diff --git a/SOURCES/podman-CVE-2020-10696.patch b/SOURCES/podman-CVE-2020-10696.patch new file mode 100644 index 0000000..b2569a4 --- /dev/null +++ b/SOURCES/podman-CVE-2020-10696.patch @@ -0,0 +1,58 @@ +From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001 +From: TomSweeneyRedHat +Date: Tue, 24 Mar 2020 20:10:22 -0400 +Subject: [PATCH] Fix potential CVE in tarfile w/ symlink + +Stealing @nalind 's workaround to avoid refetching +content after a file read failure. Under the right +circumstances that could be a symlink to a file meant +to overwrite a good file with bad data. + +Testing: +``` +goodstuff + +[1] 14901 + +127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 - +127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 - +no FROM statement found + +goodstuff +``` + +Signed-off-by: TomSweeneyRedHat +--- + imagebuildah/util.go | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/imagebuildah/util.go b/imagebuildah/util.go +index 29ea60970..5f14c9883 100644 +--- a/vendor/github.com/containers/buildah/imagebuildah/util.go ++++ b/vendor/github.com/containers/buildah/imagebuildah/util.go +@@ -14,6 +14,7 @@ import ( + + "github.com/containers/buildah" + "github.com/containers/storage/pkg/chrootarchive" ++ "github.com/containers/storage/pkg/ioutils" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" +@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error { + } + dockerfile := filepath.Join(dir, "Dockerfile") + // Assume this is a Dockerfile +- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil { ++ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil { + return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile) + } + } +@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error { + if err := chrootarchive.Untar(reader, dir, nil); err != nil { + dockerfile := filepath.Join(dir, "Dockerfile") + // Assume this is a Dockerfile +- if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil { ++ if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil { + return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile) + } + } diff --git a/SPECS/podman.spec b/SPECS/podman.spec index a2fddcd..c7f3a57 100644 --- a/SPECS/podman.spec +++ b/SPECS/podman.spec @@ -29,7 +29,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl Name: podman Version: 1.6.4 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 URL: https://%{name}.io/ @@ -50,6 +50,9 @@ Patch4: podman-1805212.patch # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1807310 # patch: https://github.com/containers/libpod/pull/5349.patch Patch5: podman-1807310.patch +# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696 +# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch +Patch6: podman-CVE-2020-10696.patch Provides: %{name}-manpages = %{version}-%{release} Obsoletes: %{name}-manpages < %{version}-%{release} BuildRequires: golang >= 1.12.12-4 @@ -349,6 +352,10 @@ exit 0 %{_datadir}/%{name}/test %changelog +* Tue Mar 31 2020 Jindrich Novy - 1.6.4-11 +- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process" +- Resolves: #1817747 + * Thu Mar 19 2020 Jindrich Novy - 1.6.4-10 - use the full PR 5348 to fix "no route to host from inside container" - Resolves: #1806901