From 2b02b1df903834f0bdc15da93278d8a1a2ce7c29 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Fri, 16 Apr 2021 11:39:06 +0800
Subject: [PATCH] Fix CVE-2021-29136

(cherry picked from commit 4fd8a04a2ddd59c910145e5acc0f51084c5346e4)
---
 CVE-2021-29136.patch | 35 +++++++++++++++++++++++++++++++++++
 umoci.spec | 6 +++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-29136.patch

diff --git a/CVE-2021-29136.patch b/CVE-2021-29136.patch
new file mode 100644
index 0000000..ea0e057
--- /dev/null
+++ b/CVE-2021-29136.patch
@@ -0,0 +1,35 @@
+From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Wed, 24 Mar 2021 00:17:06 +1100
+Subject: [PATCH] layer: don't permit / type to be changed on extraction
+
+If users can change the type of / to a symlink, they can cause umoci to
+overwrite host files. This is obviously bad, and is not caught by the
+rest of our directory escape detection code because the root itself has
+been changed to a different directory.
+
+Fixes: CVE-2021-29136
+Reported-by: Robin Peraglie
+Tested-by: Daniel Dao
+Reviewed-by: Tycho Andersen
+Signed-off-by: Aleksa Sarai
+---
+ oci/layer/tar_extract.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
+index 1b8c3d67..d7414105 100644
+--- a/oci/layer/tar_extract.go
++++ b/oci/layer/tar_extract.go
+@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
+ if filepath.Join("/", hdr.Name) == "/" {
+ // If we got an entry for the root, then unsafeDir is the full path.
+ unsafeDir, file = hdr.Name, "."
++ // If we're being asked to change the root type, bail because they may
++ // change it to a symlink which we could inadvertently follow.
++ if hdr.Typeflag != tar.TypeDir {
++ return errors.New("malicious tar entry -- refusing to change type of root directory")
++ }
+ }
+ dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
+ if err != nil {
diff --git a/umoci.spec b/umoci.spec
index 4064438..0055e4f 100644
--- a/umoci.spec
+++ b/umoci.spec
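Review bot: The embedded guard `if hdr.Typeflag != tar.TypeDir { return errors.New(...) }` is carried into the package with nothing that exercises it — the inner diffstat touches only `oci/layer/tar_extract.go`, so a future rebase of this patch file could silently drop the check without any build or test noticing. A small regression test that calls `UnpackEntry` with a header whose `Name` cleans to `/` and `Typeflag: tar.TypeSymlink`, asserting a non-nil error, would pin the fix; if the distro spec has a `%check` section, that is the place to run it. The check sits after `unsafeDir, file = hdr.Name, "."` and before `securejoin.SecureJoinVFS`, which from the visible lines looks right because nothing has been written yet, but `UnpackEntry` begins and ends outside this hunk so that ordering is inferred. It would also help to note in the patch file header which upstream release this was backported from, since the `@@ -404,6 +404,11 @@` offsets are for the upstream tree rather than the 0.4.5 tarball this spec builds.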
@@ -4,12 +4,13 @@
 Name: umoci
 Version: 0.4.5
-Release: 3
+Release: 4
 Summary: Open Container Image manipulation tool
 License: Apache-2.0
 URL: https://github.com/opencontainers/umoci
 Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz
 BuildRequires: fdupes go >= 1.6 go-md2man
+Patch0: CVE-2021-29136.patch
 
 %description
 Umoci modifies Open Container images. Umoci intends to be a complete manipulation tool for OCI images.
@@ -48,6 +49,9 @@ done
 %{_mandir}/man1/umoci*
 
 %changelog
+* Fri Apr 16 2021 wangyue - 0.4.5-4
+- Fix CVE-2021-29136
+
 * Wed Sep 9 2020 Ge Wang - 0.4.5-3
 - Modify Source0 Url
 
-- 
Gitee
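Review bot: `+Patch0: CVE-2021-29136.patch` only declares the patch; whether it is actually applied depends on the `%prep` section, which this diff does not touch. If `%prep` uses `%autosetup` (with a matching `-p1`) the patch is picked up automatically, but with a plain `%setup` a `%patch0 -p1` line is also required, and without it the build still succeeds while the changelog entry on this same line claims a fix the shipped binary does not contain. Please confirm `%prep` in the part of the spec outside this hunk before merging, and consider having `%check` run the upstream unit tests so a silently unapplied patch fails the build. The `Release: 3` → `4` bump and the changelog hunk are fine as is.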