diff --git a/SOURCES/2031.patch b/SOURCES/2031.patch new file mode 100644 index 0000000..b674e80 --- /dev/null +++ b/SOURCES/2031.patch @@ -0,0 +1,147 @@ +From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001 +From: Daniel J Walsh +Date: Tue, 17 Dec 2019 15:24:29 -0500 +Subject: [PATCH] Add support for FIPS-Mode backends + +If host is running in fips mode, then RHEL8.2 and beyond container images +will come with a directory /usr/share/crypto-policies/back-ends/FIPS. +This directory needs to be bind mounted over /etc/crypto-policies/back-ends in +order to make all tools in the container follow the FIPS Mode rules. + +Signed-off-by: Daniel J Walsh +--- + pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++--------- + run_linux.go | 2 +- + 2 files changed, 39 insertions(+), 11 deletions(-) + +diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go +index 80ca05016..ee2e9a7c8 100644 +--- a/pkg/secrets/secrets.go ++++ b/pkg/secrets/secrets.go +@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) { + } + + // SecretMounts copies, adds, and mounts the secrets to the container root filesystem ++// Deprecated, Please use SecretMountWithUIDGID + func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount { + return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips) + } + +-// SecretMountsWithUIDGID specifies the uid/gid of the owner +-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount { ++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem ++// mountLabel: MAC/SELinux label for container content ++// containerWorkingDir: Private data for storing secrets on the host mounted in container. ++// mountFile: Additional mount points required for the container. ++// mountPoint: Container image mountpoint ++// uid: to assign to content created for secrets ++// gid: to assign to content created for secrets ++// rootless: indicates whether container is running in rootless mode ++// disableFips: indicates whether system should ignore fips mode ++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount { + var ( + secretMounts []rspec.Mount + mountFiles []string +@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre + } + for _, file := range mountFiles { + if _, err := os.Stat(file); err == nil { +- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid) ++ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid) + if err != nil { + logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err) + } +@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre + // Add FIPS mode secret if /etc/system-fips exists on the host + _, err := os.Stat("/etc/system-fips") + if err == nil { +- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil { ++ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil { + logrus.Errorf("error adding FIPS mode secret to container: %v", err) + } + } else if os.IsNotExist(err) { +@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error { + + // addSecretsFromMountsFile copies the contents of host directory to container directory + // and returns a list of mounts +-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) { ++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) { + var mounts []rspec.Mount + defaultMountsPaths := getMounts(filePath) + for _, path := range defaultMountsPaths { +@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr + } + + m := rspec.Mount{ +- Source: filepath.Join(mountPrefix, ctrDirOrFile), ++ Source: ctrDirOrFileOnHost, + Destination: ctrDirOrFile, + Type: "bind", + Options: []string{"bind", "rprivate"}, +@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr + // root filesystem if /etc/system-fips exists on hosts. + // This enables the container to be FIPS compliant and run openssl in + // FIPS mode as the host is also in FIPS mode. +-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error { ++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error { + secretsDir := "/run/secrets" + ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir) + if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { + if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { +- return errors.Wrapf(err, "making container directory on host failed") ++ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost) + } + if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { +- return errors.Wrap(err, "error applying correct labels") ++ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost) + } + } + fipsFile := filepath.Join(ctrDirOnHost, "system-fips") +@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, + + if !mountExists(*mounts, secretsDir) { + m := rspec.Mount{ +- Source: filepath.Join(mountPrefix, secretsDir), ++ Source: ctrDirOnHost, + Destination: secretsDir, + Type: "bind", + Options: []string{"bind", "rprivate"}, +@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, + *mounts = append(*mounts, m) + } + ++ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" ++ destDir := "/etc/crypto-policies/back-ends" ++ srcOnHost := filepath.Join(mountPoint, srcBackendDir) ++ if _, err := os.Stat(srcOnHost); err != nil { ++ if os.IsNotExist(err) { ++ return nil ++ } ++ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost) ++ } ++ ++ if !mountExists(*mounts, destDir) { ++ m := rspec.Mount{ ++ Source: srcOnHost, ++ Destination: destDir, ++ Type: "bind", ++ Options: []string{"bind", "rprivate"}, ++ } ++ *mounts = append(*mounts, m) ++ } + return nil + } + +diff --git a/run_linux.go b/run_linux.go +index 4c2d73edd..c8e75eada 100644 +--- a/run_linux.go ++++ b/run_linux.go +@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st + } + + // Get the list of secrets mounts. +- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false) ++ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false) + + // Add temporary copies of the contents of volume locations at the + // volume locations, unless we already have something there. diff --git a/SOURCES/CVE-2020-1702-1801926.patch b/SOURCES/CVE-2020-1702-1801926.patch new file mode 100644 index 0000000..00ea466 --- /dev/null +++ b/SOURCES/CVE-2020-1702-1801926.patch @@ -0,0 +1,390 @@ +From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001 +From: Valentin Rothberg +Date: Thu, 6 Feb 2020 09:49:15 +0100 +Subject: [PATCH] [1.11-rhel] update github.com/containers/image + +Note that this includes fixes for +https://access.redhat.com/security/cve/CVE-2020-1702. + +Signed-off-by: Valentin Rothberg +--- + go.mod | 2 +- + go.sum | 2 + + .../image/v5/docker/docker_client.go | 6 +- + .../image/v5/docker/docker_image_dest.go | 3 +- + .../image/v5/docker/docker_image_src.go | 10 ++-- + .../image/v5/docker/tarfile/dest.go | 3 +- + .../containers/image/v5/docker/tarfile/src.go | 9 +-- + .../image/v5/image/docker_schema2.go | 4 +- + .../containers/image/v5/image/oci.go | 4 +- + .../image/v5/internal/iolimits/iolimits.go | 60 +++++++++++++++++++ + .../image/v5/openshift/openshift.go | 4 +- + vendor/modules.txt | 3 +- + 12 files changed, 89 insertions(+), 21 deletions(-) + create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go + +diff --git a/go.mod b/go.mod +index 684b00ff5..b94792238 100644 +--- a/go.mod ++++ b/go.mod +@@ -5,7 +5,7 @@ go 1.12 + require ( + github.com/blang/semver v3.5.0+incompatible // indirect + github.com/containernetworking/cni v0.7.1 +- github.com/containers/image/v5 v5.0.0 ++ github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 + github.com/containers/storage v1.14.0 + github.com/cyphar/filepath-securejoin v0.2.2 + github.com/docker/distribution v2.7.1+incompatible +diff --git a/go.sum b/go.sum +index 1cce3ff7e..ef8729952 100644 +--- a/go.sum ++++ b/go.sum +@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg + github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA= + github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4= + github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY= ++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE= ++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY= + github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE= + github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= + github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA= +diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go +index 0b012c703..bff077a40 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_client.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go +@@ -6,7 +6,6 @@ import ( + "encoding/json" + "fmt" + "io" +- "io/ioutil" + "net/http" + "net/url" + "os" +@@ -17,6 +16,7 @@ import ( + "time" + + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/pkg/docker/config" + "github.com/containers/image/v5/pkg/sysregistriesv2" + "github.com/containers/image/v5/pkg/tlsclientconfig" +@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge, + default: + return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL) + } +- tokenBlob, err := ioutil.ReadAll(res.Body) ++ tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize) + if err != nil { + return nil, err + } +@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe + return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name()) + } + +- body, err := ioutil.ReadAll(res.Body) ++ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize) + if err != nil { + return nil, err + } +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +index 417d97aec..ce8a1f357 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +@@ -15,6 +15,7 @@ import ( + "strings" + + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/pkg/blobinfocache/none" + "github.com/containers/image/v5/types" +@@ -620,7 +621,7 @@ sigExists: + } + defer res.Body.Close() + if res.StatusCode != http.StatusCreated { +- body, err := ioutil.ReadAll(res.Body) ++ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize) + if err == nil { + logrus.Debugf("Error body %s", string(body)) + } +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +index 35beb30e5..5436d9b7d 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +@@ -12,6 +12,7 @@ import ( + "strconv" + + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/pkg/sysregistriesv2" + "github.com/containers/image/v5/types" +@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin + if res.StatusCode != http.StatusOK { + return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name()) + } +- manblob, err := ioutil.ReadAll(res.Body) ++ ++ manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize) + if err != nil { + return nil, "", err + } +@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) ( + } else if res.StatusCode != http.StatusOK { + return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode)) + } +- sig, err := ioutil.ReadAll(res.Body) ++ sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize) + if err != nil { + return nil, false, err + } +@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere + return err + } + defer get.Body.Close() +- manifestBody, err := ioutil.ReadAll(get.Body) ++ manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize) + if err != nil { + return err + } +@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere + } + defer delete.Body.Close() + +- body, err := ioutil.ReadAll(delete.Body) ++ body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize) + if err != nil { + return err + } +diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go +index b02c60bb3..9748ca112 100644 +--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go ++++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go +@@ -13,6 +13,7 @@ import ( + "time" + + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/internal/tmpdir" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/types" +@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t + } + + if isConfig { +- buf, err := ioutil.ReadAll(stream) ++ buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize) + if err != nil { + return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream") + } +diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go +index ad0a3d2cb..bbf604da6 100644 +--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go ++++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go +@@ -11,6 +11,7 @@ import ( + "path" + "sync" + ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/internal/tmpdir" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/pkg/compression" +@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade + } + + // readTarComponent returns full contents of componentPath. +-func (s *Source) readTarComponent(path string) ([]byte, error) { ++func (s *Source) readTarComponent(path string, limit int) ([]byte, error) { + file, err := s.openTarComponent(path) + if err != nil { + return nil, errors.Wrapf(err, "Error loading tar component %s", path) + } + defer file.Close() +- bytes, err := ioutil.ReadAll(file) ++ bytes, err := iolimits.ReadAtMost(file, limit) + if err != nil { + return nil, err + } +@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error { + } + + // Read and parse config. +- configBytes, err := s.readTarComponent(tarManifest[0].Config) ++ configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize) + if err != nil { + return err + } +@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error { + // loadTarManifest loads and decodes the manifest.json. + func (s *Source) loadTarManifest() ([]ManifestItem, error) { + // FIXME? Do we need to deal with the legacy format? +- bytes, err := s.readTarComponent(manifestFileName) ++ bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize) + if err != nil { + return nil, err + } +diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go +index 254c13f78..29c5047d7 100644 +--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go ++++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go +@@ -7,10 +7,10 @@ import ( + "encoding/hex" + "encoding/json" + "fmt" +- "io/ioutil" + "strings" + + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/pkg/blobinfocache/none" + "github.com/containers/image/v5/types" +@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) { + return nil, err + } + defer stream.Close() +- blob, err := ioutil.ReadAll(stream) ++ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize) + if err != nil { + return nil, err + } +diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go +index 18a38d463..406da262f 100644 +--- a/vendor/github.com/containers/image/v5/image/oci.go ++++ b/vendor/github.com/containers/image/v5/image/oci.go +@@ -4,9 +4,9 @@ import ( + "context" + "encoding/json" + "fmt" +- "io/ioutil" + + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/pkg/blobinfocache/none" + "github.com/containers/image/v5/types" +@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) { + return nil, err + } + defer stream.Close() +- blob, err := ioutil.ReadAll(stream) ++ blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize) + if err != nil { + return nil, err + } +diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go +new file mode 100644 +index 000000000..3fed1995c +--- /dev/null ++++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go +@@ -0,0 +1,60 @@ ++package iolimits ++ ++import ( ++ "io" ++ "io/ioutil" ++ ++ "github.com/pkg/errors" ++) ++ ++// All constants below are intended to be used as limits for `ReadAtMost`. The ++// immediate use-case for limiting the size of in-memory copied data is to ++// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of ++// copying data until running out of memory, we error out after hitting the ++// specified limit. ++const ( ++ // megaByte denotes one megabyte and is intended to be used as a limit in ++ // `ReadAtMost`. ++ megaByte = 1 << 20 ++ // MaxManifestBodySize is the maximum allowed size of a manifest. The limit ++ // of 4 MB aligns with the one of a Docker registry: ++ // https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30 ++ MaxManifestBodySize = 4 * megaByte ++ // MaxAuthTokenBodySize is the maximum allowed size of an auth token. ++ // The limit of 1 MB is considered to be greatly sufficient. ++ MaxAuthTokenBodySize = megaByte ++ // MaxSignatureListBodySize is the maximum allowed size of a signature list. ++ // The limit of 4 MB is considered to be greatly sufficient. ++ MaxSignatureListBodySize = 4 * megaByte ++ // MaxSignatureBodySize is the maximum allowed size of a signature. ++ // The limit of 4 MB is considered to be greatly sufficient. ++ MaxSignatureBodySize = 4 * megaByte ++ // MaxErrorBodySize is the maximum allowed size of an error-response body. ++ // The limit of 1 MB is considered to be greatly sufficient. ++ MaxErrorBodySize = megaByte ++ // MaxConfigBodySize is the maximum allowed size of a config blob. ++ // The limit of 4 MB is considered to be greatly sufficient. ++ MaxConfigBodySize = 4 * megaByte ++ // MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body. ++ // The limit of 4 MB is considered to be greatly sufficient. ++ MaxOpenShiftStatusBody = 4 * megaByte ++ // MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images) ++ // The limit of 1 MB is considered to be greatly sufficient. ++ MaxTarFileManifestSize = megaByte ++) ++ ++// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded. ++func ReadAtMost(reader io.Reader, limit int) ([]byte, error) { ++ limitedReader := io.LimitReader(reader, int64(limit+1)) ++ ++ res, err := ioutil.ReadAll(limitedReader) ++ if err != nil { ++ return nil, err ++ } ++ ++ if len(res) > limit { ++ return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit) ++ } ++ ++ return res, nil ++} +diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go +index 016de4803..c37e1b751 100644 +--- a/vendor/github.com/containers/image/v5/openshift/openshift.go ++++ b/vendor/github.com/containers/image/v5/openshift/openshift.go +@@ -7,13 +7,13 @@ import ( + "encoding/json" + "fmt" + "io" +- "io/ioutil" + "net/http" + "net/url" + "strings" + + "github.com/containers/image/v5/docker" + "github.com/containers/image/v5/docker/reference" ++ "github.com/containers/image/v5/internal/iolimits" + "github.com/containers/image/v5/manifest" + "github.com/containers/image/v5/types" + "github.com/containers/image/v5/version" +@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re + return nil, err + } + defer res.Body.Close() +- body, err := ioutil.ReadAll(res.Body) ++ body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody) + if err != nil { + return nil, err + } +diff --git a/vendor/modules.txt b/vendor/modules.txt +index 840dae067..3f72f3f34 100644 +--- a/vendor/modules.txt ++++ b/vendor/modules.txt +@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types + github.com/containernetworking/cni/pkg/types/020 + github.com/containernetworking/cni/pkg/types/current + github.com/containernetworking/cni/pkg/version +-# github.com/containers/image/v5 v5.0.0 ++# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 + github.com/containers/image/v5/copy + github.com/containers/image/v5/directory + github.com/containers/image/v5/directory/explicitfilepath +@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration + github.com/containers/image/v5/docker/reference + github.com/containers/image/v5/docker/tarfile + github.com/containers/image/v5/image ++github.com/containers/image/v5/internal/iolimits + github.com/containers/image/v5/internal/pkg/keyctl + github.com/containers/image/v5/internal/tmpdir + github.com/containers/image/v5/manifest diff --git a/SOURCES/buildah-1784950.patch b/SOURCES/buildah-1784950.patch deleted file mode 100644 index 11ec21d..0000000 --- a/SOURCES/buildah-1784950.patch +++ /dev/null @@ -1,145 +0,0 @@ -From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001 -From: Daniel J Walsh -Date: Tue, 17 Dec 2019 15:24:29 -0500 -Subject: [PATCH] Add support for FIPS-Mode backends - -If host is running in fips mode, then RHEL8.2 and beyond container images -will come with a directory /usr/share/crypto-policies/back-ends/FIPS. -This directory needs to be bind mounted over /etc/crypto-policies/back-ends in -order to make all tools in the container follow the FIPS Mode rules. - -Signed-off-by: Daniel J Walsh ---- - pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++--------- - run_linux.go | 2 +- - 2 files changed, 39 insertions(+), 11 deletions(-) - -diff -up ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go.1784950 ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go ---- buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go.1784950 2020-02-19 16:26:58.582289704 +0100 -+++ buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/pkg/secrets/secrets.go 2020-02-19 16:26:58.584289732 +0100 -@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, - } - - // SecretMounts copies, adds, and mounts the secrets to the container root filesystem -+// Deprecated, Please use SecretMountWithUIDGID - func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount { - return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips) - } - --// SecretMountsWithUIDGID specifies the uid/gid of the owner --func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount { -+// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem -+// mountLabel: MAC/SELinux label for container content -+// containerWorkingDir: Private data for storing secrets on the host mounted in container. -+// mountFile: Additional mount points required for the container. -+// mountPoint: Container image mountpoint -+// uid: to assign to content created for secrets -+// gid: to assign to content created for secrets -+// rootless: indicates whether container is running in rootless mode -+// disableFips: indicates whether system should ignore fips mode -+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount { - var ( - secretMounts []rspec.Mount - mountFiles []string -@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, - } - for _, file := range mountFiles { - if _, err := os.Stat(file); err == nil { -- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid) -+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid) - if err != nil { - logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err) - } -@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, - // Add FIPS mode secret if /etc/system-fips exists on the host - _, err := os.Stat("/etc/system-fips") - if err == nil { -- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil { -+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil { - logrus.Errorf("error adding FIPS mode secret to container: %v", err) - } - } else if os.IsNotExist(err) { -@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in - - // addSecretsFromMountsFile copies the contents of host directory to container directory - // and returns a list of mounts --func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) { -+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) { - var mounts []rspec.Mount - defaultMountsPaths := getMounts(filePath) - for _, path := range defaultMountsPaths { -@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, - } - - m := rspec.Mount{ -- Source: filepath.Join(mountPrefix, ctrDirOrFile), -+ Source: ctrDirOrFileOnHost, - Destination: ctrDirOrFile, - Type: "bind", - Options: []string{"bind", "rprivate"}, -@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, - // root filesystem if /etc/system-fips exists on hosts. - // This enables the container to be FIPS compliant and run openssl in - // FIPS mode as the host is also in FIPS mode. --func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error { -+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error { - secretsDir := "/run/secrets" - ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir) - if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { - if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { -- return errors.Wrapf(err, "making container