SUSE-SU-2022:3766-1

Security update for buildah (important)

Published: Oct 26, 2022
Source: lists.opensuse.org

CVSS3: 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

An update that fixes three vulnerabilities is now available.

Description:

This update for buildah fixes the following issues:

  • CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to
    execute arbitrary binaries on the host (bsc#1181961).
  • CVE-2020-10696: Fixed an issue that could lead to files being
    overwritten during the image building process (bsc#1167864).
  • CVE-2022-2990: Fixed possible information disclosure and modification
    (bsc#1202812).

Buildah was updated to version 1.27.1:

  • run: add container gid to additional groups
  • Add fix for CVE-2022-2990 / bsc#1202812

Update to version 1.27.0:

  • Don’t try to call runLabelStdioPipes if spec.Linux is not set
  • build: support filtering cache by duration using --cache-ttl
  • build: support building from commit when using git repo as build context
  • build: clean up git repos correctly when using subdirs
  • integration tests: quote “?” in shell scripts
  • test: manifest inspect should have OCIv1 annotation
  • vendor: bump to c/common@87fab4b7019a
  • Failure to determine a file or directory should print an error
  • refactor: remove unused CommitOptions from generateBuildOutput
  • stage_executor: generate output for cases with no commit
  • stage_executor, commit: output only if last stage in build
  • Use errors.Is() instead of os.Is{Not,}Exist
  • Minor test tweak for podman-remote compatibility
  • Cirrus: Use the latest imgts container
  • imagebuildah: complain about the right Dockerfile
  • tests: don’t try to wrap nil errors
  • cmd/buildah.commitCmd: don’t shadow “err”
  • cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
  • Fix a copy/paste error message
  • Fix a typo in an error message
  • build,cache: support pulling/pushing cache layers to/from remote sources
  • Update vendor of containers/(common, storage, image)
  • Rename chroot/run.go to chroot/run_linux.go
  • Don’t bother telling codespell to skip files that don’t exist
  • Set user namespace defaults correctly for the library
  • imagebuildah: optimize cache hits for COPY and ADD instructions
  • Cirrus: Update VM images w/ updated bats
  • docs, run: show SELinux label flag for cache and bind mounts
  • imagebuildah, build: remove undefined concurrent writes
  • bump github.com/opencontainers/runtime-tools
  • Add FreeBSD support for ‘buildah info’
  • Vendor in latest containers/(storage, common, image)
  • Add freebsd cross build targets
  • Make the jail package build on 32bit platforms
  • Cirrus: Ensure the build-push VM image is labeled
  • GHA: Fix dynamic script filename
  • Vendor in containers/(common, storage, image)
  • Run codespell
  • Remove import of github.com/pkg/errors
  • Avoid using cgo in pkg/jail
  • Rename footypes to fooTypes for naming consistency
  • Move cleanupTempVolumes and cleanupRunMounts to run_common.go
  • Make the various run mounts work for FreeBSD
  • Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
  • Move runSetupRunMounts to run_common.go
  • Move cleanableDestinationListFromMounts to run_common.go
  • Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
  • Move setupMounts and runSetupBuiltinVolumes to run_common.go
  • Tidy up - runMakeStdioPipe can’t be shared with linux
  • Move runAcceptTerminal to run_common.go
  • Move stdio copying utilities to run_common.go
  • Move runUsingRuntime and runCollectOutput to run_common.go
  • Move fileCloser, waitForSync and contains to run_common.go
  • Move checkAndOverrideIsolationOptions to run_common.go
  • Move DefaultNamespaceOptions to run_common.go
  • Move getNetworkInterface to run_common.go
  • Move configureEnvironment to run_common.go
  • Don’t crash in configureUIDGID if Process.Capabilities is nil
  • Move configureUIDGID to run_common.go
  • Move runLookupPath to run_common.go
  • Move setupTerminal to run_common.go
  • Move etc file generation utilities to run_common.go
  • Add run support for FreeBSD
  • Add a simple FreeBSD jail library
  • Add FreeBSD support to pkg/chrootuser
