Sync from SUSE:ALP:Source:Standard:1.0 google-osconfig-agent revision faf8755ebc72b95cfb44fa6653263111

This commit is contained in:
2026-06-22 10:58:11 +02:00
parent 9342b8f2d6
commit eee3bdfcb4
9 changed files with 449 additions and 184 deletions
+431 -2
View File
@@ -1,3 +1,433 @@
-------------------------------------------------------------------
Wed Jun 17 08:20:00 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Packaging improvements:
* Remove define github project name components no longer needed
* Define shortname corresponding to binary name when different
from package name. Use shortname where applicable to normalize
common lines across Go app packages, similar to name macro.
* Drop BuildRequires: golang-packaging. The original macros for
file movements into GOPATH are obsolete with Go modules. Macro
go_nostrip is no longer needed with current binutils and Go.
* Remove go_nostrip macro which is no longer recommended
* Re-enable binary stripping and debuginfo boo#1210938
* Remove goprep macro which is no longer recommended
* Build PIE with pattern that may become recommended procedure:
%%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
A go toolchain buildmode default config would be preferable
but none exist at this time.
* Drop export CGO_ENABLED="0". Use the default unless there is a
defined requirement or benefit.
* For this package, we were seeing the expected error
"-buildmode=pie requires external (cgo) linking, but cgo is not
enabled" when using buildmode=pie and CGO_ENABLED=0. The error
manifested only on s390x and i586 architectures, which was not
expected. Resolve by using default CGO_ENABLED.
* Remove ldflags -s (Omit symbol table and debug info) and -w
(Omit DWARF symbol table). This information is used to produce
separate debuginfo packages and binaries are stripped for
reduced size by GNU strip during RPM build.
* Remove ldflags -X entry for embedding build version metadata.
This information is embedded in binaries with go1.18+ and
available via go version -m or runtime/debug.ReadBuildInfo().
* Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
* Raise minimum golang API version to 1.25.5 to match go.mod file
* Use single invocation of %setup with -a1 to unpack both tarballs
-------------------------------------------------------------------
Tue Jun 16 08:06:26 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20260615.01
* Upgrade golang.org/x/crypto & golang.org/x/net (#1006)
(bsc#1266171, CVE-2026-39827, CVE-2026-39834, CVE-2026-39828,
CVE-2026-39829, CVE-2026-39831, CVE-2026-42508, CVE-2026-39833,
CVE-2026-39830, CVE-2026-39832, CVE-2026-46597, CVE-2026-46598,
CVE-2026-46595, CVE-2026-39835) (bsc#1266603, CVE-2026-39821)
- from version 20260615.00
* Add unit tests for ospatch_apt_upgrade.go (#938)
-------------------------------------------------------------------
Fri Jun 12 08:59:48 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20260611.00
* Add unit tests for policies/policies.go PART 5 (#998)
- from version 20260610.00
* Add unit tests for policies/policies.go PART 4 (#997)
- from version 20260609.02
* squash commits (#936)
- from version 20260609.01
* Add unit tests for policies/policies.go PART 3 (#996)
- from version 20260609.00
* Add unit tests for policies/policies.go PART 2 (#991)
- from version 20260602.01
* Align format of dates and timestamp collected across Windows packages (#973)
- from version 20260602.00
* Add unit tests for config/config,go (#979)
- from version 20260528.00
* Bump github.com/containerd/containerd (#990)
- from version 20260521.00
* Cover agentconfig functionality by unit tests (#925)
- from version 20260520.04
* Add unit tests for policies/googet.go (#961)
* Bump github.com/go-git/go-git/v5 (#987)
- from version 20260520.02
* Add unit tests for policies/yum.go (#952)
* Add unit tests for policies/apt.go PART 3 (#951)
- from version 20260520.00
* Add unit tests for policies/zypper.go (#953)
