diff --git a/SOURCES/podman-1882267.patch b/SOURCES/podman-1882267.patch
new file mode 100644
index 0000000..f0fd7b0
--- /dev/null
+++ b/SOURCES/podman-1882267.patch
@@ -0,0 +1,23 @@
+From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
+From: Matthew Heon
+Date: Thu, 24 Sep 2020 10:42:13 -0400
+Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
+
+Signed-off-by: Matthew Heon
+---
+ cmd/podman/sigproxy.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
+index 16861bad04..92d7f4e4a9 100644
+--- a/cmd/podman/sigproxy.go
++++ b/cmd/podman/sigproxy.go
+@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
+ for s := range sigBuffer {
+ // Ignore SIGCHLD and SIGPIPE - these are mostly likely
+ // intended for the podman command itself.
+- if s == signal.SIGCHLD || s == signal.SIGPIPE {
++ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
+ continue
+ }
+
diff --git a/SOURCES/podman-CVE-2019-10214.patch b/SOURCES/podman-CVE-2019-10214.patch
deleted file mode 100644
index 8a71751..0000000
--- a/SOURCES/podman-CVE-2019-10214.patch
+++ /dev/null
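Review bot: The comment on the two context lines above the changed condition still says `// Ignore SIGCHLD and SIGPIPE - these are mostly likely`, but the new condition also drops SIGURG, so the comment no longer describes the code; I'd change it to `// Ignore SIGCHLD, SIGPIPE and SIGURG - these are most likely` (fixing the "mostly likely" typo as well) and add a line noting that the Go runtime raises SIGURG for its own use (asynchronous goroutine preemption since Go 1.14), which is presumably why it now has to be filtered before being forwarded to the container. The condition also switches from the project `signal.` constants to `syscall.` ones while the diffstat (1 insertion, 1 deletion) shows the import block untouched, so this compiles only if sigproxy.go already imports syscall — likely for a file that proxies signals, but worth a scratch build. ProxySignals continues outside the hunk.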
@@ -1,32 +0,0 @@
-diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go
---- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:16:38.812884788 +0200
-+++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:16:38.813884801 +0200
-@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
- authReq.SetBasicAuth(c.username, c.password)
- }
- logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
-- tr := tlsclientconfig.NewTransport()
-- // TODO(runcom): insecure for now to contact the external token service
-- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-- client := &http.Client{Transport: tr}
-- res, err := client.Do(authReq)
-+ res, err := c.client.Do(authReq)
- if err != nil {
- return nil, err
- }
-diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go
---- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:16:38.815884828 +0200
-+++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:16:38.816884841 +0200
-@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
- authReq.SetBasicAuth(c.username, c.password)
- }
- logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
-- tr := tlsclientconfig.NewTransport()
-- // TODO(runcom): insecure for now to contact the external token service
-- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-- client := &http.Client{Transport: tr}
-- res, err := client.Do(authReq)
-+ res, err := c.client.Do(authReq)
- if err != nil {
- return nil, err
- }
diff --git a/SOURCES/podman-CVE-2020-10696.patch b/SOURCES/podman-CVE-2020-10696.patch
new file mode 100644
index 0000000..be12aca
--- /dev/null
+++ b/SOURCES/podman-CVE-2020-10696.patch
@@ -0,0 +1,48 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure. Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
+--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
++++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
+@@ -12,6 +12,7 @@ import (
+
+ "github.com/containers/buildah"
+ "github.com/containers/storage/pkg/chrootarchive"
++ "github.com/containers/storage/pkg/ioutils"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ )
+@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
+ }
+ dockerfile := filepath.Join(dir, "Dockerfile")
+ // Assume this is a Dockerfile
+- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ }
+ }
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
index 72904fa..e5d2d43 100644
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@@ -16,7 +16,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL %bcond_without varlink %else %bcond_with varlink -%endif # rhel8 and fedora varlink +%endif %global provider github %global provider_tld com
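Review bot: The `---`/`+++` lines of the backported buildah patch point at `vendor/github.com/containers//buildah/imagebuildah/util.go` with a doubled slash and a `.CVE-2020-10696` suffix on the old name, and they disagree with the `diff -up a/imagebuildah/util.go...` header above them; patch tools take the target from the `---`/`+++` names, so it most likely applies, but the doubled slash and the traditional-diff name guessing are worth confirming against the vendored tree in a scratch build. The code change itself, `ioutils.AtomicWriteFile` in place of `ioutil.WriteFile`, writes via a temporary file that is renamed over `dockerfile`, so a symlink planted at that path is replaced rather than written through, which closes the overwrite the commit message describes. It also adds an import of `github.com/containers/storage/pkg/ioutils`, which has to exist in the vendored containers/storage of commit 921f98f, and `io/ioutil` must still be used elsewhere in the file or the import becomes unused; the upstream buildah commit built, but this older vendored tree should be checked for both. downloadToDirectory continues outside the hunk.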
@@ -36,13 +36,18 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL Name: podman Version: 1.0.0 -Release: 4.git%{shortcommit}%{?dist} +Release: 6.git%{shortcommit}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 URL: %{git_podman} Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz -Patch0: podman-CVE-2019-10214.patch +# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696 +# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch +Patch0: podman-CVE-2020-10696.patch +# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882267 +# patch: https://github.com/mheon/libpod/commit/bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea.patch +Patch1: podman-1882267.patch # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required #ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}} @@ -196,15 +201,12 @@ executing %{name} commands, it also creates links between all Docker CLI man pages and %{name}. %prep -%setup -q -n %{repo}-%{commit} +%autosetup -Sgit -n %{repo}-%{commit} mv pkg/hooks/README.md pkg/hooks/README-hooks.md # untar cri-o tar zxf %{SOURCE1} -# fix CVE-2019-10214 -%patch0 -p2 - %build mkdir -p $(pwd)/_build pushd $(pwd)/_build 
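Review bot: The new `Patch0:` line replaces podman-CVE-2019-10214.patch instead of adding to it, and that patch file is deleted elsewhere in this commit, so the fix it carried — dropping the `tls.Config{InsecureSkipVerify: true}` transport used to contact the token service in both vendored copies of docker_client.go — is no longer applied to the build; neither the new `#` comments here nor the rewritten changelog in the last hunk give a reason. Unless the tarball at %{commit} already contains that fix, this reintroduces the TLS verification bypass that CVE-2019-10214 addressed. I'd keep the patch as a further entry, e.g. `Patch2: podman-CVE-2019-10214.patch` (it was applied with `-p2`, so it would need regenerating with a/ and b/ prefixes to match %autosetup's default -p1), or state in the changelog why it is intentionally dropped. The same drop shows up as the removed `%patch0 -p2` line in the %prep hunk.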
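Review bot: `%autosetup -Sgit` applies the patches with git, so git must be present in the buildroot; the BuildRequires are outside this diff, so confirm the spec carries `BuildRequires: git` (or git-core), otherwise %prep fails on a clean builder. Its default strip level is -p1, which matches the a/ and b/ prefixes on both new patches, so removing the explicit `%patch0 -p2` is consistent with the new patch set.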
@@ -284,12 +286,21 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_mandir}/man1/docker*.1* %changelog -* Tue Nov 26 2019 Jindrich Novy - 1.0.0-4.git921f98f -- rebuild because of CVE-2019-9512 and CVE-2019-9514 -- Resolves: #1766293, #1766321 +* Thu Sep 24 2020 Jindrich Novy - 1.0.0-6.git921f98f +- fix "podman run errors out/segfaults in container-tools-1.0-8.3.0" +- Resolves: #1882267 -* Thu Sep 12 2019 Jindrich Novy - 1.0.0-3.git921f98f -- Fix CVE-2019-10214 (#1734656). +* Fri Jun 26 2020 Jindrich Novy - 1.0.0-5.git921f98f +- bump release to preserve upgrade path +- Resolves: #1821193 + +* Fri Apr 03 2020 Jindrich Novy - 1.0.0-4.git921f98f +- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process" +- Resolves: #1818122 + +* Thu Nov 28 2019 Jindrich Novy - 1.0.0-3.git921f98f +- rebuild because of CVE-2019-9512 and CVE-2019-9514 +- Resolves: #1766294, #1766322 * Mon Feb 11 2019 Frantisek Kluknavsky - 1.0.0-2.git921f98f - rebase