  • Sync call signature for RunUsingChroot with chroot/run.go
  • test: verify feature to resolve basename with args
  • vendor: bump openshift/imagebuilder to master@4151e43
  • GHA: Remove required reserved-name use
  • buildah: set XDG_RUNTIME_DIR before setting default runroot
  • imagebuildah: honor build output even if build container is not committed
  • chroot: honor DefaultErrnoRet
  • [CI:DOCS] improve pull-policy documentation
  • tests: retrofit test since --file does not support dir
  • Switch to golang native error wrapping
  • BuildDockerfiles: error out if path to containerfile is a directory
  • define.downloadToDirectory: fail early if bad HTTP response
  • GHA: Allow re-use of Cirrus-Cron fail-mail workflow
  • add: fail on bad http response instead of writing to container
  • [CI:DOCS] Update buildahimage comment
  • lint: inspectable is never nil
  • vendor: c/common to common@7e1563b
  • build: support OCI hooks for ephemeral build containers
  • [CI:BUILD] Install latest buildah instead of compiling
  • Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
  • Make sure cpp is installed in buildah images
  • demo: use unshare for rootless invocations
  • buildah.spec.rpkg: initial addition
  • build: fix test for subid 4
  • build, userns: add support for --userns=auto
  • Fix building upstream buildah image
  • Remove redundant buildahimages-are-sane validation
  • Docs: Update multi-arch buildah images readme
  • Cirrus: Migrate multiarch build off github actions
  • retrofit-tests: we skip unused stages so use stages
  • stage_executor: don’t rely on stage while looking for additional-context
  • buildkit, multistage: skip computing unwanted stages
  • More test cleanup
  • copier: work around freebsd bug for “mkdir /”
  • Replace $BUILDAH_BINARY with buildah() function
  • Fix up buildah images
  • Make util and copier build on FreeBSD
  • Vendor in latest github.com/sirupsen/logrus
  • Makefile: allow building without .git
  • run_unix: don’t return an error from getNetworkInterface
  • run_unix: return a valid DefaultNamespaceOptions
  • Update vendor of containers/storage
  • chroot: use ActKillThread instead of ActKill
  • use resolvconf package from c/common/libnetwork
  • update c/common to latest main
  • copier: add NoOverwriteNonDirDir option
  • Sort buildoptions and move cli/build functions to internal
  • Fix TODO: de-spaghettify run mounts
  • Move options parsing out of build.go and into pkg/cli
  • [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
  • build, multiarch: support splitting build logs for --platform
  • [CI:BUILD] WIP Cleanup Image Dockerfiles
  • cli remove stutter
  • docker-parity: ignore sanity check if baseImage history is null
  • build, commit: allow disabling image history with --omit-history
  • Fix use generic/ambiguous DEBUG name
  • Cirrus: use Ubuntu 22.04 LTS
  • Fix codespell errors
  • Remove util.StringInSlice because it is defined in containers/common
  • buildah: add support for renaming a device in rootless setups
  • squash: never use build cache when computing last step of last stage
  • Update vendor of containers/(common, storage, image)
  • buildkit: supports additionalBuildContext in builds via --build-context
  • buildah source pull/push: show progress bar
  • run: allow reusing secret twice in different RUN steps
  • test helpers: default to being rootless-aware
  • Add --cpp-flag flag to buildah build
  • build: accept branch and subdirectory when context is git repo
  • Vendor in latest containers/common
  • vendor: update c/storage and c/image
  • Fix gentoo install docs
  • copier: move NSS load to new process
  • Add test for prevention of reusing encrypted layers
  • Make buildah build --label foo create an empty “foo” label again

Update to version 1.26.4:

  • build, multiarch: support splitting build logs for --platform
  • copier: add NoOverwriteNonDirDir option
  • docker-parity: ignore sanity check if baseImage history is null
  • build, commit: allow disabling image history with --omit-history
  • buildkit: supports additionalBuildContext in builds via --build-context
  • Add --cpp-flag flag to buildah build

Update to version 1.26.3:

