diff --git a/SOURCES/2031.patch b/SOURCES/2031.patch
new file mode 100644
index 0000000..b674e80
--- /dev/null
+++ b/SOURCES/2031.patch
@@ -0,0 +1,147 @@
+From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 17 Dec 2019 15:24:29 -0500
+Subject: [PATCH] Add support for FIPS-Mode backends
+
+If host is running in fips mode, then RHEL8.2 and beyond container images
+will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
+This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
+order to make all tools in the container follow the FIPS Mode rules.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
+ run_linux.go           |  2 +-
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
+index 80ca05016..ee2e9a7c8 100644
+--- a/pkg/secrets/secrets.go
++++ b/pkg/secrets/secrets.go
+@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
+ }
+ 
+ // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
++// Deprecated, Please use SecretMountWithUIDGID
+ func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
+ 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
+ }
+ 
+-// SecretMountsWithUIDGID specifies the uid/gid of the owner
+-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
++// mountLabel: MAC/SELinux label for container content
++// containerWorkingDir: Private data for storing secrets on the host mounted in container.
++// mountFile: Additional mount points required for the container.
++// mountPoint: Container image mountpoint
++// uid: to assign to content created for secrets
++// gid: to assign to content created for secrets
++// rootless: indicates whether container is running in rootless mode
++// disableFips: indicates whether system should ignore fips mode
++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+ 	var (
+ 		secretMounts []rspec.Mount
+ 		mountFiles   []string
+@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
+ 	}
+ 	for _, file := range mountFiles {
+ 		if _, err := os.Stat(file); err == nil {
+-			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
++			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+ 			if err != nil {
+ 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
+ 			}
+@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
+ 	// Add FIPS mode secret if /etc/system-fips exists on the host
+ 	_, err := os.Stat("/etc/system-fips")
+ 	if err == nil {
+-		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
++		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+ 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ 		}
+ 	} else if os.IsNotExist(err) {
+@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
+ 
+ // addSecretsFromMountsFile copies the contents of host directory to container directory
+ // and returns a list of mounts
+-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+ 	var mounts []rspec.Mount
+ 	defaultMountsPaths := getMounts(filePath)
+ 	for _, path := range defaultMountsPaths {
+@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
+ 		}
+ 
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
++			Source:      ctrDirOrFileOnHost,
+ 			Destination: ctrDirOrFile,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
+ // root filesystem if /etc/system-fips exists on hosts.
+ // This enables the container to be FIPS compliant and run openssl in
+ // FIPS mode as the host is also in FIPS mode.
+-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+ 	secretsDir := "/run/secrets"
+ 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
+-			return errors.Wrapf(err, "making container directory on host failed")
++			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
+ 		}
+ 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+-			return errors.Wrap(err, "error applying correct labels")
++			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
+ 		}
+ 	}
+ 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
+ 
+ 	if !mountExists(*mounts, secretsDir) {
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, secretsDir),
++			Source:      ctrDirOnHost,
+ 			Destination: secretsDir,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
+ 		*mounts = append(*mounts, m)
+ 	}
+ 
++	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
++	destDir := "/etc/crypto-policies/back-ends"
++	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	if _, err := os.Stat(srcOnHost); err != nil {
++		if os.IsNotExist(err) {
++			return nil
++		}
++		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
++	}
++
++	if !mountExists(*mounts, destDir) {
++		m := rspec.Mount{
++			Source:      srcOnHost,
++			Destination: destDir,
++			Type:        "bind",
++			Options:     []string{"bind", "rprivate"},
++		}
++		*mounts = append(*mounts, m)
++	}
+ 	return nil
+ }
+ 
+diff --git a/run_linux.go b/run_linux.go
+index 4c2d73edd..c8e75eada 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
+ 	}
+ 
+ 	// Get the list of secrets mounts.
+-	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
++	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+ 
+ 	// Add temporary copies of the contents of volume locations at the
+ 	// volume locations, unless we already have something there.
diff --git a/SOURCES/CVE-2020-1702-1801930.patch b/SOURCES/CVE-2020-1702-1801930.patch
new file mode 100644
index 0000000..00ea466
--- /dev/null
+++ b/SOURCES/CVE-2020-1702-1801930.patch
@@ -0,0 +1,390 @@
+From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001
+From: Valentin Rothberg <rothberg@redhat.com>
+Date: Thu, 6 Feb 2020 09:49:15 +0100
+Subject: [PATCH] [1.11-rhel] update github.com/containers/image
+
+Note that this includes fixes for
+https://access.redhat.com/security/cve/CVE-2020-1702.
