import podman-1.0.0-6.git921f98f.module+el8.3.0+8236+8e428216

SOURCES/podman-1882267.patch

@@ -0,0 +1,23 @@
+From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
+From: Matthew Heon <mheon@redhat.com>
+Date: Thu, 24 Sep 2020 10:42:13 -0400
+Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
+
+Signed-off-by: Matthew Heon <mheon@redhat.com>
+---
+ cmd/podman/sigproxy.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
+index 16861bad04..92d7f4e4a9 100644
+--- a/cmd/podman/sigproxy.go
++++ b/cmd/podman/sigproxy.go
+@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
+ 		for s := range sigBuffer {
+ 			// Ignore SIGCHLD and SIGPIPE - these are mostly likely
+ 			// intended for the podman command itself.
+-			if s == signal.SIGCHLD || s == signal.SIGPIPE {
++			if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
+ 				continue
+ 			}
+ 

SOURCES/podman-CVE-2019-10214.patch

@@ -1,32 +0,0 @@
-diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go
---- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214	2019-09-12 15:16:38.812884788 +0200
-+++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go	2019-09-12 15:16:38.813884801 +0200
-@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
- 		authReq.SetBasicAuth(c.username, c.password)
- 	}
- 	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
--	tr := tlsclientconfig.NewTransport()
--	// TODO(runcom): insecure for now to contact the external token service
--	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
--	client := &http.Client{Transport: tr}
--	res, err := client.Do(authReq)
-+	res, err := c.client.Do(authReq)
- 	if err != nil {
- 		return nil, err
- 	}
-diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go
---- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214	2019-09-12 15:16:38.815884828 +0200
-+++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go	2019-09-12 15:16:38.816884841 +0200
-@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
- 		authReq.SetBasicAuth(c.username, c.password)
- 	}
- 	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
--	tr := tlsclientconfig.NewTransport()
--	// TODO(runcom): insecure for now to contact the external token service
--	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
--	client := &http.Client{Transport: tr}
--	res, err := client.Do(authReq)
-+	res, err := c.client.Do(authReq)
- 	if err != nil {
- 		return nil, err
- 	}

SOURCES/podman-CVE-2020-10696.patch

@@ -0,0 +1,48 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
+--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
++++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
+@@ -12,6 +12,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
++	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ )
+@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}

SPECS/podman.spec

@@ -16,7 +16,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 %bcond_without varlink
 %else
 %bcond_with varlink
-%endif # rhel8 and fedora varlink
+%endif
 
 %global provider github
 %global provider_tld com
@@ -36,13 +36,18 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 
 Name: podman
 Version: 1.0.0
-Release: 4.git%{shortcommit}%{?dist}
+Release: 6.git%{shortcommit}%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0
 URL: %{git_podman}
 Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
 Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
-Patch0: podman-CVE-2019-10214.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+# backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Patch0: podman-CVE-2020-10696.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882267
+# patch:       https://github.com/mheon/libpod/commit/bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea.patch
+Patch1: podman-1882267.patch
 
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 #ExclusiveArch:  %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
@@ -196,15 +201,12 @@ executing %{name} commands, it also creates links between all Docker CLI man
 pages and %{name}.
 
 %prep
-%setup -q -n %{repo}-%{commit}
+%autosetup -Sgit -n %{repo}-%{commit}
 mv pkg/hooks/README.md pkg/hooks/README-hooks.md
 
 # untar cri-o
 tar zxf %{SOURCE1}
 
-# fix CVE-2019-10214
-%patch0 -p2
-
 %build
 mkdir -p $(pwd)/_build
 pushd $(pwd)/_build
@@ -284,12 +286,21 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_mandir}/man1/docker*.1*
 
 %changelog
-* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
+* Thu Sep 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-6.git921f98f
-- rebuild because of CVE-2019-9512 and CVE-2019-9514
+- fix "podman run errors out/segfaults in container-tools-1.0-8.3.0"
-- Resolves: #1766293, #1766321
+- Resolves: #1882267
 
-* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
+* Fri Jun 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-5.git921f98f
-- Fix CVE-2019-10214 (#1734656).
+- bump release to preserve upgrade path
+- Resolves: #1821193
+
+* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
+- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
+- Resolves: #1818122
+
+* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
+- rebuild because of CVE-2019-9512 and CVE-2019-9514
+- Resolves: #1766294, #1766322
 
 * Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
 - rebase