Update to 0.0.99.4

... and fix CVE-2022-3064. Resolves: #2164980, #2165743
2023-04-05 20:04:01 +02:00 · 2023-04-05 20:04:01 +02:00 · 2c2481e1f5
parent ac6e4bf827
commit 2c2481e1f5
10 changed files with 301 additions and 2500 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 SOURCES/toolbox-0.0.99.3-vendored.tar.xz
 /toolbox-0.0.99.3-vendored.tar.xz
+/toolbox-0.0.99.4-vendored.tar.xz
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (toolbox-0.0.99.3-vendored.tar.xz) = 7e8f45c2cfa6981a6cbf9ac7ae0be9527a0d7159c57b46ca576d7e3212858c004291dd4edf2f4d4fd1792fc1118d650fb9af21d2ffbaba921aadcbfa06e24578
+SHA512 (toolbox-0.0.99.4-vendored.tar.xz) = 882cd6ec1c1a193af8774dfdfd0aff72d376c4fec3e0cc702e2d524353c051e408eab2ac3fb43ec00fe622b46ac89fdbe97aca2f7cfbe3822e5d3ff1743f2fd0
--- a/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch
+++ b/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch
@ -1,4 +1,4 @@
-From cc15d0ac76fa77a2fa0f3c73e1a3ed4e7ceb2b29 Mon Sep 17 00:00:00 2001
+From d461caa5b1a278124d039df93140d2d5bf4eabe7 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Wed, 18 Aug 2021 17:55:21 +0200
 Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST
@ -10,22 +10,22 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1940037
 1 file changed, 1 insertion(+)

 diff --git a/src/cmd/run.go b/src/cmd/run.go
-index 5954eac55fad..ca363815d4c9 100644
+index 7657ffa50821..23d422623b14 100644
 --- a/src/cmd/run.go
 +++ b/src/cmd/run.go
-@@ -441,6 +441,7 @@ func constructExecArgs(container string,
- 	execArgs = append(execArgs, detachKeys...)
+@@ -501,6 +501,7 @@ func constructExecArgs(container, preserveFDs string,
+ 	execArgs = append(execArgs, envOptions...)
 
 	execArgs = append(execArgs, []string{
 +		"--env", "HOST=/run/host",
 		"--interactive",
- 		"--tty",
- 		"--user", currentUser.Username,
+ 		"--preserve-fds", preserveFDs,
+ 	}...)
 -- 
-2.39.1
+2.39.2


-From a47cd46e0ca32b8af0ea8181c856ce2a8d8307fd Mon Sep 17 00:00:00 2001
+From 3c2c67752e8f88f72058799cbce3612fc937b230 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Fri, 10 Dec 2021 13:42:15 +0100
 Subject: [PATCH 2/2] test/system: Update to test the migration path for
@ -42,10 +42,10 @@ ca899c8a561f357ae32c6ba6813520fd8b682abb and the parts of commit
 create mode 100644 test/system/100-root.bats

 diff --git a/test/system/002-help.bats b/test/system/002-help.bats
-index 689f95e472a1..525d44431ee5 100644
+index 7e4565e9d23d..58a4c2c87ece 100644
 --- a/test/system/002-help.bats
 +++ b/test/system/002-help.bats
-@@ -8,17 +8,6 @@ setup() {
+@@ -23,17 +23,6 @@ setup() {
   _setup_environment
 }
 
@ -97,5 +97,5 @@ index 000000000000..32d87904213e
 +  skip "Testing of entering toolboxes is not implemented"
 +}
 -- 
-2.39.1
+2.39.2