directory on host failed") -+ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost) - } - if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { -- return errors.Wrap(err, "error applying correct labels") -+ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost) - } - } - fipsFile := filepath.Join(ctrDirOnHost, "system-fips") -@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M - - if !mountExists(*mounts, secretsDir) { - m := rspec.Mount{ -- Source: filepath.Join(mountPrefix, secretsDir), -+ Source: ctrDirOnHost, - Destination: secretsDir, - Type: "bind", - Options: []string{"bind", "rprivate"}, -@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M - *mounts = append(*mounts, m) - } - -+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" -+ destDir := "/etc/crypto-policies/back-ends" -+ srcOnHost := filepath.Join(mountPoint, srcBackendDir) -+ if _, err := os.Stat(srcOnHost); err != nil { -+ if os.IsNotExist(err) { -+ return nil -+ } -+ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost) -+ } -+ -+ if !mountExists(*mounts, destDir) { -+ m := rspec.Mount{ -+ Source: srcOnHost, -+ Destination: destDir, -+ Type: "bind", -+ Options: []string{"bind", "rprivate"}, -+ } -+ *mounts = append(*mounts, m) -+ } - return nil - } - -diff -up ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go.1784950 ./buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go ---- buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go.1784950 2020-02-19 16:26:58.555289325 +0100 -+++ buildah-9513cb8c7bec0f7789c696aee4d252ebf85194cc/run_linux.go 2020-02-19 16:26:58.557289353 +0100 -@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint - } - - // Get the list of secrets mounts. -- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false) -+ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false) - - // Add temporary copies of the contents of volume locations at the - // volume locations, unless we already have something there. diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec index c4e478b..ff75f7c 100644 --- a/SPECS/buildah.spec +++ b/SPECS/buildah.spec @@ -25,19 +25,20 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl Name: %{repo} Version: 1.11.6 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A command line tool used for creating OCI Images License: ASL 2.0 URL: https://%{name}.io Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch -# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1784950 -# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch -Patch1: buildah-1784950.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1784952 +Patch1: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702 +# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch +Patch2: CVE-2020-1702-1801926.patch # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756986 -# patch: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch -Patch2: buildah-1756986.patch - +# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2181.patch +Patch3: buildah-1756986.patch BuildRequires: golang >= 1.12.12-4 BuildRequires: git BuildRequires: glib2-devel @@ -123,40 +124,46 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install %{_datadir}/%{name}/test %changelog -* Tue Feb 25 2020 Jindrich Novy - 1.11.6-6 +* Mon Feb 24 2020 Jindrich Novy - 1.11.6-7 - fix "COPY command takes long time with buildah" -- Resolves: #1806119 +- Resolves: #1806120 + +* Mon Feb 17 2020 Jindrich Novy - 1.11.6-6 +- fix CVE-2020-1702 +- Resolves: #1801926 -* Wed Feb 19 2020 Jindrich Novy - 1.11.6-5 -- fix "Podman support for FIPS Mode requires a bind mount inside the container" -- Resolves: #1804188 +* Thu Feb 13 2020 Jindrich Novy - 1.11.6-5 +- adding the first phase of FIPS fix +- Related: #1784952 * Wed Dec 11 2019 Jindrich Novy - 1.11.6-4 - compile in FIPS mode -- Related: RHELPLAN-25138 +- Related: RHELPLAN-25139 * Mon Dec 09 2019 Jindrich Novy - 1.11.6-3 - be sure to use golang >= 1.12.12-4 -- Related: RHELPLAN-25138 +- Related: RHELPLAN-25139 -* Sat Dec 07 2019 Jindrich Novy - 1.11.6-2 +* Fri Dec 06 2019 Jindrich Novy - 1.11.6-2 - fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints() - bug reference 1772179 -- Related: RHELPLAN-25138 +- Related: RHELPLAN-25139 * Thu Dec 05 2019 Jindrich Novy - 1.11.6-1 - update to buildah 1.11.6 -- Related: RHELPLAN-25138 +- Related: RHELPLAN-25139 * Thu Nov 21 2019 Jindrich Novy - 1.11.5-1 - update to buildah 1.11.5 -- Related: RHELPLAN-25138 +- Related: RHELPLAN-25139 * Thu Nov 07 2019 Jindrich Novy - 1.11.4-2 - fix %%gobuild macro to not to ignore BUILDTAGS +- Related: RHELPLAN-25139 * Thu Nov 07 2019 Jindrich Novy - 1.11.4-1 - update to 1.11.4 +- Related: RHELPLAN-25139 * Tue Sep 17 2019 Jindrich Novy - 1.9.0-5 - Use autosetup macro again.