From b4347a28e510e3bf7c9df1b12dfc9d74f2543635 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Jul 2020 05:04:27 -0400
Subject: [PATCH] import skopeo-0.1.32-6.git1715c90.module+el8.1.0+4903+9bde5d6c
---
 SOURCES/skopeo-CVE-2019-10214.patch | 16 ++++++++++++++++
 SPECS/skopeo.spec | 21 ++++++++++++++++-----
 2 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 SOURCES/skopeo-CVE-2019-10214.patch
diff --git a/SOURCES/skopeo-CVE-2019-10214.patch b/SOURCES/skopeo-CVE-2019-10214.patch
new file mode 100644
index 0000000..8450aaf
--- /dev/null
+++ b/SOURCES/skopeo-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go
+--- ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:41:30.949477994 +0200
++++ ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:41:30.950478007 +0200
+@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec
index d0fb776..fed3152 100644
--- a/SPECS/skopeo.spec
+++ b/SPECS/skopeo.spec
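Review bot: After this change the certificate verification applied to the token request in getBearerToken depends entirely on how `c.client` was built, and nothing at the call site records that. The context line `authReq.SetBasicAuth(c.username, c.password)` shows that registry credentials travel on this request, so if `c.client` is configured elsewhere with verification disabled for the registry (not visible here), the token service would presumably still be contacted unverified. I would add a comment above the call, e.g. `// Reuse c.client: the token service must get the same certificate verification as the registry (CVE-2019-10214).`, and confirm that the `tls` and `tlsclientconfig` imports are still used elsewhere in docker_client.go, since Go rejects unused imports. getBearerToken starts and ends outside the hunk.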
@@ -31,7 +31,7 @@ ExcludeArch: ppc64 %{ix86} Name: %{repo} Epoch: 1 Version: 0.1.32 -Release: 4.git%{shortcommit0}%{?dist} +Release: 6.git%{shortcommit0}%{?dist} Summary: Inspect Docker images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -43,6 +43,7 @@ Source4: registries.conf.5.md Source5: registries.conf Source6: policy.json.5.md Source7: seccomp.json +Patch0: skopeo-CVE-2019-10214.patch BuildRequires: git # If go_compiler is not set to 1, there is no virtual provide. Use golang instead. BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} @@ -73,7 +74,10 @@ This package installs a default signature store configuration and a default policy under `/etc/containers/`. %prep -%autosetup -Sgit -n %{name}-%{commit0} +%setup -q -n %{name}-%{commit0} + +# fix CVE-2019-10214 +%patch0 -p2 %build mkdir -p src/github.com/containers @@ -108,7 +112,7 @@ install -m0644 %{SOURCE3} %{buildroot}%{_datadir}/containers/mounts.conf install -m0644 %{SOURCE7} %{buildroot}%{_datadir}/containers/seccomp.json # install secrets patch directory -install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets +install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets # rhbz#1110876 - update symlinks for subscription management ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm 
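Review bot: The mode change on `%{buildroot}/%{_datadir}/rhel/secrets` from 750 to 755 (hunk at -108) makes the directory listable and traversable by every local user, and the comment above it, `# install secrets patch directory`, does not say why. The entries created right below are symlinks to `%{_sysconfdir}/pki/entitlement` and `%{_sysconfdir}/rhsm`, so after this change access to that material rests only on the permissions of the link targets. I would record the reason next to the line, e.g. `# 755 so non-root users can traverse the directory; the symlink targets keep their own permissions (rhbz#1691543)`, with the wording adjusted to what that bug actually requested.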
@@ -150,9 +154,16 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/bash-completion/completions/%{name} %changelog -* Thu Nov 28 2019 Jindrich Novy - 1:0.1.32-4.git1715c90 +* Tue Nov 26 2019 Jindrich Novy - 1:0.1.32-6.git1715c90 - rebuild because of CVE-2019-9512 and CVE-2019-9514 -- Resolves: #1772130, #1772135 +- Resolves: #1772129, #1772134 + +* Thu Sep 12 2019 Jindrich Novy - 1:0.1.32-5.git1715c90 +- Fix CVE-2019-10214 (#1734658). + +* Fri Aug 16 2019 Jindrich Novy - 1:0.1.32-4.git1715c90 +- fix permissions of rhel/secrets + Resolves: #1691543 * Tue Dec 18 2018 Frantisek Kluknavsky - 1:0.1.32-3.git1715c90 - rebase