--- a/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
+++ b/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
@ -0,0 +1,89 @@
+From fc5f568c5d82f4a16982268fa67092e52be91fbe Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <rishi@fedoraproject.org>
+Date: Tue, 28 Feb 2023 17:12:04 +0100
+Subject: [PATCH] cmd/root: Don't use podman(1) when generating the completions
+
+Ever since commit bafbbe81c9220cb3, the shell completions are generated
+while building Toolbx using the 'completion' command.  This involves
+running toolbox(1) itself, and hence invoking 'podman version' to decide
+if 'podman system migrate' is needed or not.
+
+Unfortunately, some build environments, like Fedora's, are set up inside
+a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may
+not work because it does various things with namespaces(7) and clone(2)
+that can, under certain circumstances, encounter an EPERM.
+
+Therefore, it's better to avoid using podman(1) when generating the
+shell completions, especially, since they are generated by Cobra itself
+and podman(1) is not involved at all.
+
+Note that podman(1) is needed when the generated shell completions are
+actually used in interactive command line environments.  The shell
+completions invoke the hidden '__complete' command to get the results
+that are presented to the user, and, if needed, 'podman system migrate'
+will continue to be run as part of that.
+
+This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011
+because podman(1) is now only an optional runtime dependency for the
+system tests.
+
+https://github.com/containers/podman/issues/17657
+---
+ meson.build     | 2 +-
+ src/cmd/root.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 6f044bb204e3..653a3d3ac588 100644
+--- a/meson.build
+++ b/meson.build
+@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h'])
+ 
+ go = find_program('go')
+ go_md2man = find_program('go-md2man')
+-podman = find_program('podman')
+ 
+ bats = find_program('bats', required: false)
+ codespell = find_program('codespell', required: false)
+ htpasswd = find_program('htpasswd', required: false)
+ openssl = find_program('openssl', required: false)
+podman = find_program('podman', required: false)
+ shellcheck = find_program('shellcheck', required: false)
+ skopeo = find_program('skopeo', required: false)
+ 
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index 304b03dcd889..9975ccc7a4c8 100644
+--- a/src/cmd/root.go
+++ b/src/cmd/root.go
+@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error {
+ 
+ 	logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath)
+ 
+-	if err := migrate(); err != nil {
+	if err := migrate(cmd, args); err != nil {
+ 		return err
+ 	}
+ 
+@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error {
+ 	return rootRunImpl(cmd, args)
+ }
+ 
+-func migrate() error {
+func migrate(cmd *cobra.Command, args []string) error {
+ 	logrus.Debug("Migrating to newer Podman")
+ 
+ 	if utils.IsInsideContainer() {
+ 		return nil
+ 	}
+ 
+	if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
+		logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName)
+		return nil
+	}
+
+ 	configDir, err := os.UserConfigDir()
+ 	if err != nil {
+ 		logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err)
+-- 
+2.39.1
+
--- a/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch
+++ b/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch
@ -0,0 +1,149 @@
+From 52de8d4a933ab6a4b1b6ef1c02c7e9f1f834c4a5 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <rishi@fedoraproject.org>
+Date: Wed, 1 Mar 2023 19:41:56 +0100
+Subject: [PATCH 1/3] cmd/root: Sprinkle a debug log
+
+https://github.com/containers/toolbox/pull/1251
+---
+ src/cmd/root.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index 304b03dcd889..82fbfd651c33 100644
+--- a/src/cmd/root.go
+++ b/src/cmd/root.go
+@@ -215,6 +215,7 @@ func migrate() error {
+ 	logrus.Debug("Migrating to newer Podman")
+ 
+ 	if utils.IsInsideContainer() {
+		logrus.Debug("Migration not needed: running inside a container")
+ 		return nil
+ 	}
+ 
+-- 
+2.39.2
+
+
+From 0beab62c935cd1166d6b03f58c519bbc7b040221 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <rishi@fedoraproject.org>
+Date: Wed, 1 Mar 2023 19:46:11 +0100
+Subject: [PATCH 2/3] cmd/root: Shuffle some code around and sprinkle some
+ debug logs
+
+Having a separate convenience function reduces the indentation levels by
