diff --git a/SOURCES/buildah-CVE-2019-10214.patch b/SOURCES/buildah-CVE-2019-10214.patch
deleted file mode 100644
index 45fb640..0000000
--- a/SOURCES/buildah-CVE-2019-10214.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go
---- buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 16:00:45.509807991 +0200
-+++ buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 16:00:45.510808003 +0200
-@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
- authReq.SetBasicAuth(c.username, c.password)
- }
- logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
-- tr := tlsclientconfig.NewTransport()
-- // TODO(runcom): insecure for now to contact the external token service
-- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-- client := &http.Client{Transport: tr}
-- res, err := client.Do(authReq)
-+ res, err := c.client.Do(authReq)
- if err != nil {
- return nil, err
- }
diff --git a/SOURCES/buildah-CVE-2020-10696.patch b/SOURCES/buildah-CVE-2020-10696.patch
new file mode 100644
index 0000000..34991cb
--- /dev/null
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@@ -0,0 +1,48 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure. Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
+--- a/imagebuildah/util.go.CVE-2020-10696
++++ b/imagebuildah/util.go
+@@ -12,6 +12,7 @@ import (
+ 
+ "github.com/containers/buildah"
+ "github.com/containers/storage/pkg/chrootarchive"
++ "github.com/containers/storage/pkg/ioutils"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ )
+@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
+ }
+ dockerfile := filepath.Join(dir, "Dockerfile")
+ // Assume this is a Dockerfile
+- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ }
+ }
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index 0b159c6..02758ec 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
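Review bot: The comment above the rewritten write still reads `// Assume this is a Dockerfile`, so the reason for moving from ioutil.WriteFile to ioutils.AtomicWriteFile — the symlink-overwrite case the patch description explains — is invisible at the call site and the next maintainer may "simplify" it back; I would change it to `// Write via a fresh temp file plus rename so a pre-existing symlink at this path (e.g. from an unpacked tar) is replaced rather than followed into another file.` The added import `github.com/containers/storage/pkg/ioutils` has to resolve from the vendor tree of the commit the spec builds, and this commit adds no vendored sources, so please confirm that package is present at that commit or the build fails on the import. downloadToDirectory starts before the hunk and appears to continue after it.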
@@ -11,7 +11,7 @@ %if 0%{?rhel} > 7 && ! 0%{?fedora} %define gobuild(o:) \ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; -%endif # distro +%endif %global provider github %global provider_tld com @@ -25,12 +25,14 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL Name: %{repo} Version: 1.5 -Release: 6.git%{shortcommit}%{?dist} +Release: 8.git%{shortcommit}%{?dist} Summary: A command line tool used for creating OCI Images License: ASL 2.0 URL: https://%{provider_prefix} Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz -Patch0: buildah-CVE-2019-10214.patch +# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696 +# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch +Patch0: buildah-CVE-2020-10696.patch ExclusiveArch: x86_64 %{arm} aarch64 ppc64le s390x # If go_compiler is not set to 1, there is no virtual provide. Use golang instead. BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} @@ -60,7 +62,6 @@ or %prep %autosetup -Sgit -n %{name}-%{commit} - %build mkdir _build pushd _build 
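Review bot: In the `Patch0` hunk the CVE-2019-10214 patch is replaced rather than supplemented, and the same commit deletes it from SOURCES, while the `Source0` context line shows the package still builds the unchanged `%{commit}` tarball; unless the vendored containers/image at that commit already contains the getBearerToken fix, this release reintroduces the InsecureSkipVerify token-service request that patch removed. Nothing in the hunk or the 1.5-8 changelog entry says the drop is intentional. If it is not, keep `Patch0: buildah-CVE-2019-10214.patch` and add the new one as `Patch1: buildah-CVE-2020-10696.patch`; if it is, a one-line comment above `Patch0` naming why the older fix is no longer needed would stop the next reviewer asking the same question.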
@@ -92,15 +93,13 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions %{_datadir}/bash-completion/completions/%{name} %changelog -* Tue Nov 26 2019 Jindrich Novy - 1.5-6.gite94b4f9 -- rebuild because of CVE-2019-9512 and CVE-2019-9514 -- Resolves: #1766309 - -* Tue Sep 17 2019 Jindrich Novy - 1.5-5.gite94b4f9 -- Use autosetup macro again. +* Thu Jun 25 2020 Jindrich Novy - 1.5-8.gite94b4f9 +- bump release to preserve upgrade path +- Related: #1821193 -* Thu Sep 12 2019 Jindrich Novy - 1.5-4.gite94b4f9 -- Fix CVE-2019-10214 (#1734660). +* Fri Apr 03 2020 Jindrich Novy - 1.5-4.gite94b4f9 +- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process" +- Resolves: #1818127 * Tue Dec 18 2018 Frantisek Kluknavsky - 1.5-3.gite94b4f9 - re-enable debuginfo