024
@dcermak dcermak deleted the backport-2403 branch May 15, 2024 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dcermak @mtrmac