import buildah-1.5-5.gite94b4f9.module+el8.1.0+4241+a7060183
parent
c73af817ba
commit
75f79ab48b
16
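--- /dev/null
+++ b/SOURCES/buildah-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go
+--- buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 16:00:45.509807991 +0200
++++ buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 16:00:45.510808003 +0200
+@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
+authReq.SetBasicAuth(c.username, c.password)
+}
+logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+if err != nil {
+return nil, err
+}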
@ -1,48 +0,0 @@
|
|||||||
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: TomSweeneyRedHat <tsweeney@redhat.com>
|
|
||||||
Date: Tue, 24 Mar 2020 20:10:22 -0400
|
|
||||||
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
|
|
||||||
|
|
||||||
Stealing @nalind 's workaround to avoid refetching
|
|
||||||
content after a file read failure. Under the right
|
|
||||||
circumstances that could be a symlink to a file meant
|
|
||||||
to overwrite a good file with bad data.
|
|
||||||
|
|
||||||
Testing:
|
|
||||||
```
|
|
||||||
goodstuff
|
|
||||||
|
|
||||||
[1] 14901
|
|
||||||
|
|
||||||
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
|
||||||
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
|
||||||
no FROM statement found
|
|
||||||
|
|
||||||
goodstuff
|
|
||||||
```
|
|
||||||
|
|
||||||
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|
||||||
---
|
|
||||||
imagebuildah/util.go | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
|
|
||||||
--- a/imagebuildah/util.go.CVE-2020-10696
|
|
||||||
+++ b/imagebuildah/util.go
|
|
||||||
@@ -12,6 +12,7 @@ import (
|
|
||||||
|
|
||||||
"github.com/containers/buildah"
|
|
||||||
"github.com/containers/storage/pkg/chrootarchive"
|
|
||||||
+ "github.com/containers/storage/pkg/ioutils"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
)
|
|
||||||
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
|
|
||||||
}
|
|
||||||
dockerfile := filepath.Join(dir, "Dockerfile")
|
|
||||||
// Assume this is a Dockerfile
|
|
||||||
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
|
|
||||||
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
|
|
||||||
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
|
|
||||||
}
|
|
||||||
}
|
|
@ -11,7 +11,7 @@
|
|||||||
%if 0%{?rhel} > 7 && ! 0%{?fedora}
|
%if 0%{?rhel} > 7 && ! 0%{?fedora}
|
||||||
%define gobuild(o:) \
|
%define gobuild(o:) \
|
||||||
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
|
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
|
||||||
%endif
|
%endif # distro
|
||||||
|
|
||||||
%global provider github
|
%global provider github
|
||||||
%global provider_tld com
|
%global provider_tld com
|
||||||
@ -25,14 +25,12 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
|
|||||||
|
|
||||||
Name: %{repo}
|
Name: %{repo}
|
||||||
Version: 1.5
|
Version: 1.5
|
||||||
Release: 4.git%{shortcommit}%{?dist}
|
Release: 5.git%{shortcommit}%{?dist}
|
||||||
Summary: A command line tool used for creating OCI Images
|
Summary: A command line tool used for creating OCI Images
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: https://%{provider_prefix}
|
URL: https://%{provider_prefix}
|
||||||
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
||||||
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
|
Patch0: buildah-CVE-2019-10214.patch
|
||||||
# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
|
|
||||||
Patch0: buildah-CVE-2020-10696.patch
|
|
||||||
ExclusiveArch: x86_64 %{arm} aarch64 ppc64le s390x
|
ExclusiveArch: x86_64 %{arm} aarch64 ppc64le s390x
|
||||||
# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
|
# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
|
||||||
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
|
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
|
||||||
@ -62,6 +60,7 @@ or
|
|||||||
%prep
|
%prep
|
||||||
%autosetup -Sgit -n %{name}-%{commit}
|
%autosetup -Sgit -n %{name}-%{commit}
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
mkdir _build
|
mkdir _build
|
||||||
pushd _build
|
pushd _build
|
||||||
@ -93,9 +92,11 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
|
|||||||
%{_datadir}/bash-completion/completions/%{name}
|
%{_datadir}/bash-completion/completions/%{name}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
|
* Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.5-5.gite94b4f9
|
||||||
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
|
- Use autosetup macro again.
|
||||||
- Resolves: #1819431
|
|
||||||
|
* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
|
||||||
|
- Fix CVE-2019-10214 (#1734660).
|
||||||
|
|
||||||
* Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
|
* Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
|
||||||
- re-enable debuginfo
|
- re-enable debuginfo
|
||||||
|
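Review bot: The new side of the Source/Patch block replaces `Patch0: buildah-CVE-2020-10696.patch` with `Patch0: buildah-CVE-2019-10214.patch`, so this 1.5-5 build no longer applies any fix for CVE-2020-10696 (the local file-overwrite in downloadToDirectory), yet the 1.5-5 changelog entry says only "Use autosetup macro again." and does not record dropping it. This looks like an older-stream import (the new changelog entries are dated September 2019) rather than a deliberate regression, but it should be confirmed that el8.1.0 is not expected to carry CVE-2020-10696; if it is, keep both patches, e.g. `Patch1: buildah-CVE-2020-10696.patch` alongside the restored patch file, and add a changelog line such as `- Fix CVE-2020-10696 (#1819431).` Reusing the `Patch0` slot for a different patch also makes the diff harder to audit; distinct numbers per CVE avoid that.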