import buildah-1.11.6-7.module+el8.2.0+6369+1f4293b4

This commit is contained in:
CentOS Sources 2020-07-28 04:41:03 -04:00 committed by Stepan Oksanichenko
parent 0f5432893d
commit b9a622a02d
5 changed files with 719 additions and 2 deletions

147
SOURCES/2031.patch Normal file
View File

@ -0,0 +1,147 @@
From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 17 Dec 2019 15:24:29 -0500
Subject: [PATCH] Add support for FIPS-Mode backends
If host is running in fips mode, then RHEL8.2 and beyond container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
run_linux.go | 2 +-
2 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index 80ca05016..ee2e9a7c8 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
}
// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
+// Deprecated, Please use SecretMountWithUIDGID
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
}
-// SecretMountsWithUIDGID specifies the uid/gid of the owner
-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
+// mountLabel: MAC/SELinux label for container content
+// containerWorkingDir: Private data for storing secrets on the host mounted in container.
+// mountFile: Additional mount points required for the container.
+// mountPoint: Container image mountpoint
+// uid: to assign to content created for secrets
+// gid: to assign to content created for secrets
+// rootless: indicates whether container is running in rootless mode
+// disableFips: indicates whether system should ignore fips mode
+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
var (
secretMounts []rspec.Mount
mountFiles []string
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
}
for _, file := range mountFiles {
if _, err := os.Stat(file); err == nil {
- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
if err != nil {
logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
}
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
}
} else if os.IsNotExist(err) {
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
// addSecretsFromMountsFile copies the contents of host directory to container directory
// and returns a list of mounts
-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
var mounts []rspec.Mount
defaultMountsPaths := getMounts(filePath)
for _, path := range defaultMountsPaths {
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
}
m := rspec.Mount{
- Source: filepath.Join(mountPrefix, ctrDirOrFile),
+ Source: ctrDirOrFileOnHost,
Destination: ctrDirOrFile,
Type: "bind",
Options: []string{"bind", "rprivate"},
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
// root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
- return errors.Wrapf(err, "making container directory on host failed")
+ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
}
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
- return errors.Wrap(err, "error applying correct labels")
+ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
}
}
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{
- Source: filepath.Join(mountPrefix, secretsDir),
+ Source: ctrDirOnHost,
Destination: secretsDir,
Type: "bind",
Options: []string{"bind", "rprivate"},
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
*mounts = append(*mounts, m)
}
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+ srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if os.IsNotExist(err) {
+ return nil
+ }
+ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
+ }
+
+ if !mountExists(*mounts, destDir) {
+ m := rspec.Mount{
+ Source: srcOnHost,
+ Destination: destDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+ }
+ *mounts = append(*mounts, m)
+ }
return nil
}
diff --git a/run_linux.go b/run_linux.go
index 4c2d73edd..c8e75eada 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
}
// Get the list of secrets mounts.
- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
// Add temporary copies of the contents of volume locations at the
// volume locations, unless we already have something there.

