diff --git a/SOURCES/skopeo-CVE-2019-10214.patch b/SOURCES/skopeo-CVE-2019-10214.patch
new file mode 100644
index 0000000..8450aaf
--- /dev/null
+++ b/SOURCES/skopeo-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go
+--- ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:41:30.949477994 +0200
++++ ./skopeo-1715c9084124875cb71f006916396e3c7d03014e/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:41:30.950478007 +0200
+@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec
index 43b3989..411e54a 100644
--- a/SPECS/skopeo.spec
+++ b/SPECS/skopeo.spec
@@ -31,7 +31,7 @@ ExcludeArch: ppc64 %{ix86}
 Name: %{repo}
 Epoch: 1
 Version: 0.1.32
-Release: 3.git%{shortcommit0}%{?dist}
+Release: 5.git%{shortcommit0}%{?dist}
 Summary: Inspect Docker images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@@ -43,6 +43,7 @@ Source4: registries.conf.5.md
 Source5: registries.conf
 Source6: policy.json.5.md
 Source7: seccomp.json
+Patch0: skopeo-CVE-2019-10214.patch
 BuildRequires: git
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
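Review bot: The replacement `res, err := c.client.Do(authReq)` drops the removed TODO without saying why the shared client is now the right one, so I would keep a one-line rationale beside it: `// Reuse the registry-scoped client so the token service is subject to the same TLS verification as the registry itself (CVE-2019-10214).` Worth confirming before the build: the hunk removes what look like the only uses of `tls` and `tlsclientconfig` in getBearerToken but does not touch the import block, so the vendored file compiles only if both packages are still referenced elsewhere in docker_client.go. Whether `c.client` carries a verifying TLS config, or an `InsecureSkipVerify` derived from the registry's own insecure setting, is decided where that client is constructed, which lies outside this patch. getBearerToken starts before and continues after the hunk.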
@@ -73,7 +74,10 @@ This package installs a default signature store configuration and a default policy under `/etc/containers/`. %prep -%autosetup -Sgit -n %{name}-%{commit0} +%setup -q -n %{name}-%{commit0} + +# fix CVE-2019-10214 +%patch0 -p2 %build mkdir -p src/github.com/containers @@ -108,7 +112,7 @@ install -m0644 %{SOURCE3} %{buildroot}%{_datadir}/containers/mounts.conf install -m0644 %{SOURCE7} %{buildroot}%{_datadir}/containers/seccomp.json # install secrets patch directory -install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets +install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets # rhbz#1110876 - update symlinks for subscription management ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm @@ -150,6 +154,13 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/bash-completion/completions/%{name} %changelog +* Thu Sep 12 2019 Jindrich Novy - 1:0.1.32-5.git1715c90 +- Fix CVE-2019-10214 (#1734658). + +* Fri Aug 16 2019 Jindrich Novy - 1:0.1.32-4.git1715c90 +- fix permissions of rhel/secrets + Resolves: #1691543 + * Tue Dec 18 2018 Frantisek Kluknavsky - 1:0.1.32-3.git1715c90 - rebase
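Review bot: The mode change on `install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets` widens the secrets directory from owner/group-only to world-readable and traversable, and the only rationale lives in the changelog entry; I would record it next to the line, e.g. `# rhbz#1691543 - 755 so unprivileged processes can traverse this directory; as created here it holds only symlinks and the targets keep their own modes`. Whether the targets under %{_sysconfdir}/pki/entitlement and %{_sysconfdir}/rhsm are themselves restrictive is decided outside this spec, so the comment should claim no more than what the `ln -s` lines below show.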