diff --git a/.buildah.metadata b/.buildah.metadata
index b4e4c93..524f7f1 100644
--- a/.buildah.metadata
+++ b/.buildah.metadata
@@ -1 +1 @@
-d3fcf1950a92f35210dc390cde164f6e428826d1 SOURCES/buildah-e94b4f9.tar.gz
+d8c4ecf4ff637f6341209f8ae685caae51c77fc7 SOURCES/buildah-00eb895.tar.gz
diff --git a/.gitignore b/.gitignore
index 875c12c..446fb64 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/buildah-e94b4f9.tar.gz
+SOURCES/buildah-00eb895.tar.gz
diff --git a/SOURCES/buildah-CVE-2019-10214.patch b/SOURCES/buildah-CVE-2019-10214.patch
new file mode 100644
index 0000000..ea2cb77
--- /dev/null
+++ b/SOURCES/buildah-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go
+--- buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 16:01:08.889098180 +0200
++++ buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 16:01:08.890098192 +0200
+@@ -523,11 +523,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index a0fd7c0..bb5c921 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
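Review bot: In SOURCES/buildah-CVE-2019-10214.patch, the new call `res, err := c.client.Do(authReq)` in getBearerToken replaces the old TODO with nothing, so the code no longer says why the token request must go through the shared client. The request carries Basic credentials (`authReq.SetBasicAuth(c.username, c.password)` just above), and whether the token endpoint's certificate is verified now depends entirely on how `c.client` is built, which is outside this hunk. That client is presumably configured for the registry, so it is worth confirming that verification is relaxed there only when the user explicitly asked for it. I would add above the call `// Reuse c.client so the token endpoint gets the same TLS verification as the registry (CVE-2019-10214); do not build a separate transport here.` The body of getBearerToken starts and ends outside the hunk.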
@@ -5,47 +5,46 @@ %global _find_debuginfo_dwz_opts %{nil} %global _dwz_low_mem_die_limit 0 %else -%global debug_package %{nil} +%global debug_package %{nil} %endif %if 0%{?rhel} > 7 && ! 0%{?fedora} %define gobuild(o:) \ -go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; +go build -buildmode pie -compiler gc -tags="rpm_crashtraceback seccomp selinux ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; %endif # distro -%global provider github -%global provider_tld com -%global project containers -%global repo buildah -# https://github.com/projectatomic/buildah -%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} -%global import_path %{provider_prefix} -%global commit e94b4f98048e7371685731b97eefd6265e2f1fb3 -%global shortcommit %(c=%{commit}; echo ${c:0:7}) - -Name: %{repo} -Version: 1.5 -Release: 3.git%{shortcommit}%{?dist} -Summary: A command line tool used for creating OCI Images -License: ASL 2.0 -URL: https://%{provider_prefix} -Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz +%global provider github +%global provider_tld com +%global project containers +%global repo buildah +# https://github.com/containers/buildah +%global import_path %{provider}.%{provider_tld}/%{project}/%{repo} +%global commit 00eb895d6f2f13d658a9cb78714382e494974afc +%global shortcommit %(c=%{commit}; echo ${c:0:7}) + +Name: %{repo} +Version: 1.9.0 +Release: 5%{?dist} +Summary: A command line tool used for creating OCI Images +License: ASL 2.0 +URL: https://%{name}.io +Source0: https://%{import_path}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +Patch0: buildah-CVE-2019-10214.patch ExclusiveArch: x86_64 %{arm} aarch64 ppc64le s390x # 
If go_compiler is not set to 1, there is no virtual provide. Use golang instead. -BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} -BuildRequires: git -BuildRequires: glib2-devel -BuildRequires: ostree-devel -BuildRequires: glibc-static -BuildRequires: go-md2man -BuildRequires: gpgme-devel -BuildRequires: device-mapper-devel -BuildRequires: libassuan-devel -BuildRequires: libseccomp-devel -Requires: runc >= 1.0.0-26 -Requires: containers-common -Requires: container-selinux -Provides: %{repo} = %{version}-%{release} +BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} +BuildRequires: git +BuildRequires: glib2-devel +BuildRequires: ostree-devel +BuildRequires: glibc-static +BuildRequires: go-md2man +BuildRequires: gpgme-devel +BuildRequires: device-mapper-devel +BuildRequires: libassuan-devel +BuildRequires: libseccomp-devel +Requires: runc >= 1.0.0-26 +Requires: containers-common +Requires: container-selinux %description The %{name} package provides a command line tool which can be used to @@ -56,9 +55,22 @@ or * save container's root file system layer to create a new image * delete a working container or an image +%package tests +Summary: Tests for %{name} +Requires: %{name} = %{version}-%{release} +Requires: bzip2 +Requires: podman +Requires: golang + +%description tests +%{summary} + +This package contains system tests for %{name} + %prep %autosetup -Sgit -n %{name}-%{commit} + %build mkdir _build pushd _build 
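Review bot: `Patch0: buildah-CVE-2019-10214.patch` is added with no comment recording where the fix comes from, and the patch file itself is a bare `diff -up` with no description header. For a security patch carried downstream against a vendored copy, the next person rebasing needs to know which upstream change it mirrors and when it can be dropped. I would add above the Patch0 line `# CVE-2019-10214 (#1734653): backport of upstream containers/image fix <UPSTREAM_COMMIT>; drop once the vendored copy includes it`, filling in the placeholder with the real upstream reference.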
@@ -68,15 +80,20 @@ popd mv vendor src -export GOPATH=$(pwd)/_build:$(pwd):%{gopath} -export BUILDTAGS='seccomp exclude_graphdriver_btrfs' +export GOPATH=$(pwd)/_build:$(pwd) +export BUILDTAGS='seccomp selinux exclude_graphdriver_btrfs' %gobuild -o %{name} %{import_path}/cmd/%{name} +make imgtype make docs %install export GOPATH=$(pwd)/_build:$(pwd):%{gopath} make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions +install -d -p %{buildroot}/%{_datadir}/%{name}/test/system +cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system +cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype + #define license tag if not already defined %{!?_licensedir:%global license %doc} @@ -89,7 +106,33 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/%{name} +%files tests +%license LICENSE +%{_bindir}/%{name}-imgtype +%{_datadir}/%{name}/test + %changelog +* Tue Sep 17 2019 Jindrich Novy - 1.9.0-5 +- Use autosetup macro again. + +* Thu Sep 12 2019 Jindrich Novy - 1.9.0-4 +- Fix CVE-2019-10214 (#1734653). + +* Sat Jun 15 2019 Lokesh Mandvekar - 1.9.0-3 +- Resolves: #1721247 - enable fips mode + +* Sat Jun 15 2019 Lokesh Mandvekar - 1.9.0-2 +- Resolves: #1720654 - tests subpackage depends on golang explicitly + +* Sat Jun 15 2019 Lokesh Mandvekar - 1.9.0-1 +- Resolves: #1720654 - rebase to v1.9.0 + +* Fri Jun 14 2019 Lokesh Mandvekar - 1.8.3-1 +- Resolves: #1720654 - rebase to v1.8.3 + +* Tue Apr 9 2019 Eduardo Santiago - 1.8-0.git021d607 +- package system tests + * Tue Dec 18 2018 Frantisek Kluknavsky - 1.5-3.gite94b4f9 - re-enable debuginfo 
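Review bot: `%build` now exports `GOPATH=$(pwd)/_build:$(pwd)`, but the unchanged `%install` line still exports `GOPATH=$(pwd)/_build:$(pwd):%{gopath}`, so the two phases resolve Go packages differently. If `make install` compiles anything (the Makefile is not visible here, so this is inferred), it could pick up system-wide packages from `%{gopath}` instead of the vendored, patched sources. I would make `%install` match with `export GOPATH=$(pwd)/_build:$(pwd)`. Separately, `cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype` leaves the installed mode to the umask; `install -p -m 0755 imgtype %{buildroot}/%{_bindir}/%{name}-imgtype` would set it explicitly.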
@@ -608,7 +651,7 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions - Bump for inclusion of OCI 1.0 Runtime and Image Spec * Tue Jul 18 2017 Dan Walsh 0.2.0-1.gitac2aad6 -- buildah run: Add support for -- ending options parsing +- buildah run: Add support for -- ending options parsing - buildah Add/Copy support for glob syntax - buildah commit: Add flag to remove containers on commit - buildah push: Improve man page and help information