import buildah-1.5-8.gite94b4f9.module+el8.3.0+8236+8e428216

import buildah-1.5-6.gite94b4f9.module+el8.1.0+4908+72a45cef
2021-09-10 09:35:17 +00:00 · 2021-09-10 09:35:08 +00:00 · 2021-09-10 09:34:59 +00:00
3 changed files with 59 additions and 24 deletions
--- a/SOURCES/buildah-CVE-2019-10214.patch
+++ b/SOURCES/buildah-CVE-2019-10214.patch
@ -1,16 +0,0 @@
-diff -up ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go
--- buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214	2019-09-12 16:00:45.509807991 +0200
-+++ buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go	2019-09-12 16:00:45.510808003 +0200
-@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
- 		authReq.SetBasicAuth(c.username, c.password)
- 	}
- 	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
-	tr := tlsclientconfig.NewTransport()
-	// TODO(runcom): insecure for now to contact the external token service
-	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	client := &http.Client{Transport: tr}
-	res, err := client.Do(authReq)
-+	res, err := c.client.Do(authReq)
- 	if err != nil {
- 		return nil, err
- 	}
--- a/SOURCES/buildah-CVE-2020-10696.patch
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@ -0,0 +1,48 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
+--- a/imagebuildah/util.go.CVE-2020-10696
+++ b/imagebuildah/util.go
+@@ -12,6 +12,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
+	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ )
+@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@ -11,7 +11,7 @@
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
 go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%endif # distro
+%endif

 %global provider        github
 %global provider_tld    com
@ -25,12 +25,14 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL

 Name:           %{repo}
 Version:        1.5
-Release:        5.git%{shortcommit}%{?dist}
+Release:        8.git%{shortcommit}%{?dist}
 Summary:        A command line tool used for creating OCI Images
 License:        ASL 2.0
 URL:            https://%{provider_prefix}
 Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Patch0: buildah-CVE-2019-10214.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+# backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Patch0: buildah-CVE-2020-10696.patch
 ExclusiveArch:  x86_64 %{arm} aarch64 ppc64le s390x
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
@ -60,7 +62,6 @@ or
 %prep
 %autosetup -Sgit -n %{name}-%{commit}

-
 %build
 mkdir _build
 pushd _build
@ -92,11 +93,13 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/%{name}

 %changelog
-* Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.5-5.gite94b4f9
- Use autosetup macro again.
+* Thu Jun 25 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-8.gite94b4f9
+- bump release to preserve upgrade path
+- Related: #1821193

-* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
- Fix CVE-2019-10214 (#1734660).
+* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
+- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
+- Resolves: #1818127

 * Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
 - re-enable debuginfo
Author	SHA1	Message	Date
CentOS Sources	7d7542b2ee	import buildah-1.5-8.gite94b4f9.module+el8.3.0+8236+8e428216	2021-09-10 09:35:17 +00:00
CentOS Sources	8baae1d2ab	import buildah-1.5-8.gite94b4f9.module+el8.3.0+8236+8e428216	2021-09-10 09:35:08 +00:00
CentOS Sources	31e89c86c5	import buildah-1.5-6.gite94b4f9.module+el8.1.0+4908+72a45cef	2021-09-10 09:34:59 +00:00