diff --git a/SOURCES/buildah-CVE-2019-10214.patch b/SOURCES/buildah-CVE-2019-10214.patch
new file mode 100644
index 0000000..45fb640
--- /dev/null
+++ b/SOURCES/buildah-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go
+--- buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 16:00:45.509807991 +0200
++++ buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 16:00:45.510808003 +0200
+@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index a0fd7c0..e6bfd67 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
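Review bot: The replacement `res, err := c.client.Do(authReq)` makes the token-service request inherit whatever TLS configuration c.client was built with, in place of the unconditional `InsecureSkipVerify: true` transport being removed; the hunk does not show how c.client is constructed, so it is worth confirming that the shared client verifies certificates by default and only relaxes that for a registry the user explicitly marked insecure, since the removed TODO describes the token service as external to the registry. If this function was the only user of `tlsclientconfig` or `crypto/tls` in docker_client.go the imports would now be unused and the package would not compile; the patch leaves the import block untouched, which suggests they are still used elsewhere, but the vendored tree should be built to confirm. The patch file also carries no provenance: a line above `diff -up`, e.g. `Backport of the upstream containers/image fix for CVE-2019-10214 (upstream commit: <UPSTREAM-COMMIT-ID>)`, would record where it came from, and patch(1) ignores text before the first file header. getBearerToken's body starts and ends outside the hunk.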
@@ -25,11 +25,12 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 Name: %{repo}
 Version: 1.5
-Release: 3.git%{shortcommit}%{?dist}
+Release: 5.git%{shortcommit}%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{provider_prefix}
 Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+Patch0: buildah-CVE-2019-10214.patch
 ExclusiveArch: x86_64 %{arm} aarch64 ppc64le s390x
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
@@ -59,6 +60,7 @@ or
 %prep
 %autosetup -Sgit -n %{name}-%{commit}
+
 %build
 mkdir _build
 pushd _build
@@ -90,6 +92,12 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
+* Tue Sep 17 2019 Jindrich Novy - 1.5-5.gite94b4f9
+- Use autosetup macro again.
+
+* Thu Sep 12 2019 Jindrich Novy - 1.5-4.gite94b4f9
+- Fix CVE-2019-10214 (#1734660).
+
 * Tue Dec 18 2018 Frantisek Kluknavsky - 1.5-3.gite94b4f9
 - re-enable debuginfo