Address CVE-2024-3727 by patching vendored github.com/containers/image (#9343)

Author: bfjelds

SPECS/containerized-data-importer/CVE-2024-3727.patch

@@ -0,0 +1,165 @@
+From ea14d57b98cc37decad0c39ccbafb27994274b47 Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Thu, 6 Jun 2024 21:13:36 +0000
+Subject: [PATCH] apply CVE-2024-3727 fix to v5.19.1
+
+---
+ vendor/github.com/containers/image/v5/docker/docker_client.go     |  3 +++
+ vendor/github.com/containers/image/v5/docker/docker_image.go      |  8 ++++++--
+ vendor/github.com/containers/image/v5/docker/docker_image_dest.go | 15 ++++++++++++---
+ vendor/github.com/containers/image/v5/docker/docker_image_src.go  | 19 +++++++++++++++++--
+ vendor/github.com/containers/image/v5/docker/lookaside.go         |  7 +++++--
+ 5 files changed, 43 insertions(+), 9 deletions(-)
+
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
+index 833323b4..99bde923 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
+@@ -796,6 +796,9 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
+ // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
+ // using the original data structures.
+ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
++	if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters
++		return nil, err
++	}
+ 	path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
+ 	res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
+ 	if err != nil {
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
+index c84bb37d..0076d229 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
+@@ -83,8 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
+ 		if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
+ 			return nil, err
+ 		}
+-		tags = append(tags, tagsHolder.Tags...)
+-
++		for _, tag := range tagsHolder.Tags {
++			if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
++				return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
++			}
++			tags = append(tags, tag)
++		}
+ 		link := res.Header.Get("Link")
+ 		if link == "" {
+ 			break
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+index e7af8f93..1096c56f 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+@@ -226,6 +226,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader,
+ // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil);
+ // it returns a non-nil error only on an unexpected failure.
+ func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) {
++	if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters
++		return false, -1, err
++	}
+ 	checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String())
+ 	logrus.Debugf("Checking %s", checkPath)
+ 	res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope)
+@@ -558,8 +561,11 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
+ 
+ 	// NOTE: Keep this in sync with docs/signature-protocols.md!
+ 	for i, signature := range signatures {
+-		url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
+-		err := d.putOneSignature(url, signature)
++		url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
++		if err != nil {
++			return err
++		}
++		err = d.putOneSignature(url, signature)
+ 		if err != nil {
+ 			return err
+ 		}
+@@ -570,7 +576,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
+ 	// is enough for dockerImageSource to stop looking for other signatures, so that
+ 	// is sufficient.
+ 	for i := len(signatures); ; i++ {
+-		url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
++		url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
++		if err != nil {
++			return err
++		}
+ 		missing, err := d.c.deleteOneSignature(url)
+ 		if err != nil {
+ 			return err
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+index 314e9b39..43ca0c4f 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string {
+ // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
+ func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
+ 	if instanceDigest != nil {
++		if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters
++			return nil, "", err
++		}
+ 		return s.fetchManifest(ctx, instanceDigest.String())
+ 	}
+ 	err := s.ensureManifestIsLoaded(ctx)
+@@ -373,6 +376,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
+ 		return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt")
+ 	}
+ 
++	if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
++		return nil, nil, err
++	}
+ 	path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
+ 	logrus.Debugf("Downloading %s", path)
+ 	res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil)
+@@ -425,6 +431,9 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
+ 		}
+ 	}
+ 
++	if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
++		return nil, 0, err
++	}
+ 	path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
+ 	logrus.Debugf("Downloading %s", path)
+ 	res, err := s.c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
+@@ -486,7 +495,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst
+ 	// NOTE: Keep this in sync with docs/signature-protocols.md!
+ 	signatures := [][]byte{}
+ 	for i := 0; ; i++ {
+-		url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
++		url, err := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
++		if err != nil {
++			return nil, err
++		}
+ 		signature, missing, err := s.getOneSignature(ctx, url)
+ 		if err != nil {
+ 			return nil, err
+@@ -627,7 +639,10 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 	}
+ 
+ 	for i := 0; ; i++ {
+-		url := signatureStorageURL(c.signatureBase, manifestDigest, i)
++		url, err := signatureStorageURL(c.signatureBase, manifestDigest, i)
++		if err != nil {
++			return err
++		}
+ 		missing, err := c.deleteOneSignature(url)
+ 		if err != nil {
+ 			return err
+diff --git a/vendor/github.com/containers/image/v5/docker/lookaside.go b/vendor/github.com/containers/image/v5/docker/lookaside.go
+index 515e5932..2e400c09 100644
+--- a/vendor/github.com/containers/image/v5/docker/lookaside.go
++++ b/vendor/github.com/containers/image/v5/docker/lookaside.go
+@@ -229,8 +229,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string {
+ // signatureStorageURL returns an URL usable for accessing signature index in base with known manifestDigest.
+ // base is not nil from the caller
+ // NOTE: Keep this in sync with docs/signature-protocols.md!
+-func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL {
++func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) {
++	if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly.
++		return nil, err
++	}
+ 	url := *base
+ 	url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
+-	return &url
++	return &url, nil
+ }
+-- 
+2.34.1
+

SPECS/containerized-data-importer/containerized-data-importer.spec

@@ -18,7 +18,7 @@
 Summary:        Container native virtualization
 Name:           containerized-data-importer
 Version:        1.55.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -34,6 +34,7 @@ BuildRequires:  sed
 Provides:       cdi = %{version}-%{release}
 ExclusiveArch:  x86_64 aarch64
 Patch0:         CVE-2023-44487.patch
+Patch1:         CVE-2024-3727.patch
 
 %description
 Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes
@@ -201,6 +202,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
 %{_datadir}/cdi/manifests
 
 %changelog
+* Thu Jun 06 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.55.0-19
+- Address CVE-2024-3727 by patching vendored github.com/containers/image
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.55.0-18
 - Bump release to rebuild with go 1.21.11