+at least one, and sometimes two, and makes it easy to have more detailed
+debug logs.
+
+This will make the subsequent commit easier to read.
+
+https://github.com/containers/toolbox/issues/1246
+---
+ src/cmd/root.go | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index 82fbfd651c33..4c740ec60d38 100644
+--- a/src/cmd/root.go
+++ b/src/cmd/root.go
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright © 2019 – 2022 Red Hat Inc.
+ * Copyright © 2019 – 2023 Red Hat Inc.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error {
+ 	if !utils.IsInsideContainer() {
+ 		logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion)
+ 
+-		if currentUser.Uid != "0" {
+-			logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username)
+-
+-			if _, err := utils.ValidateSubIDRanges(currentUser); err != nil {
+-				logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
+-				return newSubIDError()
+-			}
+		if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil {
+			return err
+ 		}
+ 	}
+ 
+@@ -387,3 +382,24 @@ func setUpLoggers() error {
+ 
+ 	return nil
+ }
+
+func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) {
+	logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username)
+
+	if user.Uid == "0" {
+		logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username)
+		return true, nil
+	}
+
+	if utils.IsInsideContainer() {
+		logrus.Debug("Look-up not needed: running inside a container")
+		return true, nil
+	}
+
+	if _, err := utils.ValidateSubIDRanges(user); err != nil {
+		logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
+		return false, newSubIDError()
+	}
+
+	return true, nil
+}
+-- 
+2.39.2
+
+
+From d09c9cd1de41b6e85a6953902c9982778a423f3c Mon Sep 17 00:00:00 2001
+From: Jan Zerebecki <jan.suse@zerebecki.de>
+Date: Wed, 1 Mar 2023 19:52:28 +0100
+Subject: [PATCH 3/3] cmd/root: Don't validate subordinate IDs when generating
+ the completions
+
+Ever since commit bafbbe81c9220cb3, the shell completions are generated
+while building Toolbx using the 'completion' command.  This involves
+running toolbox(1) itself, and hence validating the subordinate user and
+group ID ranges.
+
+Unfortunately, some build environments, like openSUSE's, don't have
+subordinate ID ranges set up.  Therefore, it's better to not validate
+the subordinate ID ranges when generating the shell completions, since
+they are generated by Cobra itself and subordinate ID ranges are not
+involved at all.
+
+Note that subordinate ID ranges may be needed when the generated shell
+completions are actually used in interactive command line environments.
+The shell completions invoke the hidden '__complete' command to get the
+results that are presented to the user, and, if needed, the subordinate
+ID ranges will continue to be used by podman(1) as part of that.
+
+Some changes by Debarshi Ray.
+
+https://github.com/containers/toolbox/issues/1246
+https://github.com/containers/toolbox/pull/1249
+---
+ src/cmd/root.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index 4c740ec60d38..efee8ce9990b 100644
+--- a/src/cmd/root.go
+++ b/src/cmd/root.go
+@@ -396,6 +396,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo
+ 		return true, nil
+ 	}
+ 
+	if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
+		logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName)
+		return true, nil
+	}
+
+ 	if _, err := utils.ValidateSubIDRanges(user); err != nil {
+ 		logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
+ 		return false, newSubIDError()
+-- 
+2.39.2
+
--- a/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
+++ b/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
@ -1,16 +1,8 @@
-From 024cf19e52544814cdee80693a6dc12b5a92943c Mon Sep 17 00:00:00 2001
+From c943fe330ddfb91b94efb22a450e491316d2173c Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
-Subject: [PATCH] build: Make the build flags match RHEL's %{gobuild} for PPC64
-
-The Go toolchain doesn't play well with passing compiler and linker
-flags via environment variables. The linker flags require a second
-level of quoting, which leaves the build system without a quote level
-to assign the flags to an environment variable like GOFLAGS.
-
-This is one reason why RHEL doesn't have a RPM macro with only the
-flags. The %{gobuild} RPM macro includes the entire 'go build ...'
-invocation.
+Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags} for
+ PPC64

