5 changed files with 436 additions and 2292 deletions
--- a/.buildah.metadata
+++ b/.buildah.metadata
@ -1 +1 @@
-09993f8aad3024403e1e2aa76aa3d11d1023cceb SOURCES/release-1.24-7b559a3.tar.gz
+d3fcf1950a92f35210dc390cde164f6e428826d1 SOURCES/buildah-e94b4f9.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/release-1.24-7b559a3.tar.gz
+SOURCES/buildah-e94b4f9.tar.gz
--- a/SOURCES/buildah-CVE-2020-10696.patch
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@ -0,0 +1,48 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
+--- a/imagebuildah/util.go.CVE-2020-10696
+++ b/imagebuildah/util.go
+@@ -12,6 +12,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
+	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ )
+@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}
--- a/SOURCES/fix-bash-syntax.patch
+++ b/SOURCES/fix-bash-syntax.patch
@ -1,45 +0,0 @@
-From eedab4fd872c3be8ab15af767897f92c78a71fde Mon Sep 17 00:00:00 2001
-From: Lokesh Mandvekar <lsm5@fedoraproject.org>
-Date: Mon, 21 Feb 2022 14:58:40 -0500
-Subject: [PATCH] helpers.bash: Use correct syntax
-
-Fixes gating test failure:
-```
- /usr/share/buildah/test/system/./helpers.bash: line 474: !is_cgroupsv2: command not found
- ```
-
-Co-authored-by: Yiqiao Pu <ypu@redhat.com>
-
-I'm just the committer.
-
-Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
---
- tests/helpers.bash | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tests/helpers.bash b/tests/helpers.bash
-index bd2794c974..3e72108bec 100644
--- a/tests/helpers.bash
-+++ b/tests/helpers.bash
-@@ -433,9 +433,9 @@ function skip_if_rootless() {
- ##################################
- function skip_if_rootless_and_cgroupv1() {
-     if test "$BUILDAH_ISOLATION" = "rootless"; then
-	if !is_cgroupsv2; then
-		skip "${1:-test does not work when \$BUILDAH_ISOLATION = rootless} and not cgroupv2"
-	fi
-+        if ! is_cgroupsv2; then
-+            skip "${1:-test does not work when \$BUILDAH_ISOLATION = rootless} and not cgroupv2"
-+        fi
-     fi
- }
- 
-@@ -471,7 +471,7 @@ function skip_if_cgroupsv2() {
- #  skip_if_cgroupsv1  #  Some tests don't work with cgroupsv1
- #######################
- function skip_if_cgroupsv1() {
-    if !is_cgroupsv2; then
-+    if ! is_cgroupsv2; then
-         skip "${1:-test does not work with cgroups v1}"
-     fi
- }
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec