import buildah-1.11.6-9.module+el8.5.0+12239+ec01067b

2021-11-09 04:53:06 -05:00 · 2021-11-09 04:53:06 -05:00 · 9c907f25d6
parent bebf7f1dfb
commit 9c907f25d6
6 changed files with 28 additions and 576 deletions
--- a/.buildah.metadata
+++ b/.buildah.metadata
@ -1 +1 @@
-da35ceecbee25d37313869956f602161fc282153 SOURCES/buildah-9513cb8.tar.gz
+c3f43583c7affe6ffb1d4e812fcd11faf91d8cab SOURCES/release-1.11-rhel-6a746dc.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/buildah-9513cb8.tar.gz
+SOURCES/release-1.11-rhel-6a746dc.tar.gz
--- a/SOURCES/CVE-2020-1702-1801930.patch
+++ b/SOURCES/CVE-2020-1702-1801930.patch
@ -1,390 +0,0 @@
-From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001
-From: Valentin Rothberg <rothberg@redhat.com>
-Date: Thu, 6 Feb 2020 09:49:15 +0100
-Subject: [PATCH] [1.11-rhel] update github.com/containers/image
-
-Note that this includes fixes for
-https://access.redhat.com/security/cve/CVE-2020-1702.
-
-Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
---
- go.mod                                        |  2 +-
- go.sum                                        |  2 +
- .../image/v5/docker/docker_client.go          |  6 +-
- .../image/v5/docker/docker_image_dest.go      |  3 +-
- .../image/v5/docker/docker_image_src.go       | 10 ++--
- .../image/v5/docker/tarfile/dest.go           |  3 +-
- .../containers/image/v5/docker/tarfile/src.go |  9 +--
- .../image/v5/image/docker_schema2.go          |  4 +-
- .../containers/image/v5/image/oci.go          |  4 +-
- .../image/v5/internal/iolimits/iolimits.go    | 60 +++++++++++++++++++
- .../image/v5/openshift/openshift.go           |  4 +-
- vendor/modules.txt                            |  3 +-
- 12 files changed, 89 insertions(+), 21 deletions(-)
- create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
-
-diff --git a/go.mod b/go.mod
-index 684b00ff5..b94792238 100644
--- a/go.mod
-+++ b/go.mod
-@@ -5,7 +5,7 @@ go 1.12
- require (
- 	github.com/blang/semver v3.5.0+incompatible // indirect
- 	github.com/containernetworking/cni v0.7.1
-	github.com/containers/image/v5 v5.0.0
-+	github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
- 	github.com/containers/storage v1.14.0
- 	github.com/cyphar/filepath-securejoin v0.2.2
- 	github.com/docker/distribution v2.7.1+incompatible
-diff --git a/go.sum b/go.sum
-index 1cce3ff7e..ef8729952 100644
--- a/go.sum
-+++ b/go.sum
-@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg
- github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
- github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
- github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
-+github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE=
-+github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
- github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
- github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
- github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
-index 0b012c703..bff077a40 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
-@@ -6,7 +6,6 @@ import (
- 	"encoding/json"
- 	"fmt"
- 	"io"
-	"io/ioutil"
- 	"net/http"
- 	"net/url"
- 	"os"
-@@ -17,6 +16,7 @@ import (
- 	"time"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/pkg/docker/config"
- 	"github.com/containers/image/v5/pkg/sysregistriesv2"
- 	"github.com/containers/image/v5/pkg/tlsclientconfig"
-@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
- 	default:
- 		return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
- 	}
-	tokenBlob, err := ioutil.ReadAll(res.Body)
-+	tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
- 	if err != nil {
- 		return nil, err
- 	}
-@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
- 		return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
- 	}
- 
-	body, err := ioutil.ReadAll(res.Body)
-+	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
- 	if err != nil {
- 		return nil, err
- 	}
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-index 417d97aec..ce8a1f357 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-@@ -15,6 +15,7 @@ import (
- 	"strings"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/pkg/blobinfocache/none"
- 	"github.com/containers/image/v5/types"
-@@ -620,7 +621,7 @@ sigExists:
- 		}
- 		defer res.Body.Close()
- 		if res.StatusCode != http.StatusCreated {
-			body, err := ioutil.ReadAll(res.Body)
-+			body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
- 			if err == nil {
- 				logrus.Debugf("Error body %s", string(body))
- 			}
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-index 35beb30e5..5436d9b7d 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-@@ -12,6 +12,7 @@ import (
- 	"strconv"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/pkg/sysregistriesv2"
- 	"github.com/containers/image/v5/types"
-@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
- 	if res.StatusCode != http.StatusOK {
- 		return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
- 	}
-	manblob, err := ioutil.ReadAll(res.Body)
-+
-+	manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
- 	if err != nil {
- 		return nil, "", err
- 	}
-@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
- 		} else if res.StatusCode != http.StatusOK {
- 			return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
- 		}
-		sig, err := ioutil.ReadAll(res.Body)
-+		sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
- 		if err != nil {
- 			return nil, false, err
- 		}
-@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
- 		return err
- 	}
- 	defer get.Body.Close()
-	manifestBody, err := ioutil.ReadAll(get.Body)
-+	manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
- 	if err != nil {
- 		return err
- 	}
-@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
- 	}
- 	defer delete.Body.Close()
- 
-	body, err := ioutil.ReadAll(delete.Body)
-+	body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
- 	if err != nil {
- 		return err
- 	}
-diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
-index b02c60bb3..9748ca112 100644
--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
-+++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
-@@ -13,6 +13,7 @@ import (
- 	"time"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/internal/tmpdir"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/types"
-@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
- 	}
- 