 The Go toolchain also doesn't like the LDFLAGS environment variable as
 exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
@ -18,28 +10,28 @@ like the compressed DWARF data generated by the Go toolchain.

 Note that these flags are only meant for the "ppc64" CPU architecture,
 and should be kept updated to match RHEL's Go guidelines. Use
-'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
+'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro.
 ---
 src/go-build-wrapper | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index ef4aafc8b024..00d7e9fca0e0 100755
+index c572d6dfb02b..1addef1f186b 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -32,9 +32,9 @@ if ! cd "$1"; then
+@@ -33,9 +33,9 @@ if ! cd "$1"; then
     exit 1
 fi
 
 -tags=""
-+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
- if $6; then
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-},libtrust_openssl"
+ if $7; then
 -    tags="-tags migration_path_for_coreos_toolbox"
 +    tags="$tags,migration_path_for_coreos_toolbox"
 fi
 
- if ! libc_dir=$("$4" --print-file-name=libc.so); then
-@@ -69,11 +69,16 @@ fi
+ if ! libc_dir=$("$5" --print-file-name=libc.so); then
+@@ -70,11 +70,16 @@ fi
 
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
 
@ -50,14 +42,14 @@ index ef4aafc8b024..00d7e9fca0e0 100755
 +        -compiler gc \
         $tags \
 -        -trimpath \
-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
-+        -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
+        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
 +        -a \
 +        -v \
 +        -x \
-         -o "$2/toolbox"
+         -o "$2/$3"
 
 exit "$?"
 -- 
-2.31.1
+2.39.2

--- a/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
+++ b/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
@ -1,45 +1,36 @@
-From 89129bd096c8bfac4ff84fc19726898cc901c1fc Mon Sep 17 00:00:00 2001
+From 606f135e4900c7d808341515b74811e3a3714cff Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
-Subject: [PATCH] build: Make the build flags match RHEL's %{gobuild}
+Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags}

-The Go toolchain doesn't play well with passing compiler and linker
-flags via environment variables. The linker flags require a second
-level of quoting, which leaves the build system without a quote level
-to assign the flags to an environment variable like GOFLAGS.
-
-This is one reason why RHEL doesn't have a RPM macro with only the
-flags. The %{gobuild} RPM macro includes the entire 'go build ...'
-invocation.
-
-The Go toolchain also doesn't like the LDFLAGS environment variable as
+The Go toolchain doesn't like the LDFLAGS environment variable as
 exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
 like the compressed DWARF data generated by the Go toolchain.

 Note that these flags are meant for every CPU architecture other than
 PPC64, and should be kept updated to match RHEL's Go guidelines. Use
-'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
+'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro.
 ---
 src/go-build-wrapper | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index ef4aafc8b024..e82e42ca8151 100755
+index c572d6dfb02b..c492a4e73445 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -32,9 +32,9 @@ if ! cd "$1"; then
+@@ -33,9 +33,9 @@ if ! cd "$1"; then
     exit 1
 fi
 
 -tags=""
-+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
- if $6; then
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-},libtrust_openssl"
+ if $7; then
 -    tags="-tags migration_path_for_coreos_toolbox"
 +    tags="$tags,migration_path_for_coreos_toolbox"
 fi
 
- if ! libc_dir=$("$4" --print-file-name=libc.so); then
-@@ -69,11 +69,17 @@ fi
+ if ! libc_dir=$("$5" --print-file-name=libc.so); then
+@@ -70,11 +70,17 @@ fi
 
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
 
@ -51,14 +42,14 @@ index ef4aafc8b024..e82e42ca8151 100755
 +        -compiler gc \
         $tags \
 -        -trimpath \
-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
-+        -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
+        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
 +        -a \
 +        -v \
 +        -x \
-         -o "$2/toolbox"
+         -o "$2/$3"
 
 exit "$?"
 -- 
-2.31.1
+2.39.2

--- a/toolbox-Support-RHEL-9-containers.patch
+++ b/toolbox-Support-RHEL-9-containers.patch
@ -1,211 +0,0 @@
-From 9bffb4630b2fc026fe32ddcb2674499c863aac32 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
-Date: Sat, 8 Jan 2022 19:53:53 +0200
-Subject: [PATCH 1/3] pkg/utils: Use new UBI toolbox image
-
-Red Hat has published a new UBI image made specificaly for Toolbx.
-Make use of it from now on.
-
-Fixes: https://github.com/containers/toolbox/issues/961
-
-https://github.com/containers/toolbox/issues/976
-(cherry picked from commit f456c173b6fd69ad390a419d23dafcf3f25b15a8)
---
- src/pkg/utils/utils.go        | 2 +-
- test/system/libs/helpers.bash | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
-index ab59afc22283..3119fee74375 100644
--- a/src/pkg/utils/utils.go
-+++ b/src/pkg/utils/utils.go
-@@ -104,7 +104,7 @@ var (
- 		},
- 		"rhel": {
- 			"rhel-toolbox",
-			"ubi",
-+			"toolbox",
- 			parseReleaseRHEL,
- 			"registry.access.redhat.com",
- 			"ubi8",
-diff --git a/test/system/libs/helpers.bash b/test/system/libs/helpers.bash
-index 548c4c0e745f..e29273a644dd 100644
--- a/test/system/libs/helpers.bash
-+++ b/test/system/libs/helpers.bash
-@@ -18,7 +18,7 @@ readonly SKOPEO=$(command -v skopeo)
- # Images
- declare -Ag IMAGES=([busybox]="quay.io/toolbox_tests/busybox" \
-                    [fedora]="registry.fedoraproject.org/fedora-toolbox" \
-                   [rhel]="registry.access.redhat.com/ubi8")
-+                   [rhel]="registry.access.redhat.com/ubi8/toolbox")
- 
- 
- function cleanup_all() {
-- 
-2.39.1
-
-
-From 643384caf11050a1e8d694176a6e09d732461975 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <rishi@fedoraproject.org>
-Date: Sun, 29 Jan 2023 09:41:16 +0100
-Subject: [PATCH 2/3] pkg/utils: Be more strict about what is acceptable
-
-https://github.com/containers/toolbox/issues/1065
-(cherry picked from commit 262c90e06fdb91e0b693fae33a519eb2756de75b)
---
- src/pkg/utils/utils.go | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
-index 3119fee74375..b4c012e8fe3a 100644
--- a/src/pkg/utils/utils.go
-+++ b/src/pkg/utils/utils.go
-@@ -1,5 +1,5 @@
- /*
- * Copyright © 2019 – 2021 Red Hat Inc.
-+ * Copyright © 2019 – 2023 Red Hat Inc.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -278,6 +278,19 @@ func GetEnvOptionsForPreservedVariables() []string {
- func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
- 	logrus.Debugf("Resolving fully qualified name for image %s from known registries", image)
- 
-+	if image == "" {
-+		panic("image not specified")
-+	}
-+
-+	if release == "" {
-+		panic("release not specified")
-+	}
-+
-+	if tag := ImageReferenceGetTag(image); tag != "" && release != tag {
-+		panicMsg := fmt.Sprintf("image %s does not match release %s", image, release)
-+		panic(panicMsg)
-+	}
-+
- 	if ImageReferenceHasDomain(image) {
- 		return image, nil
- 	}
-- 
-2.39.1
-
-
-From 1ce213fabb3321937421404350e57f376cb9134d Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <rishi@fedoraproject.org>
-Date: Sun, 29 Jan 2023 09:47:13 +0100
-Subject: [PATCH 3/3] pkg/utils: Support RHEL 9 Toolbx containers
