diff --git a/CVE-2021-29136.patch b/CVE-2021-29136.patch
deleted file mode 100644
index ea0e0578d37305be2d689158d105a271e819fee2..0000000000000000000000000000000000000000
--- a/CVE-2021-29136.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai
-Date: Wed, 24 Mar 2021 00:17:06 +1100
-Subject: [PATCH] layer: don't permit / type to be changed on extraction
-
-If users can change the type of / to a symlink, they can cause umoci to
-overwrite host files. This is obviously bad, and is not caught by the
-rest of our directory escape detection code because the root itself has
-been changed to a different directory.
-
-Fixes: CVE-2021-29136
-Reported-by: Robin Peraglie
-Tested-by: Daniel Dao
-Reviewed-by: Tycho Andersen
-Signed-off-by: Aleksa Sarai
----
- oci/layer/tar_extract.go | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
-index 1b8c3d67..d7414105 100644
---- a/oci/layer/tar_extract.go
-+++ b/oci/layer/tar_extract.go
-@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
- if filepath.Join("/", hdr.Name) == "/" {
- // If we got an entry for the root, then unsafeDir is the full path.
- unsafeDir, file = hdr.Name, "."
-+ // If we're being asked to change the root type, bail because they may
-+ // change it to a symlink which we could inadvertently follow.
-+ if hdr.Typeflag != tar.TypeDir {
-+ return errors.New("malicious tar entry -- refusing to change type of root directory")
-+ }
- }
- dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
- if err != nil {
diff --git a/fix-bad-build-flags.patch b/fix-bad-build-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ca269d9fa8262e505d3abceba8ab8e141e950f95
--- /dev/null
+++ b/fix-bad-build-flags.patch
@@ -0,0 +1,53 @@
+From a5d1ee156b76c4f823ae2554a0fd2e2ab9aaccaa Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 8 Apr 2021 18:55:40 +1000
+Subject: [PATCH] makefile: fix bad build flags
+
+Fix mistake in the Makefile which prevents the version field (as well as
+some other build flags) from being passed to "go build". Update the
+"runc --version" integration test to make sure that the contents of
+VERSION are actually present.
+
+Fixes: 6fbd32e48b66 ("Make Makefile more portable")
+Signed-off-by: Aleksa Sarai
+---
+ Makefile | 2 +-
+ test/help.bats | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d760e928..1fdcf650 100644
+--- a/Makefile
++++ b/Makefile
+@@ -71,7 +71,7 @@ BASE_LDFLAGS := -s -w -X ${PROJECT}.gitCommit=${COMMIT} -X ${PROJECT}.version=${
+ 
+ # Specific build flags for build type.
+ ifeq ($(GOOS), linux)
+- TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test" DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
++ DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
+ TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test"
+ else
+ DYN_BUILD_FLAGS := ${BASE_FLAGS} -ldflags "${BASE_LDFLAGS}"
+diff --git a/test/help.bats b/test/help.bats
+index 3d6dc975..a3826435 100644
+--- a/test/help.bats
++++ b/test/help.bats
+@@ -17,13 +17,15 @@
+ load helpers
+ 
+ @test "umoci --version" {
++ VERSION="$(cat "$INTEGRATION_ROOT/../VERSION")"
++
+ umoci --version
+ [ "$status" -eq 0 ]
+- [[ "$output" =~ "umoci version "+ ]]
++ [[ "$output" =~ "umoci version $VERSION"+ ]]
+ 
+ umoci -v
+ [ "$status" -eq 0 ]
+- [[ "$output" =~ "umoci version "+ ]]
++ [[ "$output" =~ "umoci version $VERSION"+ ]]
+ }
+ 
+ @test "umoci --help" {
+
\ No newline at end of file
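Review bot: The removed Makefile line shows the real scope of the bug: `TEST_BUILD_FLAGS := ...` swallowed the trailing `DYN_BUILD_FLAGS := ...` text into its own value, so on linux `DYN_BUILD_FLAGS` was never set and, if the umoci target consumes it (that rule is outside this hunk), earlier builds received neither the `-s -w -X ...version=` ldflags nor `-buildmode=pie`. That makes this more than a cosmetic version fix: the 0.4.7-2 binary should be checked for PIE (`readelf -h umoci | grep Type` should report `DYN`) and a populated `umoci --version`, since the previous package may have shipped a non-PIE executable. Separately, in the bats hunk the unquoted `+` in `[[ "$output" =~ "umoci version $VERSION"+ ]]` quantifies only the last character of the quoted literal, so the test also accepts `umoci version 0.4.77`; `[[ "$output" == "umoci version $VERSION"* ]]` would be tighter, but as a verbatim carry of upstream a5d1ee1 that is better raised upstream than changed in the backport. The `@test "umoci --help"` block at the end of the hunk continues outside it.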
diff --git a/umoci.spec b/umoci.spec
index 2e51e0a62938cf4ed55c1fcad8070363de012a7a..e2447e04ef3ce04492a9554a6afba5bc4df59c2a 100644
--- a/umoci.spec
+++ b/umoci.spec
@@ -3,14 +3,14 @@
 %define tempdir github.com/openSUSE/umoci
 Name: umoci
-Version: 0.4.5
-Release: 5
+Version: 0.4.7
+Release: 2
 Summary: Open Container Image manipulation tool
-License: Apache-2.0
+License: ISC and MIT and Apache-2.0
 URL: https://github.com/opencontainers/umoci
-Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz
+Source0: https://github.com/opencontainers/umoci/archive/v0.4.7.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
-Patch0: CVE-2021-29136.patch
+Patch0000: fix-bad-build-flags.patch
 BuildRequires: fdupes go >= 1.6
 %description
@@ -35,7 +35,7 @@ mkdir -pv $HOME/go/src/%{tempdir}
 rm -rf $HOME/go/src/%{tempdir}/*
 cp -ar * $HOME/go/src/%{tempdir}
 make umoci
-make local-doc
+make docs
 %install
 install -D -m 0755 %{name} %{buildroot}/%{_bindir}/%{name}
@@ -55,6 +55,12 @@ done
 %{_mandir}/man1/umoci*
 %changelog
+* Tue Feb 15 2022 caodongxia - 0.4.7-2
+- fix bad build flags
+
+* Tue Jan 18 2022 SimpleUpdate Robot - 0.4.7-1
+- Upgrade to version 0.4.7
+
 * Fri Apr 16 2021 wangyue - 0.4.5-5
 - Fix CVE-2021-29136
diff --git a/v0.4.5.tar.gz b/v0.4.5.tar.gz
deleted file mode 100644
index 5cc9059519e1c6dd5f16d61b7ae5669db8c33b38..0000000000000000000000000000000000000000
Binary files a/v0.4.5.tar.gz and /dev/null differ
diff --git a/v0.4.7.tar.gz b/v0.4.7.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..dffa19e82112d3fa695b21223fefeb22771e9535
Binary files /dev/null and b/v0.4.7.tar.gz differ
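Review bot: The `Patch0: CVE-2021-29136.patch` line is dropped without the changelog saying why; presumably v0.4.7 already carries upstream commit d9efc31 (the fix that patch backported), but the 0.4.7-1 entry only says "Upgrade to version 0.4.7", so add a line such as `- Drop CVE-2021-29136.patch, fixed upstream in 0.4.7` after confirming `oci/layer/tar_extract.go` in the new tarball contains the root-type check. The tag is also renamed from `Patch0` to `Patch0000`; %prep is outside these hunks, so verify that the matching `%patch0000 -p1` (or `%autosetup -p1`) line is present, otherwise fix-bad-build-flags.patch is declared but never applied. Finally, Source0 is swapped to a new release tarball with no checksum or signature recorded in the spec, so the tarball's provenance rests solely on the committed v0.4.7.tar.gz; noting its sha256 in the changelog, or verifying it against the upstream signed release before committing, would close that gap.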