View File

@ -0,0 +1,390 @@
From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <rothberg@redhat.com>
Date: Thu, 6 Feb 2020 09:49:15 +0100
Subject: [PATCH] [1.11-rhel] update github.com/containers/image
Note that this includes fixes for
https://access.redhat.com/security/cve/CVE-2020-1702.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
---
go.mod | 2 +-
go.sum | 2 +
.../image/v5/docker/docker_client.go | 6 +-
.../image/v5/docker/docker_image_dest.go | 3 +-
.../image/v5/docker/docker_image_src.go | 10 ++--
.../image/v5/docker/tarfile/dest.go | 3 +-
.../containers/image/v5/docker/tarfile/src.go | 9 +--
.../image/v5/image/docker_schema2.go | 4 +-
.../containers/image/v5/image/oci.go | 4 +-
.../image/v5/internal/iolimits/iolimits.go | 60 +++++++++++++++++++
.../image/v5/openshift/openshift.go | 4 +-
vendor/modules.txt | 3 +-
12 files changed, 89 insertions(+), 21 deletions(-)
create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
diff --git a/go.mod b/go.mod
index 684b00ff5..b94792238 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.12
require (
github.com/blang/semver v3.5.0+incompatible // indirect
github.com/containernetworking/cni v0.7.1
- github.com/containers/image/v5 v5.0.0
+ github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
github.com/containers/storage v1.14.0
github.com/cyphar/filepath-securejoin v0.2.2
github.com/docker/distribution v2.7.1+incompatible
diff --git a/go.sum b/go.sum
index 1cce3ff7e..ef8729952 100644
--- a/go.sum
+++ b/go.sum
@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg
github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
+github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE=
+github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
index 0b012c703..bff077a40 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
@@ -6,7 +6,6 @@ import (
"encoding/json"
"fmt"
"io"
- "io/ioutil"
"net/http"
"net/url"
"os"
@@ -17,6 +16,7 @@ import (
"time"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/pkg/docker/config"
"github.com/containers/image/v5/pkg/sysregistriesv2"
"github.com/containers/image/v5/pkg/tlsclientconfig"
@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
default:
return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
}
- tokenBlob, err := ioutil.ReadAll(res.Body)
+ tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
if err != nil {
return nil, err
}
@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
}
- body, err := ioutil.ReadAll(res.Body)
+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
index 417d97aec..ce8a1f357 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
@@ -15,6 +15,7 @@ import (
"strings"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
@@ -620,7 +621,7 @@ sigExists:
}
defer res.Body.Close()
if res.StatusCode != http.StatusCreated {
- body, err := ioutil.ReadAll(res.Body)
+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
if err == nil {
logrus.Debugf("Error body %s", string(body))
}
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
index 35beb30e5..5436d9b7d 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
@@ -12,6 +12,7 @@ import (
"strconv"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/sysregistriesv2"
"github.com/containers/image/v5/types"
@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
if res.StatusCode != http.StatusOK {
return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
}
- manblob, err := ioutil.ReadAll(res.Body)
+
+ manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
if err != nil {
return nil, "", err
}
@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
} else if res.StatusCode != http.StatusOK {
return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
}
- sig, err := ioutil.ReadAll(res.Body)
+ sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
if err != nil {
return nil, false, err
}
@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
return err
}
defer get.Body.Close()
- manifestBody, err := ioutil.ReadAll(get.Body)
+ manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
if err != nil {
return err
}
@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
}
defer delete.Body.Close()
- body, err := ioutil.ReadAll(delete.Body)
+ body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
if err != nil {
return err
}
diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
index b02c60bb3..9748ca112 100644
--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
@@ -13,6 +13,7 @@ import (
"time"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/internal/tmpdir"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
}
if isConfig {
- buf, err := ioutil.ReadAll(stream)
+ buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
if err != nil {
return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
}
diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
index ad0a3d2cb..bbf604da6 100644
--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
@@ -11,6 +11,7 @@ import (
"path"
"sync"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/internal/tmpdir"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/compression"
@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
}
// readTarComponent returns full contents of componentPath.
-func (s *Source) readTarComponent(path string) ([]byte, error) {
+func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
file, err := s.openTarComponent(path)
if err != nil {
return nil, errors.Wrapf(err, "Error loading tar component %s", path)
}
defer file.Close()
- bytes, err := ioutil.ReadAll(file)