-
-The URLs for the RHEL Toolbx images based on the Red Hat Universal Base
-Images (or UBI) are a bit more complicated to construct, in comparison
-to the URLs for Fedora's fedora-toolbox images.  It's not enough to just
-concatenate the registry, the image's basename and the release.  Some
-parts of the URL depend on the release's major number, which requires
-custom code.
-
-So far, the release's major number was hard coded to 8 since only RHEL 8
-Toolbx containers were supported.
-
-To support other RHEL major releases, it's necessary to have custom code
-to construct the URLs for the Toolbx images.
-
-https://github.com/containers/toolbox/issues/1065
-(cherry picked from commit 0a29b374e649437126d8bbe12707fb44d20073d3)
---
- src/pkg/utils/utils.go | 47 +++++++++++++++++++++---------------------
- 1 file changed, 23 insertions(+), 24 deletions(-)
-
-diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
-index b4c012e8fe3a..4e4abeca4817 100644
--- a/src/pkg/utils/utils.go
-+++ b/src/pkg/utils/utils.go
-@@ -38,15 +38,14 @@ import (
- 	"golang.org/x/sys/unix"
- )
- 
-+type GetFullyQualifiedImageFunc func(string, string) string
- type ParseReleaseFunc func(string) (string, error)
- 
- type Distro struct {
- 	ContainerNamePrefix    string
- 	ImageBasename          string
-+	GetFullyQualifiedImage GetFullyQualifiedImageFunc
- 	ParseRelease           ParseReleaseFunc
-	Registry               string
-	Repository             string
-	RepositoryNeedsRelease bool
- }
- 
- const (
-@@ -97,18 +96,14 @@ var (
- 		"fedora": {
- 			"fedora-toolbox",
- 			"fedora-toolbox",
-+			getFullyQualifiedImageFedora,
- 			parseReleaseFedora,
-			"registry.fedoraproject.org",
-			"",
-			false,
- 		},
- 		"rhel": {
- 			"rhel-toolbox",
- 			"toolbox",
-+			getFullyQualifiedImageRHEL,
- 			parseReleaseRHEL,
-			"registry.access.redhat.com",
-			"ubi8",
-			false,
- 		},
- 	}
- )
-@@ -305,21 +300,8 @@ func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
- 			continue
- 		}
- 
-		var repository string
-
-		if distroObj.RepositoryNeedsRelease {
-			repository = fmt.Sprintf(distroObj.Repository, release)
-		} else {
-			repository = distroObj.Repository
-		}
-
-		imageFull := distroObj.Registry
-
-		if repository != "" {
-			imageFull = imageFull + "/" + repository
-		}
-
-		imageFull = imageFull + "/" + image
-+		getFullyQualifiedImageImpl := distroObj.GetFullyQualifiedImage
-+		imageFull := getFullyQualifiedImageImpl(image, release)
- 
- 		logrus.Debugf("Resolved image %s to %s", image, imageFull)
- 
-@@ -329,6 +311,23 @@ func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
- 	return "", fmt.Errorf("failed to resolve image %s", image)
- }
- 
-+func getFullyQualifiedImageFedora(image, release string) string {
-+	imageFull := "registry.fedoraproject.org/" + image
-+	return imageFull
-+}
-+
-+func getFullyQualifiedImageRHEL(image, release string) string {
-+	i := strings.IndexRune(release, '.')
-+	if i == -1 {
-+		panicMsg := fmt.Sprintf("release %s not in '<major>.<minor>' format", release)
-+		panic(panicMsg)
-+	}
-+
-+	releaseMajor := release[:i]
-+	imageFull := "registry.access.redhat.com/ubi" + releaseMajor + "/" + image
-+	return imageFull
-+}
-+
- // GetGroupForSudo returns the name of the sudoers group.
- //
- // Some distros call it 'sudo' (eg. Ubuntu) and some call it 'wheel' (eg. Fedora).
-- 
-2.39.1
-
--- a/toolbox-Unbreak-sorting-and-clearly-identify-copied-images-in-list.patch
+++ b/toolbox-Unbreak-sorting-and-clearly-identify-copied-images-in-list.patch
--- a/toolbox.spec
+++ b/toolbox.spec
@ -2,33 +2,27 @@

