import podman-1.0.0-4.git921f98f.module+el8.1.0+4908+72a45cef

SOURCES/podman-CVE-2019-10214.patch

@@ -0,0 +1,32 @@
+diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go
+--- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214	2019-09-12 15:16:38.812884788 +0200
++++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go	2019-09-12 15:16:38.813884801 +0200
+@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
+ 		authReq.SetBasicAuth(c.username, c.password)
+ 	}
+ 	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+-	tr := tlsclientconfig.NewTransport()
+-	// TODO(runcom): insecure for now to contact the external token service
+-	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+-	client := &http.Client{Transport: tr}
+-	res, err := client.Do(authReq)
++	res, err := c.client.Do(authReq)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go
+--- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214	2019-09-12 15:16:38.815884828 +0200
++++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go	2019-09-12 15:16:38.816884841 +0200
+@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
+ 		authReq.SetBasicAuth(c.username, c.password)
+ 	}
+ 	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+-	tr := tlsclientconfig.NewTransport()
+-	// TODO(runcom): insecure for now to contact the external token service
+-	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+-	client := &http.Client{Transport: tr}
+-	res, err := client.Do(authReq)
++	res, err := c.client.Do(authReq)
+ 	if err != nil {
+ 		return nil, err
+ 	}

SPECS/podman.spec

@@ -36,12 +36,13 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 
 Name: podman
 Version: 1.0.0
-Release: 3.git%{shortcommit}%{?dist}
+Release: 4.git%{shortcommit}%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0
 URL: %{git_podman}
 Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
 Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
+Patch0: podman-CVE-2019-10214.patch
 
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 #ExclusiveArch:  %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
@@ -195,12 +196,15 @@ executing %{name} commands, it also creates links between all Docker CLI man
 pages and %{name}.
 
 %prep
-%autosetup -Sgit -n %{repo}-%{commit}
+%setup -q -n %{repo}-%{commit}
 mv pkg/hooks/README.md pkg/hooks/README-hooks.md
 
 # untar cri-o
 tar zxf %{SOURCE1}
 
+# fix CVE-2019-10214
+%patch0 -p2
+
 %build
 mkdir -p $(pwd)/_build
 pushd $(pwd)/_build
@@ -280,9 +284,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_mandir}/man1/docker*.1*
 
 %changelog
-* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
+* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
 - rebuild because of CVE-2019-9512 and CVE-2019-9514
-- Resolves: #1766294, #1766322
+- Resolves: #1766293, #1766321
+
+* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
+- Fix CVE-2019-10214 (#1734656).
 
 * Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
 - rebase