+
+Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
+---
+ go.mod                                        |  2 +-
+ go.sum                                        |  2 +
+ .../image/v5/docker/docker_client.go          |  6 +-
+ .../image/v5/docker/docker_image_dest.go      |  3 +-
+ .../image/v5/docker/docker_image_src.go       | 10 ++--
+ .../image/v5/docker/tarfile/dest.go           |  3 +-
+ .../containers/image/v5/docker/tarfile/src.go |  9 +--
+ .../image/v5/image/docker_schema2.go          |  4 +-
+ .../containers/image/v5/image/oci.go          |  4 +-
+ .../image/v5/internal/iolimits/iolimits.go    | 60 +++++++++++++++++++
+ .../image/v5/openshift/openshift.go           |  4 +-
+ vendor/modules.txt                            |  3 +-
+ 12 files changed, 89 insertions(+), 21 deletions(-)
+ create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+
+diff --git a/go.mod b/go.mod
+index 684b00ff5..b94792238 100644
+--- a/go.mod
++++ b/go.mod
+@@ -5,7 +5,7 @@ go 1.12
+ require (
+ 	github.com/blang/semver v3.5.0+incompatible // indirect
+ 	github.com/containernetworking/cni v0.7.1
+-	github.com/containers/image/v5 v5.0.0
++	github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
+ 	github.com/containers/storage v1.14.0
+ 	github.com/cyphar/filepath-securejoin v0.2.2
+ 	github.com/docker/distribution v2.7.1+incompatible
+diff --git a/go.sum b/go.sum
+index 1cce3ff7e..ef8729952 100644
+--- a/go.sum
++++ b/go.sum
+@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg
+ github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+ github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
+ github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE=
++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
+ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
+ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+ github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
+index 0b012c703..bff077a40 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
+@@ -6,7 +6,6 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+-	"io/ioutil"
+ 	"net/http"
+ 	"net/url"
+ 	"os"
+@@ -17,6 +16,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/pkg/docker/config"
+ 	"github.com/containers/image/v5/pkg/sysregistriesv2"
+ 	"github.com/containers/image/v5/pkg/tlsclientconfig"
+@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
+ 	default:
+ 		return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
+ 	}
+-	tokenBlob, err := ioutil.ReadAll(res.Body)
++	tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
+ 		return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
+ 	}
+ 
+-	body, err := ioutil.ReadAll(res.Body)
++	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+index 417d97aec..ce8a1f357 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+@@ -15,6 +15,7 @@ import (
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -620,7 +621,7 @@ sigExists:
+ 		}
+ 		defer res.Body.Close()
+ 		if res.StatusCode != http.StatusCreated {
+-			body, err := ioutil.ReadAll(res.Body)
++			body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
+ 			if err == nil {
+ 				logrus.Debugf("Error body %s", string(body))
+ 			}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+index 35beb30e5..5436d9b7d 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+@@ -12,6 +12,7 @@ import (
+ 	"strconv"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/sysregistriesv2"
+ 	"github.com/containers/image/v5/types"
+@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
+ 	if res.StatusCode != http.StatusOK {
+ 		return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
+ 	}
+-	manblob, err := ioutil.ReadAll(res.Body)
++
++	manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
+ 	if err != nil {
+ 		return nil, "", err
+ 	}
+@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
+ 		} else if res.StatusCode != http.StatusOK {
+ 			return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
+ 		}
+-		sig, err := ioutil.ReadAll(res.Body)
++		sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
+ 		if err != nil {
+ 			return nil, false, err
+ 		}
+@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 		return err
+ 	}
+ 	defer get.Body.Close()
+-	manifestBody, err := ioutil.ReadAll(get.Body)
++	manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 	}
+ 	defer delete.Body.Close()
+ 
+-	body, err := ioutil.ReadAll(delete.Body)
++	body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+index b02c60bb3..9748ca112 100644
+--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
++++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+@@ -13,6 +13,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/internal/tmpdir"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
+ 	}
+ 
+ 	if isConfig {
+-		buf, err := ioutil.ReadAll(stream)
++		buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+index ad0a3d2cb..bbf604da6 100644
+--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
++++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+@@ -11,6 +11,7 @@ import (
+ 	"path"
+ 	"sync"
+ 
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/internal/tmpdir"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/compression"
+@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
+ }
+ 
+ // readTarComponent returns full contents of componentPath.
+-func (s *Source) readTarComponent(path string) ([]byte, error) {
++func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
+ 	file, err := s.openTarComponent(path)
+ 	if err != nil {
+ 		return nil, errors.Wrapf(err, "Error loading tar component %s", path)
+ 	}
+ 	defer file.Close()
+-	bytes, err := ioutil.ReadAll(file)
++	bytes, err := iolimits.ReadAtMost(file, limit)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
+ 	}
+ 
+ 	// Read and parse config.