 # RHEL's RPM toolchain doesn't like the compressed DWARF data generated by the
 # Go toolchain.
-%global _dwz_low_mem_die_limit 0
-%global _find_debuginfo_dwz_opts %{nil}
+#%%global _dwz_low_mem_die_limit 0
+#%%global _find_debuginfo_dwz_opts %%{nil}

 Name:          toolbox
-Version:       0.0.99.3
+Version:       0.0.99.4

 %global goipath github.com/containers/%{name}
 %gometa

-Release:       7%{?dist}
+Release:       1%{?dist}
 Summary:       Tool for containerized command line environments on Linux

 License:       ASL 2.0
 URL:           https://containertoolbx.org/

-# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz
-# A vendored tarball was created from the upstream tarball:
-# $ cd src
-# $ go mod vendor
-Source0:       %{name}-%{version}-vendored.tar.xz
+Source0:       https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz
 Source1:       %{name}.conf

-# https://bugzilla.redhat.com/show_bug.cgi?id=2152907
-Patch0:        toolbox-Unbreak-sorting-and-clearly-identify-copied-images-in-list.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=2165610
-Patch1:        toolbox-Support-RHEL-9-containers.patch
+# Upstream
+Patch0:        toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
+Patch1:        toolbox-Don-t-validate-subordinate-IDs-when-generat.patch

 # RHEL specific
 Patch100:      toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
@ -40,6 +34,8 @@ BuildRequires: golang >= 1.19.4
 BuildRequires: /usr/bin/go-md2man
 BuildRequires: meson >= 0.58.0
 BuildRequires: pkgconfig(bash-completion)
+BuildRequires: shadow-utils-subid-devel
+BuildRequires: systemd
 BuildRequires: systemd-rpm-macros

 Requires:      containers-common
@ -67,7 +63,6 @@ The %{name}-tests package contains system tests for %{name}.

 %prep
 %setup -q
-
 %patch0 -p1
 %patch1 -p1

@ -102,9 +97,11 @@ ln -s src/pkg pkg
 ln -s src/vendor vendor

 %meson \
+    -Dfish_completions_dir=%{_datadir}/fish/vendor_completions.d \
    -Dmigration_path_for_coreos_toolbox=true \
    -Dprofile_dir=%{_sysconfdir}/profile.d \
-    -Dtmpfiles_dir=%{_tmpfilesdir}
+    -Dtmpfiles_dir=%{_tmpfilesdir} \
+    -Dzsh_completions_dir=%{_datadir}/zsh/site-functions

 %meson_build

@ -116,11 +113,14 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf

 %files
 %doc CODE-OF-CONDUCT.md NEWS README.md SECURITY.md
-%license COPYING
+%license COPYING src/vendor/modules.txt
 %{_bindir}/%{name}
 %{_datadir}/bash-completion
+%{_datadir}/fish
+%{_datadir}/zsh
 %{_mandir}/man1/%{name}.1*
 %{_mandir}/man1/%{name}-*.1*
+%{_mandir}/man5/%{name}.conf.5*
 %config(noreplace) %{_sysconfdir}/containers/%{name}.conf
 %{_sysconfdir}/profile.d/%{name}.sh
 %{_tmpfilesdir}/%{name}.conf
@ -130,6 +130,11 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf


 %changelog
+* Tue Apr 04 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-1
+- Update to 0.0.99.4
+- Fix CVE-2022-3064
+Resolves: #2164980, #2165743
+
 * Mon Feb 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-7
 - Rebuild for CVE-2022-41717
 Resolves: #2163737