diff --git a/.gitignore b/.gitignore
index 4df02f6..67507a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/skopeo-1715c90.tar.gz
+SOURCES/skopeo-e079f9d.tar.gz
diff --git a/.skopeo.metadata b/.skopeo.metadata
index 115d79b..8e88cea 100644
--- a/.skopeo.metadata
+++ b/.skopeo.metadata
@@ -1 +1 @@
-f258c639bda55165978c076e13bac72388e4ff14 SOURCES/skopeo-1715c90.tar.gz
+523696cfb03e7d0554183fe7a55510fd37b60b90 SOURCES/skopeo-e079f9d.tar.gz
diff --git a/SOURCES/registries.conf b/SOURCES/registries.conf
index 4c307b8..936596d 100644
--- a/SOURCES/registries.conf
+++ b/SOURCES/registries.conf
@@ -9,7 +9,7 @@
 # and 'registries.block'.
 [registries.search]
-registries = ['registry.redhat.io', 'quay.io', 'docker.io']
+registries = ['registry.redhat.io', 'registry.access.redhat.com', 'quay.io', 'docker.io']
 # If you need to access insecure registries, add the registry's fully-qualified name.
 # An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
diff --git a/SOURCES/skopeo-CVE-2019-10214.patch b/SOURCES/skopeo-CVE-2019-10214.patch
new file mode 100644
index 0000000..8b1a0d8
--- /dev/null
+++ b/SOURCES/skopeo-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./skopeo-e079f9d61b2508b57e9510752d7e893b544c3cb8/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./skopeo-e079f9d61b2508b57e9510752d7e893b544c3cb8/vendor/github.com/containers/image/docker/docker_client.go
+--- ./skopeo-e079f9d61b2508b57e9510752d7e893b544c3cb8/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:41:52.774748876 +0200
++++ ./skopeo-e079f9d61b2508b57e9510752d7e893b544c3cb8/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:41:52.775748889 +0200
+@@ -523,11 +523,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec
index 43b3989..af6342a 100644
--- a/SPECS/skopeo.spec
+++ b/SPECS/skopeo.spec
@@ -10,7 +10,7 @@
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
 %endif # distro
 %global provider github
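Review bot: The new patch file carries no description of what it changes, so anyone auditing SOURCES/ has only the filename to go on; a short header above the `diff -up` line, e.g. `# CVE-2019-10214: send the bearer-token request through the registry client (c.client) instead of an ad-hoc transport with InsecureSkipVerify: true; backport of upstream containers/image commit <UPSTREAM-COMMIT-ID>`, would make the backport reviewable. The replacement `res, err := c.client.Do(authReq)` routes the token-service call through the same client as the registry requests and presumably the same TLS configuration, which is the whole point of the fix and deserves to be stated. After the removal nothing in the hunk references `tls` or `tlsclientconfig`; if the rest of docker_client.go does not use them either, the Go build fails on unused imports, which the patch does not touch — worth confirming against the vendored file. getBearerToken begins and ends outside the hunk.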
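Review bot: The removal of `no_openssl` from the `-tags` list is explained only by the changelog entry `Resolves: #1721247 - enable fips mode` at the bottom of the file, so a later rebase that copies the macro from another spec could silently reintroduce the tag. A comment on the `%define gobuild(o:)` line, e.g. `# no_openssl deliberately omitted so the crypto backend can run in FIPS mode (rhbz#1721247)`, keeps the reason next to the flag; the FIPS linkage is inferred from the tag name and the changelog and should be confirmed. The rest of the `go build` line is unchanged.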
@@ -21,7 +21,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
 %global git0 https://%{import_path}
-%global commit0 1715c9084124875cb71f006916396e3c7d03014e
+%global commit0 e079f9d61b2508b57e9510752d7e893b544c3cb8
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # manually listed arches due https://bugzilla.redhat.com/show_bug.cgi?id=1391932 (removed ppc64)
@@ -30,9 +30,9 @@ ExcludeArch: ppc64 %{ix86}
 Name: %{repo}
 Epoch: 1
-Version: 0.1.32
-Release: 3.git%{shortcommit0}%{?dist}
-Summary: Inspect Docker images and repositories on registries
+Version: 0.1.37
+Release: 5%{?dist}
+Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -43,6 +43,7 @@ Source4: registries.conf.5.md
 Source5: registries.conf
 Source6: policy.json.5.md
 Source7: seccomp.json
+Patch0: skopeo-CVE-2019-10214.patch
 BuildRequires: git
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
@@ -72,8 +73,26 @@ Recommends: slirp4netns
 This package installs a default signature store configuration and a default policy under `/etc/containers/`.
+%package tests
+Summary: Tests for %{name}
+
+Requires: %{name} = %{epoch}:%{version}-%{release}
+#Requires: bats (which RHEL8 doesn't have. If it ever does, un-comment this)
+Requires: gnupg
+Requires: jq
+Requires: podman
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
+
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%setup -q -n %{name}-%{commit0}
+
+# fix CVE-2019-10214
+%patch0 -p2
 %build
 mkdir -p src/github.com/containers
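Review bot: Nothing in the `%prep` section records that patches must now be applied by hand: `%setup -q` does not apply `PatchN` entries, so `Patch0` only takes effect because of the explicit `%patch0 -p2`, and a `Patch1` added to the preamble later would be silently skipped. A comment such as `# %setup does not apply patches: every PatchN above needs a matching %patchN line here` next to the `%setup` line makes that explicit, and the reason for dropping `%autosetup -Sgit` (not mentioned in the changelog) is worth recording too. The `-p2` strip depth is consistent with the `./skopeo-<commit>/vendor/...` paths in the new patch file. In the `%package tests` block the commented `#Requires: bats` already explains why the shipped system tests cannot run out of the box, which is fine as documentation.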
@@ -96,6 +115,7 @@ make docs
 %install
 make DESTDIR=%{buildroot} install
 mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d}
 install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
 mkdir -p %{buildroot}%{_mandir}/man5
 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
@@ -108,12 +128,16 @@ install -m0644 %{SOURCE3} %{buildroot}%{_datadir}/containers/mounts.conf
 install -m0644 %{SOURCE7} %{buildroot}%{_datadir}/containers/seccomp.json
 # install secrets patch directory
-install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
+install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
 # rhbz#1110876 - update symlinks for subscription management
 ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
 ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
 ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
+# system tests
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
+
 %check
 %if 0%{?with_check}
 export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
@@ -125,7 +149,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %files -n containers-common
 %dir %{_sysconfdir}/containers
+%dir %{_sysconfdir}/containers/certs.d
 %dir %{_sysconfdir}/containers/registries.d
+%dir %{_sysconfdir}/containers/oci
+%dir %{_sysconfdir}/containers/oci/hooks.d
 %config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
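Review bot: `mkdir -p %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d}` depends on brace expansion, a bash extension; under a POSIX `sh` it creates a single literal directory named `{certs.d,oci/hooks.d}`, and the `%dir` entries for `certs.d`, `oci` and `oci/hooks.d` in `%files -n containers-common` then fail at packaging time. This presumably works today because rpm's build shell on RHEL is bash, but two explicit lines are shell-agnostic and match the `install -d -p` style used further down: `install -d -p %{buildroot}%{_sysconfdir}/containers/certs.d` and `install -d -p %{buildroot}%{_sysconfdir}/containers/oci/hooks.d`.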
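Review bot: The mode change on `%{_datadir}/rhel/secrets` from 750 to 755 makes a directory that holds symlinks into `%{_sysconfdir}/pki/entitlement`, `%{_sysconfdir}/rhsm` and `redhat.repo` traversable by every local user, and the only rationale on the page is the changelog line `fix permissions of rhel/secrets` with `Resolves: #1691543`. The spec should say on the `install -d -p -m 755` line that the directory itself is not the access control point, e.g. `# 755: the dir must be traversable (rhbz#1691543); the entitlement material keeps the modes of the symlink targets`, so the next reader does not mistake it for an accidental widening; whether the bug asked for world-traversal or only group access is worth confirming against rhbz#1691543. The `cp -pav systemtest/*` copy is fine, though `-v` only adds build-log noise.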
@@ -144,12 +171,39 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %license LICENSE
 %doc README.md
 %{_bindir}/%{name}
-%{_mandir}/man1/%{name}.1*
+%{_mandir}/man1/
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/%{name}
+%files tests
+%license LICENSE
+%{_datadir}/%{name}/test
+
 %changelog
+* Thu Sep 12 2019 Jindrich Novy - 1:0.1.37-5
+- Fix CVE-2019-10214 (#1734651).
+
+* Thu Aug 15 2019 Jindrich Novy - 1:0.1.37-4
+- fix permissions of rhel/secrets
+ Resolves: #1691543
+
+* Fri Jun 14 2019 Lokesh Mandvekar - 1:0.1.37-3
+- Resolves: #1719994 - add registry.access.redhat.com to registries.conf
+
+* Fri Jun 14 2019 Lokesh Mandvekar - 1:0.1.37-2
+- Resolves: #1721247 - enable fips mode
+
+* Fri Jun 14 2019 Lokesh Mandvekar - 1:0.1.37-1
+- Resolves: #1720654 - rebase to v0.1.37
+
+* Tue Jun 4 2019 Eduardo Santiago - 1:0.1.36-1.git6307635
+- built upstream tag v0.1.36, including system tests
+
+* Tue Apr 30 2019 Lokesh Mandvekar - 1:0.1.32-4.git1715c90
+- Fixes @openshift/machine-config-operator#669
+- install /etc/containers/oci/hooks.d and /etc/containers/certs.d
+
 * Tue Dec 18 2018 Frantisek Kluknavsky - 1:0.1.32-3.git1715c90
 - rebase