6 changed files with 94 additions and 116 deletions
--- a/.crun.metadata
+++ b/.crun.metadata
@ -1 +1 @@
-c79a414d0b980611ba929a7526b7b4c30c2b3b1d SOURCES/crun-0.18.tar.gz
+f112adeb806f3160fbc05c88f902c5c1b039780f SOURCES/crun-1.6.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/crun-0.18.tar.gz
+SOURCES/crun-1.6.tar.gz
--- a/SOURCES/0001-revert-tests-build-init-always-statically.patch
+++ b/SOURCES/0001-revert-tests-build-init-always-statically.patch
@ -1,43 +0,0 @@
 From 320a7ec41342c95fd6bdc500cd207eb0ea5cda6a Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Fri, 19 Feb 2021 13:25:37 +0100
 Subject: [PATCH] Revert "tests: build init always statically"
 This reverts commit a0f322a49a10a014a447b505eda5923a8e6aff7c as it
 causes issues on RHEL 8.
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
 Makefile.am | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
 index e39dc3b..2b8e18b 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -14,7 +14,7 @@ srpm: dist-gzip rpm/crun.spec
 	$(MAKE) -C $(WD) dist-gzip
 	rpmbuild -bs --define "_sourcedir $(WD)" --define "_specdir $(WD)" --define "_builddir $(WD)" --define "_srcrpmdir $(WD)" --define "_rpmdir $(WD)" --define "_buildrootdir $(WD)/.build" rpm/crun.spec
 -CLEANFILES = crun.spec tests/init
 +CLEANFILES = crun.spec
 lib_LTLIBRARIES = libcrun.la
@@ -79,9 +79,9 @@ noinst_PROGRAMS = tests/init $(UNIT_TESTS)
 TESTS_LDADD = libcrun_testing.a $(FOUND_LIBS)
 -tests/init: tests/init.c
 -	$(CC) -static-libgcc --static -o $@ $<
 -EXTRA_DIST += tests/init.c
 +tests_init_LDADD =
 +tests_init_LDFLAGS = -static-libgcc -all-static
 +tests_init_SOURCES = tests/init.c $(UNIT_TESTS)
 tests_tests_libcrun_utils_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src -I $(abs_top_builddir)/src -I $(abs_top_srcdir)/src
 tests_tests_libcrun_utils_SOURCES = tests/tests_libcrun_utils.c
 -- 
 2.29.2
--- a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
@ -1,30 +0,0 @@
 From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Mon, 28 Feb 2022 11:05:18 +0100
 Subject: [PATCH 1/2] spec: do not set inheritable capabilities
 Closes: CVE-2022-27650
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 (cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
 ---
 src/libcrun/container.c | 3 ---
 1 file changed, 3 deletions(-)
 diff --git a/src/libcrun/container.c b/src/libcrun/container.c
 index d3fb017..1e3f3e6 100644
 --- a/src/libcrun/container.c
 +++ b/src/libcrun/container.c
@@ -128,9 +128,6 @@ static char spec_file[] = "\
 				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"inheritable\": [\n\
 -				\"CAP_AUDIT_WRITE\",\n\
 -				\"CAP_KILL\",\n\
 -				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"permitted\": [\n\
 				\"CAP_AUDIT_WRITE\",\n\
 -- 
 2.35.1
--- a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
@ -1,31 +0,0 @@
 From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Mon, 28 Feb 2022 11:06:50 +0100
 Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
 Closes: CVE-2022-27650
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 (cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
 ---
 src/exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/exec.c b/src/exec.c
 index bf6c05f..8c9862d 100644
 --- a/src/exec.c
 +++ b/src/exec.c
@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
           capabilities->effective = exec_options.cap;
           capabilities->effective_len = exec_options.cap_size;
 -          capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
 -          capabilities->inheritable_len = exec_options.cap_size;
 +          capabilities->inheritable = NULL;
 +          capabilities->inheritable_len = 0;
           capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
           capabilities->bounding_len = exec_options.cap_size;
 -- 
 2.35.1
--- a/SPECS/crun.spec
+++ b/SPECS/crun.spec
@ -1,11 +1,8 @@
 Summary: OCI runtime written in C
 Name: crun
-Version: 0.18
+Version: 1.6
-Release: 3%{?dist}
+Release: 1%{?dist}
 Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch0: 0001-revert-tests-build-init-always-statically.patch
 Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
 Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
 License: GPLv2+
 URL: https://github.com/containers/crun
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
@ -24,7 +21,7 @@ BuildRequires: libselinux-devel
