From 879b877db3607f50b8d1b30d096b1882b7aba65c Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Tue, 10 Jun 2025 14:16:46 +0200
Subject: [PATCH 3/3] CVE-2025-6032: machine init: fix tls check

Ensure we verify the TLS connection when pulling the OCI image.

Bugs: bsc#1245320
Fixes: CVE-2025-6032

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
 pkg/machine/ocipull/ociartifact.go | 2 +-
 pkg/machine/ocipull/pull.go        | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/machine/ocipull/ociartifact.go b/pkg/machine/ocipull/ociartifact.go
index e144689ffe53..75154437e9ae 100644
--- a/pkg/machine/ocipull/ociartifact.go
+++ b/pkg/machine/ocipull/ociartifact.go
@@ -224,7 +224,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
 	}
 	fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
 	sysCtx := &types.SystemContext{
-		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
+		DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
 	}
 	imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
 	if err != nil {
diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
index 0822578e8a96..85cf5c18ec73 100644
--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
@@ -21,8 +21,8 @@ import (
 // PullOptions includes data to alter certain knobs when pulling a source
 // image.
 type PullOptions struct {
-	// Require HTTPS and verify certificates when accessing the registry.
-	TLSVerify bool
+	// Skip TLS verification when accessing the registry.
+	SkipTLSVerify types.OptionalBool
 	// [username[:password] to use when connecting to the registry.
 	Credentials string
 	// Quiet the progress bars when pushing.
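Review bot: The new comment on `SkipTLSVerify` does not record the property this fix actually relies on: the zero value of `types.OptionalBool` is `OptionalBoolUndefined`, so a caller that leaves the field unset now gets certificate verification, whereas the old `TLSVerify bool` zero value was negated into `DockerInsecureSkipTLSVerify: true` at both use sites (the `NewOptionalBool(!...TLSVerify)` lines removed in ociartifact.go and pull.go). Suggest extending the field comment to `// Skip TLS verification when accessing the registry. The zero value (types.OptionalBoolUndefined) leaves verification enabled, which is the safe default.` so the next change to this struct does not reintroduce an unsafe default. Callers outside this patch that deliberately set `TLSVerify: false` would presumably now need `SkipTLSVerify: types.OptionalBoolTrue`; the rename turns that into a compile error rather than a silent behaviour change, which is worth one sentence in the commit message. The PullOptions struct continues past the end of this hunk.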
@@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
 	}
 
 	sysCtx := &types.SystemContext{
-		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
+		DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
 	}
 	if options.Credentials != "" {
 		authConf, err := parse.AuthConfig(options.Credentials)
-- 
2.49.0