+-	configBytes, err := s.readTarComponent(tarManifest[0].Config)
++	configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
+ // loadTarManifest loads and decodes the manifest.json.
+ func (s *Source) loadTarManifest() ([]ManifestItem, error) {
+ 	// FIXME? Do we need to deal with the legacy format?
+-	bytes, err := s.readTarComponent(manifestFileName)
++	bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
+index 254c13f78..29c5047d7 100644
+--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
++++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
+@@ -7,10 +7,10 @@ import (
+ 	"encoding/hex"
+ 	"encoding/json"
+ 	"fmt"
+-	"io/ioutil"
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
+ 			return nil, err
+ 		}
+ 		defer stream.Close()
+-		blob, err := ioutil.ReadAll(stream)
++		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
+index 18a38d463..406da262f 100644
+--- a/vendor/github.com/containers/image/v5/image/oci.go
++++ b/vendor/github.com/containers/image/v5/image/oci.go
+@@ -4,9 +4,9 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"fmt"
+-	"io/ioutil"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
+ 			return nil, err
+ 		}
+ 		defer stream.Close()
+-		blob, err := ioutil.ReadAll(stream)
++		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+new file mode 100644
+index 000000000..3fed1995c
+--- /dev/null
++++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+@@ -0,0 +1,60 @@
++package iolimits
++
++import (
++	"io"
++	"io/ioutil"
++
++	"github.com/pkg/errors"
++)
++
++// All constants below are intended to be used as limits for `ReadAtMost`. The
++// immediate use-case for limiting the size of in-memory copied data is to
++// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
++// copying data until running out of memory, we error out after hitting the
++// specified limit.
++const (
++	// megaByte denotes one megabyte and is intended to be used as a limit in
++	// `ReadAtMost`.
++	megaByte = 1 << 20
++	// MaxManifestBodySize is the maximum allowed size of a manifest. The limit
++	// of 4 MB aligns with the one of a Docker registry:
++	// https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
++	MaxManifestBodySize = 4 * megaByte
++	// MaxAuthTokenBodySize is the maximum allowed size of an auth token.
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxAuthTokenBodySize = megaByte
++	// MaxSignatureListBodySize is the maximum allowed size of a signature list.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxSignatureListBodySize = 4 * megaByte
++	// MaxSignatureBodySize is the maximum allowed size of a signature.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxSignatureBodySize = 4 * megaByte
++	// MaxErrorBodySize is the maximum allowed size of an error-response body.
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxErrorBodySize = megaByte
++	// MaxConfigBodySize is the maximum allowed size of a config blob.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxConfigBodySize = 4 * megaByte
++	// MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxOpenShiftStatusBody = 4 * megaByte
++	// MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxTarFileManifestSize = megaByte
++)
++
++// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
++func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
++	limitedReader := io.LimitReader(reader, int64(limit+1))
++
++	res, err := ioutil.ReadAll(limitedReader)
++	if err != nil {
++		return nil, err
++	}
++
++	if len(res) > limit {
++		return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
++	}
++
++	return res, nil
++}
+diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
+index 016de4803..c37e1b751 100644
+--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
++++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
+@@ -7,13 +7,13 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+-	"io/ioutil"
+ 	"net/http"
+ 	"net/url"
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker"
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+ 	"github.com/containers/image/v5/version"
+@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
+ 		return nil, err
+ 	}
+ 	defer res.Body.Close()
+-	body, err := ioutil.ReadAll(res.Body)
++	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 840dae067..3f72f3f34 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types
+ github.com/containernetworking/cni/pkg/types/020
+ github.com/containernetworking/cni/pkg/types/current
+ github.com/containernetworking/cni/pkg/version
+-# github.com/containers/image/v5 v5.0.0
++# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+ github.com/containers/image/v5/directory/explicitfilepath
+@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration
+ github.com/containers/image/v5/docker/reference
+ github.com/containers/image/v5/docker/tarfile
+ github.com/containers/image/v5/image
++github.com/containers/image/v5/internal/iolimits
+ github.com/containers/image/v5/internal/pkg/keyctl
+ github.com/containers/image/v5/internal/tmpdir
+ github.com/containers/image/v5/manifest
diff --git a/SOURCES/buildah-1756986.patch b/SOURCES/buildah-1756986.patch
new file mode 100644
index 0000000..e70ea76
--- /dev/null
+++ b/SOURCES/buildah-1756986.patch
@@ -0,0 +1,98 @@
+From 6d7ab38f33edb9ab87a290a0c68cfd27b55b061f Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 8 Jan 2020 11:02:05 -0500
+Subject: [PATCH 1/2] Check for .dockerignore specifically
+
+When generating the list of exclusions to process .dockerignore
+contents, don't include .dockerignore if we don't have a .dockerignore
+file in the context directory.  That way, if the file doesn't exist, and
+the caller didn't pass in any patterns, we get no patterns instead of
+just one ".dockerignore" pattern, and we can hit the faster copy path.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+
+Closes: #2072
+Approved by: giuseppe
+---
+ add.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/add.go b/add.go
+index b5119e369..e82a5ef9a 100644
+--- a/add.go
++++ b/add.go
+@@ -215,7 +215,12 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ 	if contextDir == "" {
+ 		return nil, nil
+ 	}
+-	patterns := []string{".dockerignore"}
++	// If there's no .dockerignore file, then we don't have to add a
++	// pattern to tell copy logic to ignore it later.