+ bytes, err := iolimits.ReadAtMost(file, limit)
if err != nil {
return nil, err
}
@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
}
// Read and parse config.
- configBytes, err := s.readTarComponent(tarManifest[0].Config)
+ configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
if err != nil {
return err
}
@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
// loadTarManifest loads and decodes the manifest.json.
func (s *Source) loadTarManifest() ([]ManifestItem, error) {
// FIXME? Do we need to deal with the legacy format?
- bytes, err := s.readTarComponent(manifestFileName)
+ bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
index 254c13f78..29c5047d7 100644
--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
+++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
@@ -7,10 +7,10 @@ import (
"encoding/hex"
"encoding/json"
"fmt"
- "io/ioutil"
"strings"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
return nil, err
}
defer stream.Close()
- blob, err := ioutil.ReadAll(stream)
+ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
index 18a38d463..406da262f 100644
--- a/vendor/github.com/containers/image/v5/image/oci.go
+++ b/vendor/github.com/containers/image/v5/image/oci.go
@@ -4,9 +4,9 @@ import (
"context"
"encoding/json"
"fmt"
- "io/ioutil"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
return nil, err
}
defer stream.Close()
- blob, err := ioutil.ReadAll(stream)
+ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
if err != nil {
return nil, err
}
diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
new file mode 100644
index 000000000..3fed1995c
--- /dev/null
+++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
@@ -0,0 +1,60 @@
+package iolimits
+
+import (
+ "io"
+ "io/ioutil"
+
+ "github.com/pkg/errors"
+)
+
+// All constants below are intended to be used as limits for `ReadAtMost`. The
+// immediate use-case for limiting the size of in-memory copied data is to
+// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
+// copying data until running out of memory, we error out after hitting the
+// specified limit.
+const (
+ // megaByte denotes one megabyte and is intended to be used as a limit in
+ // `ReadAtMost`.
+ megaByte = 1 << 20
+ // MaxManifestBodySize is the maximum allowed size of a manifest. The limit
+ // of 4 MB aligns with the one of a Docker registry:
+ // https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
+ MaxManifestBodySize = 4 * megaByte
+ // MaxAuthTokenBodySize is the maximum allowed size of an auth token.
+ // The limit of 1 MB is considered to be greatly sufficient.
+ MaxAuthTokenBodySize = megaByte
+ // MaxSignatureListBodySize is the maximum allowed size of a signature list.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxSignatureListBodySize = 4 * megaByte
+ // MaxSignatureBodySize is the maximum allowed size of a signature.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxSignatureBodySize = 4 * megaByte
+ // MaxErrorBodySize is the maximum allowed size of an error-response body.
+ // The limit of 1 MB is considered to be greatly sufficient.
+ MaxErrorBodySize = megaByte
+ // MaxConfigBodySize is the maximum allowed size of a config blob.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxConfigBodySize = 4 * megaByte
+ // MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
+ // The limit of 4 MB is considered to be greatly sufficient.
+ MaxOpenShiftStatusBody = 4 * megaByte
+ // MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
+ // The limit of 1 MB is considered to be greatly sufficient.
+ MaxTarFileManifestSize = megaByte
+)
+
+// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
+func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
+ limitedReader := io.LimitReader(reader, int64(limit+1))
+
+ res, err := ioutil.ReadAll(limitedReader)
+ if err != nil {
+ return nil, err
+ }
+
+ if len(res) > limit {
+ return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
+ }
+
+ return res, nil
+}
diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
index 016de4803..c37e1b751 100644
--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
+++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
@@ -7,13 +7,13 @@ import (
"encoding/json"
"fmt"
"io"
- "io/ioutil"
"net/http"
"net/url"
"strings"
"github.com/containers/image/v5/docker"
"github.com/containers/image/v5/docker/reference"
+ "github.com/containers/image/v5/internal/iolimits"
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
"github.com/containers/image/v5/version"
@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
return nil, err
}
defer res.Body.Close()
- body, err := ioutil.ReadAll(res.Body)
+ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
if err != nil {
return nil, err
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 840dae067..3f72f3f34 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types
github.com/containernetworking/cni/pkg/types/020
github.com/containernetworking/cni/pkg/types/current
github.com/containernetworking/cni/pkg/version
-# github.com/containers/image/v5 v5.0.0
+# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
github.com/containers/image/v5/directory/explicitfilepath
@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration
github.com/containers/image/v5/docker/reference
github.com/containers/image/v5/docker/tarfile
github.com/containers/image/v5/image
+github.com/containers/image/v5/internal/iolimits
github.com/containers/image/v5/internal/pkg/keyctl
github.com/containers/image/v5/internal/tmpdir
github.com/containers/image/v5/manifest