- 	if isConfig {
-		buf, err := ioutil.ReadAll(stream)
-+		buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
- 		if err != nil {
- 			return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
- 		}
-diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
-index ad0a3d2cb..bbf604da6 100644
--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
-+++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
-@@ -11,6 +11,7 @@ import (
- 	"path"
- 	"sync"
- 
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/internal/tmpdir"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/pkg/compression"
-@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
- }
- 
- // readTarComponent returns full contents of componentPath.
-func (s *Source) readTarComponent(path string) ([]byte, error) {
-+func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
- 	file, err := s.openTarComponent(path)
- 	if err != nil {
- 		return nil, errors.Wrapf(err, "Error loading tar component %s", path)
- 	}
- 	defer file.Close()
-	bytes, err := ioutil.ReadAll(file)
-+	bytes, err := iolimits.ReadAtMost(file, limit)
- 	if err != nil {
- 		return nil, err
- 	}
-@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
- 	}
- 
- 	// Read and parse config.
-	configBytes, err := s.readTarComponent(tarManifest[0].Config)
-+	configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
- 	if err != nil {
- 		return err
- 	}
-@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
- // loadTarManifest loads and decodes the manifest.json.
- func (s *Source) loadTarManifest() ([]ManifestItem, error) {
- 	// FIXME? Do we need to deal with the legacy format?
-	bytes, err := s.readTarComponent(manifestFileName)
-+	bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
- 	if err != nil {
- 		return nil, err
- 	}
-diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
-index 254c13f78..29c5047d7 100644
--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
-+++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
-@@ -7,10 +7,10 @@ import (
- 	"encoding/hex"
- 	"encoding/json"
- 	"fmt"
-	"io/ioutil"
- 	"strings"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/pkg/blobinfocache/none"
- 	"github.com/containers/image/v5/types"
-@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
- 			return nil, err
- 		}
- 		defer stream.Close()
-		blob, err := ioutil.ReadAll(stream)
-+		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
- 		if err != nil {
- 			return nil, err
- 		}
-diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
-index 18a38d463..406da262f 100644
--- a/vendor/github.com/containers/image/v5/image/oci.go
-+++ b/vendor/github.com/containers/image/v5/image/oci.go
-@@ -4,9 +4,9 @@ import (
- 	"context"
- 	"encoding/json"
- 	"fmt"
-	"io/ioutil"
- 
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/pkg/blobinfocache/none"
- 	"github.com/containers/image/v5/types"
-@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
- 			return nil, err
- 		}
- 		defer stream.Close()
-		blob, err := ioutil.ReadAll(stream)
-+		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
- 		if err != nil {
- 			return nil, err
- 		}
-diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
-new file mode 100644
-index 000000000..3fed1995c
--- /dev/null
-+++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
-@@ -0,0 +1,60 @@
-+package iolimits
-+
-+import (
-+	"io"
-+	"io/ioutil"
-+
-+	"github.com/pkg/errors"
-+)
-+
-+// All constants below are intended to be used as limits for `ReadAtMost`. The
-+// immediate use-case for limiting the size of in-memory copied data is to
-+// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
-+// copying data until running out of memory, we error out after hitting the
-+// specified limit.
-+const (
-+	// megaByte denotes one megabyte and is intended to be used as a limit in
-+	// `ReadAtMost`.
-+	megaByte = 1 << 20
-+	// MaxManifestBodySize is the maximum allowed size of a manifest. The limit
-+	// of 4 MB aligns with the one of a Docker registry:
-+	// https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
-+	MaxManifestBodySize = 4 * megaByte
-+	// MaxAuthTokenBodySize is the maximum allowed size of an auth token.
-+	// The limit of 1 MB is considered to be greatly sufficient.
-+	MaxAuthTokenBodySize = megaByte
-+	// MaxSignatureListBodySize is the maximum allowed size of a signature list.
-+	// The limit of 4 MB is considered to be greatly sufficient.
-+	MaxSignatureListBodySize = 4 * megaByte
-+	// MaxSignatureBodySize is the maximum allowed size of a signature.
-+	// The limit of 4 MB is considered to be greatly sufficient.
-+	MaxSignatureBodySize = 4 * megaByte
-+	// MaxErrorBodySize is the maximum allowed size of an error-response body.
-+	// The limit of 1 MB is considered to be greatly sufficient.
-+	MaxErrorBodySize = megaByte
-+	// MaxConfigBodySize is the maximum allowed size of a config blob.
-+	// The limit of 4 MB is considered to be greatly sufficient.
-+	MaxConfigBodySize = 4 * megaByte
-+	// MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
-+	// The limit of 4 MB is considered to be greatly sufficient.
-+	MaxOpenShiftStatusBody = 4 * megaByte
-+	// MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
-+	// The limit of 1 MB is considered to be greatly sufficient.
-+	MaxTarFileManifestSize = megaByte
-+)
-+
-+// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
-+func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
-+	limitedReader := io.LimitReader(reader, int64(limit+1))
-+
-+	res, err := ioutil.ReadAll(limitedReader)
-+	if err != nil {
-+		return nil, err
-+	}
-+
-+	if len(res) > limit {
-+		return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
-+	}
-+
-+	return res, nil
-+}
-diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
-index 016de4803..c37e1b751 100644
--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
-+++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
-@@ -7,13 +7,13 @@ import (
- 	"encoding/json"
- 	"fmt"
- 	"io"
-	"io/ioutil"
- 	"net/http"
- 	"net/url"
- 	"strings"
- 
- 	"github.com/containers/image/v5/docker"
- 	"github.com/containers/image/v5/docker/reference"
-+	"github.com/containers/image/v5/internal/iolimits"
- 	"github.com/containers/image/v5/manifest"
- 	"github.com/containers/image/v5/types"
- 	"github.com/containers/image/v5/version"
-@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
