diff --git a/SOURCES/buildah-CVE-2020-10696.patch b/SOURCES/buildah-CVE-2020-10696.patch new file mode 100644 index 0000000..b0c58fd --- /dev/null +++ b/SOURCES/buildah-CVE-2020-10696.patch @@ -0,0 +1,58 @@ +From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001 +From: TomSweeneyRedHat +Date: Tue, 24 Mar 2020 20:10:22 -0400 +Subject: [PATCH] Fix potential CVE in tarfile w/ symlink + +Stealing @nalind 's workaround to avoid refetching +content after a file read failure. Under the right +circumstances that could be a symlink to a file meant +to overwrite a good file with bad data. + +Testing: +``` +goodstuff + +[1] 14901 + +127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 - +127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 - +no FROM statement found + +goodstuff +``` + +Signed-off-by: TomSweeneyRedHat +--- + imagebuildah/util.go | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/imagebuildah/util.go b/imagebuildah/util.go +index 29ea60970..5f14c9883 100644 +--- a/imagebuildah/util.go ++++ b/imagebuildah/util.go +@@ -14,6 +14,7 @@ import ( + + "github.com/containers/buildah" + "github.com/containers/storage/pkg/chrootarchive" ++ "github.com/containers/storage/pkg/ioutils" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" +@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error { + } + dockerfile := filepath.Join(dir, "Dockerfile") + // Assume this is a Dockerfile +- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil { ++ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil { + return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile) + } + } +@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error { + if err := chrootarchive.Untar(reader, dir, nil); err != nil { + dockerfile := filepath.Join(dir, "Dockerfile") + // Assume this is a Dockerfile +- if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil { ++ if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil { + return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile) + } + } diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec index ee204d7..506aefe 100644 --- a/SPECS/buildah.spec +++ b/SPECS/buildah.spec @@ -25,7 +25,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl Name: %{repo} Version: 1.11.6 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A command line tool used for creating OCI Images License: ASL 2.0 URL: https://%{name}.io @@ -39,6 +39,9 @@ Patch2: CVE-2020-1702-1801930.patch # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986 # backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch Patch3: buildah-1756986.patch +# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696 +# patch: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch +Patch4: buildah-CVE-2020-10696.patch BuildRequires: golang >= 1.12.12-4 BuildRequires: git BuildRequires: glib2-devel @@ -124,6 +127,10 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install %{_datadir}/%{name}/test %changelog +* Wed Apr 01 2020 Jindrich Novy - 1.11.6-7 +- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process" +- Resolves: #1819393 + * Mon Feb 24 2020 Jindrich Novy - 1.11.6-6 - fix "COPY command takes long time with buildah" - Resolves: #1806118