2 files changed, 62 insertions, 0 deletions
diff --git a/recipes-containers/podman/podman/CVE-2025-6032.patch b/recipes-containers/podman/podman/CVE-2025-6032.patch
new file mode 100644
index 00000000..b3733e3b
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2025-6032.patch
@@ -0,0 +1,61 @@
+From 1569c209829530b1f42e8c2fce851de8003ab3fe Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Tue, 10 Jun 2025 14:16:46 +0200
+Subject: [PATCH] machine init: fix tls check
+Ensure we verify the TLS connection when pulling the OCI image.
+Fixes: CVE-2025-6032
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+(cherry picked from commit 726b506acc8a00d99f1a3a1357ecf619a1f798c3)
+CVE: CVE-2025-6032
+Upstream-Status: Backport [https://github.com/containers/podman/commit/1569c209829530b1f42e8c2fce851de8003ab3fe]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ pkg/machine/ocipull/ociartifact.go | 2 +-
+ pkg/machine/ocipull/pull.go        | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
+index 6c48be1e89..7bc8186caa 100644
+--- a/pkg/machine/ocipull/ociartifact.go
+++ b/pkg/machine/ocipull/ociartifact.go
+@@ -169,7 +169,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
+        }
+        fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
+        sysCtx := &types.SystemContext{
+-               DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
+               DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
+        }
+        imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
+        if err != nil {
+diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
+index 0822578e8a..85cf5c18ec 100644
+--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
+@@ -21,8 +21,8 @@ import (
+ // PullOptions includes data to alter certain knobs when pulling a source
+ // image.
+ type PullOptions struct {
+-       // Require HTTPS and verify certificates when accessing the registry.
+-       TLSVerify bool
+       // Skip TLS verification when accessing the registry.
+       SkipTLSVerify types.OptionalBool
+        // [username[:password] to use when connecting to the registry.
+        Credentials string
+        // Quiet the progress bars when pushing.
+@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
+        }
+        sysCtx := &types.SystemContext{
+-               DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+               DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
+        }
+        if options.Credentials != "" {
+                authConf, err := parse.AuthConfig(options.Credentials)
+--
+2.40.0
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 8b4f0680..2018c74d 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -23,6 +23,7 @@ SRC_URI = " \
    ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
    file://run-ptest \
    file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
+    file://CVE-2025-6032.patch;patchdir=src/import \
 "
 LICENSE = "Apache-2.0"

diff --git a/recipes-containers/podman/podman/CVE-2025-6032.patch b/recipes-containers/podman/podman/CVE-2025-6032.patch new file mode 100644 index 00000000..b3733e3b --- /dev/null +++ b/recipes-containers/podman/podman/CVE-2025-6032.patch
@@ -0,0 +1,61 @@
		1	From 1569c209829530b1f42e8c2fce851de8003ab3fe Mon Sep 17 00:00:00 2001
		2	From: Paul Holzinger <pholzing@redhat.com>
		3	Date: Tue, 10 Jun 2025 14:16:46 +0200
		4	Subject: [PATCH] machine init: fix tls check
		5
		6	Ensure we verify the TLS connection when pulling the OCI image.
		7
		8	Fixes: CVE-2025-6032
		9
		10	Signed-off-by: Paul Holzinger <pholzing@redhat.com>
		11	(cherry picked from commit 726b506acc8a00d99f1a3a1357ecf619a1f798c3)
		12
		13	CVE: CVE-2025-6032
		14
		15	Upstream-Status: Backport [https://github.com/containers/podman/commit/1569c209829530b1f42e8c2fce851de8003ab3fe]
		16
		17	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		18	---
		19	pkg/machine/ocipull/ociartifact.go \| 2 +-
		20	pkg/machine/ocipull/pull.go \| 6 +++---
		21	2 files changed, 4 insertions(+), 4 deletions(-)
		22
		23	diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
		24	index 6c48be1e89..7bc8186caa 100644
		25	--- a/pkg/machine/ocipull/ociartifact.go
		26	+++ b/pkg/machine/ocipull/ociartifact.go
		27	@@ -169,7 +169,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
		28	}
		29	fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
		30	sysCtx := &types.SystemContext{
		31	- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
		32	+ DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
		33	}
		34	imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
		35	if err != nil {
		36	diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
		37	index 0822578e8a..85cf5c18ec 100644
		38	--- a/pkg/machine/ocipull/pull.go
		39	+++ b/pkg/machine/ocipull/pull.go
		40	@@ -21,8 +21,8 @@ import (
		41	// PullOptions includes data to alter certain knobs when pulling a source
		42	// image.
		43	type PullOptions struct {
		44	- // Require HTTPS and verify certificates when accessing the registry.
		45	- TLSVerify bool
		46	+ // Skip TLS verification when accessing the registry.
		47	+ SkipTLSVerify types.OptionalBool
		48	// [username[:password] to use when connecting to the registry.
		49	Credentials string
		50	// Quiet the progress bars when pushing.
		51	@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
		52	}
		53
		54	sysCtx := &types.SystemContext{
		55	- DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
		56	+ DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
		57	}
		58	if options.Credentials != "" {
		59	authConf, err := parse.AuthConfig(options.Credentials)
		60	--
		61	2.40.0


diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb index 8b4f0680..2018c74d 100644 --- a/recipes-containers/podman/podman_git.bb +++ b/recipes-containers/podman/podman_git.bb
@@ -23,6 +23,7 @@ SRC_URI = " \
23	${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \	23	${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
24	file://run-ptest \	24	file://run-ptest \
25	file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \	25	file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
		26	file://CVE-2025-6032.patch;patchdir=src/import \
26	"	27	"
27		28
28	LICENSE = "Apache-2.0"	29	LICENSE = "Apache-2.0"