- 		return nil, err
- 	}
- 	defer res.Body.Close()
-	body, err := ioutil.ReadAll(res.Body)
-+	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
- 	if err != nil {
- 		return nil, err
- 	}
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 840dae067..3f72f3f34 100644
--- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types
- github.com/containernetworking/cni/pkg/types/020
- github.com/containernetworking/cni/pkg/types/current
- github.com/containernetworking/cni/pkg/version
-# github.com/containers/image/v5 v5.0.0
-+# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
- github.com/containers/image/v5/copy
- github.com/containers/image/v5/directory
- github.com/containers/image/v5/directory/explicitfilepath
-@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration
- github.com/containers/image/v5/docker/reference
- github.com/containers/image/v5/docker/tarfile
- github.com/containers/image/v5/image
-+github.com/containers/image/v5/internal/iolimits
- github.com/containers/image/v5/internal/pkg/keyctl
- github.com/containers/image/v5/internal/tmpdir
- github.com/containers/image/v5/manifest
--- a/SOURCES/buildah-1756986.patch
+++ b/SOURCES/buildah-1756986.patch
@ -1,98 +0,0 @@
-From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Wed, 8 Jan 2020 11:02:05 -0500
-Subject: [PATCH 1/2] Check for .dockerignore specifically
-
-When generating the list of exclusions to process .dockerignore
-contents, don't include .dockerignore if we don't have a .dockerignore
-file in the context directory.  That way, if the file doesn't exist, and
-the caller didn't pass in any patterns, we get no patterns instead of
-just one ".dockerignore" pattern, and we can hit the faster copy path.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
-
-Closes: #2072
-Approved by: giuseppe
---
- add.go | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/add.go b/add.go
-index b5119e369..e82a5ef9a 100644
--- a/add.go
-+++ b/add.go
-@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
- 	if contextDir == "" {
- 		return nil, nil
- 	}
-	patterns := []string{".dockerignore"}
-+	// If there's no .dockerignore file, then we don't have to add a
-+	// pattern to tell copy logic to ignore it later.
-+	var patterns []string
-+	if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
-+		patterns = []string{".dockerignore"}
-+	}
- 	for _, ignoreSpec := range lines {
- 		ignoreSpec = strings.TrimSpace(ignoreSpec)
- 		// ignore comments passed back from .dockerignore
-@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
- 		}
- 		// if the spec starts with '!' it means the pattern
- 		// should be included. make a note so that we can move
-		// it to the front of the updated pattern
-+		// it to the front of the updated pattern, and insert
-+		// the context dir's path in between
- 		includeFlag := ""
- 		if strings.HasPrefix(ignoreSpec, "!") {
- 			includeFlag = "!"
-
-From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
-From: Nalin Dahyabhai <nalin@redhat.com>
-Date: Wed, 8 Jan 2020 11:04:57 -0500
-Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
-
-Close source files after we've finished reading from them, rather than
-leaving it for later.
-
-Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
-
-Closes: #2072
-Approved by: giuseppe
---
- util.go | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/util.go b/util.go
-index b4670e41c..2f923357c 100644
--- a/util.go
-+++ b/util.go
-@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
- 				if err != nil {
- 					return errors.Wrapf(err, "error opening %q to copy its contents", src)
- 				}
-				defer func() {
-					if err := f.Close(); err != nil {
-						logrus.Debugf("error closing %s: %v", fi.Name(), err)
-					}
-				}()
- 			}
- 		}
- 
-@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
- 					logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
- 					copyErr = err
- 				}
-+				if err = srcFile.Close(); err != nil {
-+					logrus.Debugf("error closing %s: %v", fi.Name(), err)
-+				}
- 			}
- 			if err = writer.Close(); err != nil {
- 				logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
-@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
- 		if err == nil {
- 			err = copyErr
- 		}
-		f = nil
- 		if pipeWriter != nil {
- 			pipeWriter.Close()
- 		}
--- a/SOURCES/buildah-CVE-2020-10696.patch
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@ -1,58 +0,0 @@
-From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
-From: TomSweeneyRedHat <tsweeney@redhat.com>
-Date: Tue, 24 Mar 2020 20:10:22 -0400
-Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
-
-Stealing @nalind 's workaround to avoid refetching
-content after a file read failure.  Under the right
-circumstances that could be a symlink to a file meant
-to overwrite a good file with bad data.
-
-Testing:
-```
-goodstuff
-
-[1] 14901
-
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-no FROM statement found
-
-goodstuff
-```
-
-Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
- imagebuildah/util.go | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/imagebuildah/util.go b/imagebuildah/util.go
-index 29ea60970..5f14c9883 100644
--- a/imagebuildah/util.go
-+++ b/imagebuildah/util.go
-@@ -14,6 +14,7 @@ import (
- 
- 	"github.com/containers/buildah"
- 	"github.com/containers/storage/pkg/chrootarchive"
-+	"github.com/containers/storage/pkg/ioutils"
- 	"github.com/opencontainers/runtime-spec/specs-go"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
-@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
- 		}
- 		dockerfile := filepath.Join(dir, "Dockerfile")
- 		// Assume this is a Dockerfile
-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
-+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
- 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
- 		}
- 	}
-@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
- 	if err := chrootarchive.Untar(reader, dir, nil); err != nil {
- 		dockerfile := filepath.Join(dir, "Dockerfile")
- 		// Assume this is a Dockerfile
-		if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
-+		if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
- 			return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
- 		}
- 	}
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@ -1,49 +1,37 @@
-%global with_debug 1
 %global with_bundled 1