 BuildRequires: python3-libmount
 BuildRequires: libtool
 BuildRequires: go-md2man
-Provides: oci-runtime = 2
+Provides: oci-runtime
 %description
 crun is a runtime for running OCI containers
@ -41,7 +38,7 @@ export CFLAGS="%{optflags} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFF
 %install
 %make_install
-rm -rf $RPM_BUILD_ROOT/usr/lib*
+rm -rf %{buildroot}%{_prefix}/lib*
 %files
 %license COPYING
@ -49,14 +46,99 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
-* Tue Apr 05 2022 Jindrich Novy <jnovy@redhat.com> - 0.18-3
+* Fri Sep 09 2022 Jindrich Novy <jnovy@redhat.com> - 1.6-1
- fix CVE-2022-27650
+- update to https://github.com/containers/crun/releases/tag/1.6
 - Related: #2123641
 * Wed Jul 27 2022 Jindrich Novy <jnovy@redhat.com> - 1.5-1
 - update to https://github.com/containers/crun/releases/tag/1.5
 - Related: #2061390
-* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
+* Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1.4.5-1
 - update to https://github.com/containers/crun/releases/tag/1.4.5
 - Related: #2061390
 * Thu Mar 24 2022 Jindrich Novy <jnovy@redhat.com> - 1.4.4-2
 - update to https://github.com/containers/crun/releases/tag/1.4.4
 - Related: #2061390
 * Wed Mar 23 2022 Jindrich Novy <jnovy@redhat.com> - 1.4.4-1
 - update to https://github.com/containers/crun/releases/tag/1.4.4
 - Related: #2061390
 * Fri Mar 11 2022 Jindrich Novy <jnovy@redhat.com> - 1.4.3-1
 - update to https://github.com/containers/crun/releases/tag/1.4.3
 - Related: #2061390
 * Wed Jan 26 2022 Jindrich Novy <jnovy@redhat.com> - 1.4.2-1
 - update to https://github.com/containers/crun/releases/tag/1.4.2
 - Related: #2001445
 * Fri Jan 14 2022 Jindrich Novy <jnovy@redhat.com> - 1.4.1-1
 - update to https://github.com/containers/crun/releases/tag/1.4.1
 - Related: #2001445
 * Wed Dec 22 2021 Jindrich Novy <jnovy@redhat.com> - 1.4-1
 - update to https://github.com/containers/crun/releases/tag/1.4
 - Related: #2001445
 * Mon Nov 15 2021 Jindrich Novy <jnovy@redhat.com> - 1.3-1
 - update to https://github.com/containers/crun/releases/tag/1.3
 - Related: #2001445
 * Mon Oct 11 2021 Jindrich Novy <jnovy@redhat.com> - 1.2-1
 - update to https://github.com/containers/crun/releases/tag/1.2
 - Related: #2001445
 * Mon Sep 27 2021 Jindrich Novy <jnovy@redhat.com> - 1.1-1
 - update to https://github.com/containers/crun/releases/tag/1.1
 - Related: #2001445
 * Thu Aug 26 2021 Jindrich Novy <jnovy@redhat.com> - 1.0-1
 - update to https://github.com/containers/crun/releases/tag/1.0
 - Related: #1934415
 * Fri Aug 06 2021 Jindrich Novy <jnovy@redhat.com> - 0.21-3
 - remove BR: criu-devel and leave it just for RHEL9
 - Related: #1934415
 * Fri Aug 06 2021 Jindrich Novy <jnovy@redhat.com> - 0.21-2
 - do not use versioned provide
 - BR: criu-devel
 - Related: #1934415
 * Tue Jul 27 2021 Jindrich Novy <jnovy@redhat.com> - 0.21-1
 - update to https://github.com/containers/crun/releases/tag/0.21
 - Related: #1934415
 * Thu Jun 10 2021 Jindrich Novy <jnovy@redhat.com> - 0.20.1-1
 - update to https://github.com/containers/crun/releases/tag/0.20.1
 - Related: #1934415
 * Wed Jun 02 2021 Jindrich Novy <jnovy@redhat.com> - 0.20-1
 - update to https://github.com/containers/crun/releases/tag/0.20
 - Related: #1934415
 * Mon Apr 26 2021 Jindrich Novy <jnovy@redhat.com> - 0.19.1-1
 - update to https://github.com/containers/crun/releases/tag/0.19.1
 - Related: #1934415
 * Wed Apr 07 2021 Jindrich Novy <jnovy@redhat.com> - 0.19-2
 - remove unused patch reference from spec
 - Related: #1934415
 * Tue Apr 06 2021 Jindrich Novy <jnovy@redhat.com> - 0.19-1
 - update to https://github.com/containers/crun/releases/tag/0.19
 - Related: #1934415
 * Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-1
 - allow to build without glibc-static (thanks to Giuseppe Scrivano)
 - Related: #1883490
 * Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.17-2
 - reverting back to 0.17 as there's no glibc-static in RHEL
 - Related: #1883490
 * Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-1
 - update to https://github.com/containers/crun/releases/tag/0.18
 - Related: #1883490
`@ -1 +1 @@`
	`c79a414d0b980611ba929a7526b7b4c30c2b3b1d SOURCES/crun-0.18.tar.gz`	`f112adeb806f3160fbc05c88f902c5c1b039780f SOURCES/crun-1.6.tar.gz`
`@ -1 +1 @@`
	`SOURCES/crun-0.18.tar.gz`	`SOURCES/crun-1.6.tar.gz`