diff --git a/SOURCES/podman-CVE-2019-10214.patch b/SOURCES/podman-CVE-2019-10214.patch
new file mode 100644
index 0000000..8a71751
--- /dev/null
+++ b/SOURCES/podman-CVE-2019-10214.patch
@@ -0,0 +1,32 @@
+diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go
+--- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:16:38.812884788 +0200
++++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/cri-o-9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:16:38.813884801 +0200
+@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
+diff -up ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go
+--- ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:16:38.815884828 +0200
++++ ./libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:16:38.816884841 +0200
+@@ -530,11 +530,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
index b0dc832..72904fa 100644
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@@ -36,12 +36,13 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL Name: podman Version: 1.0.0 -Release: 3.git%{shortcommit}%{?dist} +Release: 4.git%{shortcommit}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 URL: %{git_podman} Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz +Patch0: podman-CVE-2019-10214.patch # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required #ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
@@ -195,12 +196,15 @@ executing %{name} commands, it also creates links between all Docker CLI man pages and %{name}. %prep -%autosetup -Sgit -n %{repo}-%{commit} +%setup -q -n %{repo}-%{commit} mv pkg/hooks/README.md pkg/hooks/README-hooks.md # untar cri-o tar zxf %{SOURCE1} +# fix CVE-2019-10214 +%patch0 -p2 + %build mkdir -p $(pwd)/_build pushd $(pwd)/_build
@@ -280,9 +284,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_mandir}/man1/docker*.1* %changelog -* Thu Nov 28 2019 Jindrich Novy - 1.0.0-3.git921f98f +* Tue Nov 26 2019 Jindrich Novy - 1.0.0-4.git921f98f - rebuild because of CVE-2019-9512 and CVE-2019-9514 -- Resolves: #1766294, #1766322 +- Resolves: #1766293, #1766321 + +* Thu Sep 12 2019 Jindrich Novy - 1.0.0-3.git921f98f +- Fix CVE-2019-10214 (#1734656). * Mon Feb 11 2019 Frantisek Kluknavsky - 1.0.0-2.git921f98f - rebase
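Review bot: The new call `res, err := c.client.Do(authReq)` in getBearerToken has no comment explaining why the shared client is used, and the removed TODO was the only record that certificate verification had been turned off for a request that carries `SetBasicAuth` credentials a few lines earlier. I would add `// Use c.client so the token service is contacted with the registry's TLS settings; never build a transport with InsecureSkipVerify here.` above the call. The token request now inherits whatever TLS configuration c.client was built with, which is not visible in this hunk, so it is worth confirming that an explicitly insecure registry is the only case in which the token host goes unverified. The same point applies to the second vendored copy patched below the cri-o one, and getBearerToken starts and ends outside both inner hunks.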
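Review bot: The `%patch0 -p2` step in %prep has to run after `tar zxf %{SOURCE1}`, because the patch also edits the vendored docker_client.go inside the cri-o tree, but the only comment on it is `# fix CVE-2019-10214`. That ordering is presumably why `%autosetup -Sgit` was replaced by `%setup -q`, and a later cleanup that restores %autosetup or moves the untar would leave the patch unable to apply to the cri-o copy. I would extend the comment to `# fix CVE-2019-10214; must follow the cri-o untar, the patch also touches the cri-o vendor tree`.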