-%if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
-%else
-%global debug_package %{nil}
-%endif

 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v %{?**};
+%else
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v %{?**};
+%endif
 %endif

-%global provider github
-%global provider_tld com
-%global project containers
-%global repo buildah
-# https://github.com/containers/buildah
-%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
-%global git0 https://%{import_path}
-%global commit0 9513cb8c7bec0f7789c696aee4d252ebf85194cc
+%global import_path github.com/containers/buildah
+%global branch release-1.11-rhel
+%global commit0 6a746dc0ee433f54f9842ba49cf5aa5c08a65967
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

-Name: %{repo}
+Name: buildah
 Version: 1.11.6
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
-# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
 ExcludeArch: i686
-Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+%if 0%{?branch:1}
+Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
+%else
+Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
+%endif
 Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1784952
 Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
-# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch
-Patch2: CVE-2020-1702-1801930.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
-# backported:  https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
-Patch3: buildah-1756986.patch
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
-# patch:       https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
-Patch4: buildah-CVE-2020-10696.patch
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: glib2-devel
@ -82,14 +70,18 @@ Requires: golang
 This package contains system tests for %{name}

 %prep
+%if 0%{?branch:1}
+%autosetup -Sgit -n containers-%{name}-%{shortcommit0}
+%else
 %autosetup -Sgit -n %{name}-%{commit0}
+%endif
 sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
 sed -i '/docs install/d' Makefile

 %build
 mkdir _build
 pushd _build
-mkdir -p src/%{provider}.%{provider_tld}/%{project}
+mkdir -p src/github.com/containers
 ln -s $(dirs +1 -l) src/%{import_path}
 popd

@ -129,6 +121,12 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/%{name}/test

 %changelog
+* Tue Aug 17 2021 Jindrich Novy <jnovy@redhat.com> - 1.11.6-9
+- update to the latest content of https://github.com/containers/buildah/tree/release-1.11-rhel
+  (https://github.com/containers/buildah/commit/6a746dc)
+- fixes CVE-2021-3602
+- Related: #1977942
+
 * Thu Jul 16 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-8
 - exclude i686 arch
 - Related: #1821193