[release-1.51] Backport ignore chown errors in additionalimagestore

fix the detection for the maximum userns size from an image.

If the maximum ID used in an image is X, we need to use a user
namespace with size X+1 to include UID=X.

Closes: #2104

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

the alpine image defines a "nogroup":

$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:

ignore it as we are already doing for the "nobody" user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

We need to read /etc/passwd and /etc/group in the container to
get an idea of how many UIDs and GIDs we need to allocate for a
user namespace when `--userns=auto` is specified. We were forming
paths for these using filepath.Join, which is not safe for paths
within a container, resulting in this CVE allowing crafted
symlinks in the container to access paths on the host instead.

Cherry-pick conflict fixed for v1.51 branch, and converted to use
the old securejoin API (securejoin.SecureJoin and then os.Open)
as this branch is too old to have the new API.

Addresses CVE-2024-9676

Signed-off-by: Matt Heon <mheon@redhat.com>

Signed-off-by: Matt Heon <mheon@redhat.com>

[release-1.51] Backport CVE-2024-9676 fix

As the title says.  Bumping the version to fix CVE-2024-9676 in this
branch.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>