View File

@ -0,0 +1,98 @@
From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Wed, 8 Jan 2020 11:02:05 -0500
Subject: [PATCH 1/2] Check for .dockerignore specifically
When generating the list of exclusions to process .dockerignore
contents, don't include .dockerignore if we don't have a .dockerignore
file in the context directory. That way, if the file doesn't exist, and
the caller didn't pass in any patterns, we get no patterns instead of
just one ".dockerignore" pattern, and we can hit the faster copy path.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2072
Approved by: giuseppe
---
add.go | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/add.go b/add.go
index b5119e369..e82a5ef9a 100644
--- a/add.go
+++ b/add.go
@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
if contextDir == "" {
return nil, nil
}
- patterns := []string{".dockerignore"}
+ // If there's no .dockerignore file, then we don't have to add a
+ // pattern to tell copy logic to ignore it later.
+ var patterns []string
+ if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
+ patterns = []string{".dockerignore"}
+ }
for _, ignoreSpec := range lines {
ignoreSpec = strings.TrimSpace(ignoreSpec)
// ignore comments passed back from .dockerignore
@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
}
// if the spec starts with '!' it means the pattern
// should be included. make a note so that we can move
- // it to the front of the updated pattern
+ // it to the front of the updated pattern, and insert
+ // the context dir's path in between
includeFlag := ""
if strings.HasPrefix(ignoreSpec, "!") {
includeFlag = "!"
From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Wed, 8 Jan 2020 11:04:57 -0500
Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
Close source files after we've finished reading from them, rather than
leaving it for later.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #2072
Approved by: giuseppe
---
util.go | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/util.go b/util.go
index b4670e41c..2f923357c 100644
--- a/util.go
+++ b/util.go
@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
if err != nil {
return errors.Wrapf(err, "error opening %q to copy its contents", src)
}
- defer func() {
- if err := f.Close(); err != nil {
- logrus.Debugf("error closing %s: %v", fi.Name(), err)
- }
- }()
}
}
@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
copyErr = err
}
+ if err = srcFile.Close(); err != nil {
+ logrus.Debugf("error closing %s: %v", fi.Name(), err)
+ }
}
if err = writer.Close(); err != nil {
logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
if err == nil {
err = copyErr
}
- f = nil
if pipeWriter != nil {
pipeWriter.Close()
}

View File

@ -0,0 +1,58 @@
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
From: TomSweeneyRedHat <tsweeney@redhat.com>
Date: Tue, 24 Mar 2020 20:10:22 -0400
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
Stealing @nalind 's workaround to avoid refetching
content after a file read failure. Under the right
circumstances that could be a symlink to a file meant
to overwrite a good file with bad data.
Testing:
```
goodstuff
[1] 14901
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
no FROM statement found
goodstuff
```
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
imagebuildah/util.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/imagebuildah/util.go b/imagebuildah/util.go
index 29ea60970..5f14c9883 100644
--- a/imagebuildah/util.go
+++ b/imagebuildah/util.go
@@ -14,6 +14,7 @@ import (
"github.com/containers/buildah"
"github.com/containers/storage/pkg/chrootarchive"
+ "github.com/containers/storage/pkg/ioutils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
}
dockerfile := filepath.Join(dir, "Dockerfile")
// Assume this is a Dockerfile
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
}
}
@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
if err := chrootarchive.Untar(reader, dir, nil); err != nil {
dockerfile := filepath.Join(dir, "Dockerfile")
// Assume this is a Dockerfile
- if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
+ if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
}
}

View File

@ -25,13 +25,23 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Name: %{repo}
Version: 1.11.6
Release: 4%{?dist}
Release: 7%{?dist}
Summary: A command line tool used for creating OCI Images
License: ASL 2.0
URL: https://%{name}.io
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1784952
Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch
Patch2: CVE-2020-1702-1801930.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
Patch3: buildah-1756986.patch
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
# patch: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
Patch4: buildah-CVE-2020-10696.patch
BuildRequires: golang >= 1.12.12-4
BuildRequires: git
BuildRequires: glib2-devel
@ -117,6 +127,20 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
%{_datadir}/%{name}/test
%changelog
* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-7
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
- Resolves: #1819393
* Mon Feb 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-6
- fix "COPY command takes long time with buildah"
- Resolves: #1806118
* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-5
- fix CVE-2020-1702
- Resolves: #1801930
- adding the first phase of FIPS fix
- Related: #1784952
* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
- compile in FIPS mode
- Related: RHELPLAN-25139