diff --git a/.bubblewrap.metadata b/.bubblewrap.metadata
index 20239a1..2385f9b 100644
--- a/.bubblewrap.metadata
+++ b/.bubblewrap.metadata
@@ -1 +1 @@
-00e121950ea494fcd9cfbe23971c0938d6be6755 SOURCES/bubblewrap-0.4.1.tar.xz
+16b93012c83abca438639beef74d77264e433c0d SOURCES/bubblewrap-0.6.3.tar.xz
diff --git a/.gitignore b/.gitignore
index cb13d4c..7cae112 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bubblewrap-0.4.1.tar.xz
+SOURCES/bubblewrap-0.6.3.tar.xz
diff --git a/SOURCES/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch b/SOURCES/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
deleted file mode 100644
index 9a11a57..0000000
--- a/SOURCES/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d70c640aecc30e9216dc1a614a207e85c8732036 Mon Sep 17 00:00:00 2001
-From: Colin Walters
-Date: Thu, 27 May 2021 16:19:27 -0400
-Subject: [PATCH] Avoid memory leak if --args is specified multiple times
-
-Found by a static analyzer.
-
-```
-bubblewrap-0.4.1/bubblewrap.c:1500: overwrite_var: Overwriting "opt_args_data" in "opt_args_data = load_file_data(the_fd, &data_len)" leaks the storage that "opt_args_data" points to.
- # 1498| * keep allocated until exit time, since its argv entries get used
- # 1499| * by the other cases in parse_args_recurse() when we recurse. */
- # 1500|-> opt_args_data = load_file_data (the_fd, &data_len);
- # 1501| if (opt_args_data == NULL)
- # 1502| die_with_error ("Can't read --args data");
-```
----
- bubblewrap.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/bubblewrap.c b/bubblewrap.c
-index 771e1ea..56ac07c 100644
---- a/bubblewrap.c
-+++ b/bubblewrap.c
-@@ -1494,6 +1494,12 @@ parse_args_recurse (int *argcp,
- if (argv[1][0] == 0 || endptr[0] != 0 || the_fd < 0)
- die ("Invalid fd: %s", argv[1]);
-
-+ /* Specifying --args multiple times doesn't work; this just pacifies
-+ * a static analyzer which pointed out the memory leak
-+ */
-+ if (opt_args_data != NULL)
-+ free (opt_args_data);
-+
- /* opt_args_data is essentially a recursive argv array, which we must
- * keep allocated until exit time, since its argv entries get used
- * by the other cases in parse_args_recurse() when we recurse. */
---
-2.31.1
-
diff --git a/SPECS/bubblewrap.spec b/SPECS/bubblewrap.spec
index d8d7f65..73f3746 100644
--- a/SPECS/bubblewrap.spec
+++ b/SPECS/bubblewrap.spec
@@ -1,21 +1,18 @@
 Name: bubblewrap
-Version: 0.4.1
-Release: 6%{?dist}
+Version: 0.6.3
+Release: 1%{?dist}
 Summary: Core execution tool for unprivileged containers
-License: LGPLv2+
-#VCS: git:https://github.com/projectatomic/bubblewrap
-URL: https://github.com/projectatomic/bubblewrap
-Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
+License: LGPL-2.0-or-later
+URL: https://github.com/containers/bubblewrap/
+Source0: https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-BuildRequires: autoconf automake libtool
 BuildRequires: gcc
-BuildRequires: libcap-devel
-BuildRequires: pkgconfig(libselinux)
-BuildRequires: libxslt
 BuildRequires: docbook-style-xsl
-BuildRequires: make
+BuildRequires: meson
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: /usr/bin/xsltproc
 %description
 Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
@@ -23,30 +20,43 @@ containers that works as a setuid binary on kernels without user namespaces.
 %prep
-%autosetup
+%autosetup -p1
 %build
-if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
-%configure --disable-silent-rules --with-priv-mode=none
-%make_build
+%meson -Dman=enabled
+%meson_build
 %install
-%make_install INSTALL="install -p -c"
-find %{buildroot} -name '*.la' -delete -print
+%meson_install
 %files
 %license COPYING
+%doc README.md
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/bwrap
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_bwrap
 %if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
 %attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
 %else
 %{_bindir}/bwrap
 %endif
-%{_mandir}/man1/*
+%{_mandir}/man1/bwrap.1*
 %changelog
+* Fri Aug 30 2024 Joseph Marrero - 0.6.3-1
+- Rebase to 0.6.3 which is supported upstream
+  This release also includes the fix for CVE-2024-42472
+  Fixes: #RHEL-56797
+
+* Fri Aug 30 2024 Kalev Lember - 0.4.1-8
+- Backport upstream fix to help address CVE-2024-42472 in flatpak
+
+* Fri Mar 15 2024 Daan De Meyer - 0.4.1-7
+- Backport https://github.com/containers/bubblewrap/commit/4c35d7a5f92499d6ed646d4a5ffad9acc10cb432
+
 * Mon Aug 09 2021 Mohan Boddu - 0.4.1-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688
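Review bot: The new `%meson -Dman=enabled` line in %build drops the explicit `--with-priv-mode=none` that the removed `%configure` line carried, so the privilege mode of the installed bwrap now rests on the meson option's default rather than on anything the spec states. If that default resolves to a setuid build (an upstream `priv_mode` option whose default I cannot verify from here), the package would ship a setuid-root /usr/bin/bwrap on RHEL 8+ where %files deliberately installs it as a plain `%{_bindir}/bwrap` with no %attr or %caps — a material privilege change for a sandboxing tool that previously built unprivileged. Pin it explicitly, `%meson -Dman=enabled -Dpriv_mode=none`, so a future change of the upstream default cannot silently widen privilege; a `%check` guard such as `test ! -u %{buildroot}%{_bindir}/bwrap` would make the build fail loudly if it ever does. The %changelog line attributing the CVE-2024-42472 fix to 0.6.3 is consistent with the rebase, but note the spec now carries no patches at all, so that claim rests entirely on the upstream tarball recorded in .bubblewrap.metadata.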