  • define.downloadToDirectory: fail early if bad HTTP response
  • add: fail on bad http response instead of writing to container
  • squash: never use build cache when computing last step of last stage
  • run: allow reusing secret twice in different RUN steps
  • integration tests: update expected error messages
  • integration tests: quote “?” in shell scripts
  • Use errors.Is() to check for storage errors
  • lint: inspectable is never nil
  • chroot: use ActKillThread instead of ActKill
  • chroot: honor DefaultErrnoRet
  • Set user namespace defaults correctly for the library
  • contrib/rpm/buildah.spec: fix rpm parser warnings

  • Drop requires on apparmor pattern, should be moved elsewhere for systems
    which want AppArmor instead of SELinux.
  • Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is
    required to build.

Update to version 1.26.2:

  • buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

  • Make buildah build --label foo create an empty “foo” label again
  • imagebuildah,build: move deepcopy of args before we spawn goroutine
  • Vendor in containers/storage v1.40.2
  • buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
  • help output: get more consistent about option usage text
  • Handle OS version and features flags
  • buildah build: --annotation and --label should remove values
  • buildah build: add a --env
  • buildah: deep copy options.Args before performing concurrent build/stage
  • test: inline platform and builtinargs behaviour
  • vendor: bump imagebuilder to master/009dbc6
  • build: automatically set correct TARGETPLATFORM where expected
  • Vendor in containers/(common, storage, image)
  • imagebuildah, executor: process arg variables while populating baseMap
  • buildkit: add support for custom build output with --output
  • Cirrus: Update CI VMs to F36
  • fix staticcheck linter warning for deprecated function
  • Fix docs build on FreeBSD
  • copier.unwrapError(): update for Go 1.16
  • copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
  • copier.Put(): write to read-only directories
  • Ed’s periodic test cleanup
  • using consistent lowercase ‘invalid’ word in returned err msg
  • use etchosts package from c/common
  • run: set actual hostname in /etc/hostname to match docker parity
  • Update vendor of containers/(common,storage,image)
  • manifest-create: allow creating manifest list from local image
  • Update vendor of storage,common,image
  • Initialize network backend before first pull
  • oci spec: change special mount points for namespaces
  • tests/helpers.bash: assert handle corner cases correctly
  • buildah: actually use containers.conf settings
  • integration tests: learn to start a dummy registry
  • Fix error check to work on Podman
  • buildah build should accept at most one arg
  • tests: reduce concurrency for flaky bud-multiple-platform-no-run
  • vendor in latest containers/common,image,storage
  • manifest-add: allow override arch,variant while adding image
  • Remove a stray \ from .containerenv
  • Vendor in latest opencontainers/selinux v1.10.1
  • build, commit: allow removing default identity labels
  • Create shorter names for containers based on image IDs
  • test: skip rootless on cgroupv2 in root env
  • fix hang when oci runtime fails
  • Set permissions for GitHub actions
  • copier test: use correct UID/GID in test archives
  • run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap Micro 5.2:

    zypper in -t patch openSUSE-Leap-Micro-5.2-2022-3766=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-3766=1

  • SUSE Linux Enterprise Module for Containers 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2022-3766=1

  • SUSE Linux Enterprise Module for Basesystem 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3766=1

  • SUSE Linux Enterprise Micro 5.2:

    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3766=1

  • SUSE Linux Enterprise Micro 5.1:

    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-3766=1

Affected packages (first 10 of 221 rows; the Package, Version and Filename columns are empty in this listing):

OS                                          | Version | Architecture
openSUSE Leap Micro                         | 5.2     | aarch64
openSUSE Leap Micro                         | 5.2     | x86_64
openSUSE Leap                               | 15.3    | aarch64
openSUSE Leap                               | 15.3    | ppc64le
openSUSE Leap                               | 15.3    | s390x
openSUSE Leap                               | 15.3    | x86_64
openSUSE Leap                               | 15.3    | x86_64
SUSE Linux Enterprise Module for Containers | 15-SP3  | aarch64
SUSE Linux Enterprise Module for Containers | 15-SP3  | ppc64le
SUSE Linux Enterprise Module for Containers | 15-SP3  | s390x