++	var patterns []string
++	if _, err := os.Stat(filepath.Join(contextDir, ".dockerignore")); err == nil || !os.IsNotExist(err) {
++		patterns = []string{".dockerignore"}
++	}
+ 	for _, ignoreSpec := range lines {
+ 		ignoreSpec = strings.TrimSpace(ignoreSpec)
+ 		// ignore comments passed back from .dockerignore
+@@ -224,7 +229,8 @@ func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternM
+ 		}
+ 		// if the spec starts with '!' it means the pattern
+ 		// should be included. make a note so that we can move
+-		// it to the front of the updated pattern
++		// it to the front of the updated pattern, and insert
++		// the context dir's path in between
+ 		includeFlag := ""
+ 		if strings.HasPrefix(ignoreSpec, "!") {
+ 			includeFlag = "!"
+
+From f999964084ce75c833b0cffd17fb09b947dad506 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Wed, 8 Jan 2020 11:04:57 -0500
+Subject: [PATCH 2/2] copyFileWithTar: close source files at the right time
+
+Close source files after we've finished reading from them, rather than
+leaving it for later.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+
+Closes: #2072
+Approved by: giuseppe
+---
+ util.go | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/util.go b/util.go
+index b4670e41c..2f923357c 100644
+--- a/util.go
++++ b/util.go
+@@ -165,11 +165,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ 				if err != nil {
+ 					return errors.Wrapf(err, "error opening %q to copy its contents", src)
+ 				}
+-				defer func() {
+-					if err := f.Close(); err != nil {
+-						logrus.Debugf("error closing %s: %v", fi.Name(), err)
+-					}
+-				}()
+ 			}
+ 		}
+ 
+@@ -200,6 +195,9 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ 					logrus.Debugf("error copying contents of %s: %v", fi.Name(), err)
+ 					copyErr = err
+ 				}
++				if err = srcFile.Close(); err != nil {
++					logrus.Debugf("error closing %s: %v", fi.Name(), err)
++				}
+ 			}
+ 			if err = writer.Close(); err != nil {
+ 				logrus.Debugf("error closing write pipe for %s: %v", hdr.Name, err)
+@@ -213,7 +211,6 @@ func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOp
+ 		if err == nil {
+ 			err = copyErr
+ 		}
+-		f = nil
+ 		if pipeWriter != nil {
+ 			pipeWriter.Close()
+ 		}
diff --git a/SOURCES/buildah-CVE-2020-10696.patch b/SOURCES/buildah-CVE-2020-10696.patch
new file mode 100644
index 0000000..b0c58fd
--- /dev/null
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@@ -0,0 +1,58 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/imagebuildah/util.go b/imagebuildah/util.go
+index 29ea60970..5f14c9883 100644
+--- a/imagebuildah/util.go
++++ b/imagebuildah/util.go
+@@ -14,6 +14,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
++	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}
+@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
+ 	if err := chrootarchive.Untar(reader, dir, nil); err != nil {
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
+ 		}
+ 	}
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index f657f89..506aefe 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@@ -25,13 +25,23 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl 
 
 Name: %{repo}
 Version: 1.11.6
-Release: 4%{?dist}
+Release: 7%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=1784952
+Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
+# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch
+Patch2: CVE-2020-1702-1801930.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986
+# backported:  https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch
+Patch3: buildah-1756986.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+# patch:       https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Patch4: buildah-CVE-2020-10696.patch
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: glib2-devel
@@ -117,6 +127,20 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/%{name}/test
 
 %changelog
+* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-7
+- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
+- Resolves: #1819393
+
+* Mon Feb 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-6
+- fix "COPY command takes long time with buildah"
+- Resolves: #1806118
+
+* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-5
+- fix CVE-2020-1702
+- Resolves: #1801930
+- adding the first phase of FIPS fix
+- Related: #1784952
+
 * Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
 - compile in FIPS mode
 - Related: RHELPLAN-25139