import podman-1.0.0-4.git921f98f.module+el8.2.0+6370+6fb6c8ca
This commit is contained in:
parent
c6b62672c9
commit
4b6dd98e34
@ -1,32 +0,0 @@
|
|||||||
diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go
|
|
||||||
--- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:16:38.812884788 +0200
|
|
||||||
+++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:16:38.813884801 +0200
|
|
||||||
@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
|
|
||||||
authReq.SetBasicAuth(c.username, c.password)
|
|
||||||
}
|
|
||||||
logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
|
|
||||||
- tr := tlsclientconfig.NewTransport()
|
|
||||||
- // TODO(runcom): insecure for now to contact the external token service
|
|
||||||
- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
|
|
||||||
- client := &http.Client{Transport: tr}
|
|
||||||
- res, err := client.Do(authReq)
|
|
||||||
+ res, err := c.client.Do(authReq)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go
|
|
||||||
--- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:16:38.815884828 +0200
|
|
||||||
+++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:16:38.816884841 +0200
|
|
||||||
@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
|
|
||||||
authReq.SetBasicAuth(c.username, c.password)
|
|
||||||
}
|
|
||||||
logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
|
|
||||||
- tr := tlsclientconfig.NewTransport()
|
|
||||||
- // TODO(runcom): insecure for now to contact the external token service
|
|
||||||
- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
|
|
||||||
- client := &http.Client{Transport: tr}
|
|
||||||
- res, err := client.Do(authReq)
|
|
||||||
+ res, err := c.client.Do(authReq)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
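--- /dev/null
+++ b/SOURCES/podman-CVE-2020-10696.patch
@@ -0,0 +1,48 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure. Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+imagebuildah/util.go | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
+--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
++++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
+@@ -12,6 +12,7 @@ import (
+
+"github.com/containers/buildah"
+"github.com/containers/storage/pkg/chrootarchive"
++ "github.com/containers/storage/pkg/ioutils"
+"github.com/pkg/errors"
+"github.com/sirupsen/logrus"
+)
+@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
+}
+dockerfile := filepath.Join(dir, "Dockerfile")
+// Assume this is a Dockerfile
+- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+}
+}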
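Review bot: The patch's `diff -up` header names `a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go`, but the `---`/`+++` lines the strip level is actually applied to point at `a/vendor/github.com/containers//buildah/imagebuildah/util.go…`, with a doubled slash in `containers//buildah`; since the spec on this page switches to `%autosetup -Sgit` (default `-p1`), the header should name the same vendored path, e.g. `diff -up a/vendor/github.com/containers/buildah/imagebuildah/util.go.CVE-2020-10696 b/vendor/github.com/containers/buildah/imagebuildah/util.go`, and the `---`/`+++` lines should drop the doubled slash so the target path is unambiguous. The substantive change, `ioutil.WriteFile` → `ioutils.AtomicWriteFile` on `dockerfile`, matters because a truncating open on a pre-existing symlink at `<dir>/Dockerfile` writes through to the link target, whereas write-to-temp-and-rename replaces the link itself; a short comment above the call, `// AtomicWriteFile replaces, rather than follows, a symlink left at this path (CVE-2020-10696)`, would keep a later cleanup from "simplifying" it back. `downloadToDirectory` starts and ends outside the hunk, so whether `io/ioutil` is still used elsewhere in the file (and its import still needed) cannot be judged from here.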
@ -16,7 +16,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
|
|||||||
%bcond_without varlink
|
%bcond_without varlink
|
||||||
%else
|
%else
|
||||||
%bcond_with varlink
|
%bcond_with varlink
|
||||||
%endif # rhel8 and fedora varlink
|
%endif
|
||||||
|
|
||||||
%global provider github
|
%global provider github
|
||||||
%global provider_tld com
|
%global provider_tld com
|
||||||
@ -42,7 +42,9 @@ License: ASL 2.0
|
|||||||
URL: %{git_podman}
|
URL: %{git_podman}
|
||||||
Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
||||||
Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
|
Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
|
||||||
Patch0: podman-CVE-2019-10214.patch
|
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
|
||||||
|
# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
|
||||||
|
Patch0: podman-CVE-2020-10696.patch
|
||||||
|
|
||||||
# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
|
# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
|
||||||
#ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
|
#ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
|
||||||
@ -196,15 +198,12 @@ executing %{name} commands, it also creates links between all Docker CLI man
|
|||||||
pages and %{name}.
|
pages and %{name}.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{repo}-%{commit}
|
%autosetup -Sgit -n %{repo}-%{commit}
|
||||||
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
|
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
|
||||||
|
|
||||||
# untar cri-o
|
# untar cri-o
|
||||||
tar zxf %{SOURCE1}
|
tar zxf %{SOURCE1}
|
||||||
|
|
||||||
# fix CVE-2019-10214
|
|
||||||
%patch0 -p2
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
mkdir -p $(pwd)/_build
|
mkdir -p $(pwd)/_build
|
||||||
pushd $(pwd)/_build
|
pushd $(pwd)/_build
|
||||||
@ -284,12 +283,13 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
|||||||
%{_mandir}/man1/docker*.1*
|
%{_mandir}/man1/docker*.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
|
* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
|
||||||
- rebuild because of CVE-2019-9512 and CVE-2019-9514
|
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
|
||||||
- Resolves: #1766293, #1766321
|
- Resolves: #1819429
|
||||||
|
|
||||||
* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
|
* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
|
||||||
- Fix CVE-2019-10214 (#1734656).
|
- rebuild because of CVE-2019-9512 and CVE-2019-9514
|
||||||
|
- Resolves: #1766294, #1766322
|
||||||
|
|
||||||
* Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
|
* Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
|
||||||
- rebase
|
- rebase
|
||||||
|
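Review bot: The hunks at `@ -42,7 +42,9 @@` and `@ -196,15 +198,12 @@` replace `Patch0: podman-CVE-2019-10214.patch` with the CVE-2020-10696 patch and delete the `# fix CVE-2019-10214` / `%patch0 -p2` lines while `Source0` still pulls the same `%{commit}` tarball; unless that 921f98f tree already contains the `c.client.Do(authReq)` change, the `InsecureSkipVerify: true` token-service client that the deleted `SOURCES/podman-CVE-2019-10214.patch` removed is rebuilt into the package. The changelog hunk also rewrites the existing 1.0.0-3 entry from `- Fix CVE-2019-10214 (#1734656).` to the CVE-2019-9512/9514 rebuild text, so the history no longer records that fix either. If the fix is still needed, keep the old patch as `Patch1:`; note that `%autosetup -Sgit` applies at `-p1` whereas the old patch's `./libpod-921f98f…/vendor/…` paths needed `-p2`, so it would have to be regenerated with `a/`/`b/` prefixes or applied explicitly with `%patch1 -p2` after `%autosetup -Sgit -N`. The file header for this section is not visible on the page, so I am assuming these hunks belong to the package spec.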