- from version 20260519.00
* Add unit tests for policies/policies.go PART 1 (#949)
- from version 20260513.01
* Bump github.com/go-git/go-git/v5 (#981), this also updates
golang.org/x/net to v0.53.0 (bsc#1265762, CVE-2026-33814)
- from version 20260513.00
* upgrade a few packages (#980)
- from version 20260512.02
* Add/improve unit tests for agentendpoint/exec_task.go (#933)
- from version 20260512.01
* Cover google_update.go by unit tests (#941)
- from version 20260512.00
* Change zone for arm64 builds because of stockout (#978)
-------------------------------------------------------------------
Thu May 21 07:39:20 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Add CVE-2026-33186.patch to fix authorization bypass in grpc-go due to improper
validation of the HTTP/2 :path pseudo-header (bsc#1260264, CVE-2026-33186)
-------------------------------------------------------------------
Wed May 13 07:43:51 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20260511.00
* switch to t2a-standard-2 on ARM package build (#977)
- from version 20260505.03
* Cover zypper_patch by unit tests (#958)
- from version 20260505.02
* Remove unused functions DisableAutoUpdates (#970)
- from version 20260505.01
* Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#966)
- from version 20260505.00
* Upgrade a few dependencies across the repo (#968)
+ github.com/go-git/go-git/v5 5.16.2->5.18.0 (bsc#1264923, CVE-2026-41506)
+ github.com/go-jose/go-jose/v4 4.1.3->4.1.4 (bsc#1262926, CVE-2026-34986)
+ github.com/go-viper/mapstructure/v2 2.3.0->2.4.0
+ go.opentelemetry.io/otel 1.40.0->1.41.0
+ go.opentelemetry.io/otel/sdk 1.39.0->1.43.0
- from version 20260504.01
* bump github.com/docker/cli to 29.2.0 (#962)
- from version 20260504.00
* Bump github.com/opencontainers/selinux (#960)
- Add missing CVE reference to previous changelog entry
- Drop CVE-2026-34986.patch, merged upstream
-------------------------------------------------------------------
Mon May 4 08:56:50 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20260428.00
* Add/improve unit tests for agentendpoint/agentendpoint.go (#930)
- from version 20260427.03
* Cover config/file.go by unit tests (#935)
- from version 20260422.01
* Cover patch_linux.go by unit tests (#932)
- from version 20260422.00
* upgrade grpc package in main package and e2e tests (#959)
(bsc#1260264, CVE-2026-33186)
- from version 20260417.04
* Bump OSV-Scalibr version to v0.4.3 (#956)
- from version 20260417.03
* Add unit tests for updates_linux.go (#937)
- from version 20260417.02
* Add zone to CreateDisk step (#955)
- from version 20260417.01
* Change disk type for deb11 (#954)
- from version 20260417.00
* Add unit tests for policies/apt.go PART 1 (#950)
- from version 20260410.02
* Add unit tests for packages/pty_linux.go (#943)
- from version 20260410.01
* fix disk type for arm workflows (#948)
- from version 20260410.00
* Change machine type for arm based workflows (#946)
- Drop CVE-2026-33186.patch, merged upstream
-------------------------------------------------------------------
Mon Apr 27 12:30:24 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Add CVE-2026-34986.patch to fix crafted JWE input with a missing encrypted
key can lead to a denial of service (bsc#1262926, CVE-2026-34986)
-------------------------------------------------------------------
Wed Apr 1 14:16:50 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20260330.00
* bump timeouts for all workflows (#940)
- from version 20260326.00
* Cover exec_resource.go by unit tests (#934)
- from version 20260318.00
* Integrate OSConfig agent with ReportVmInventory (#923)
- from version 20260313.02
* remove cacheonly flag from yum upgrade (#924)
- from version 20260313.01
* conditions python version override (#927)
- from version 20260313.00
* Fix presubmits by explicitly set python version for rpm based systems (#926)
- from version 20260311.00
* Bump osconfig version (#922)
- from version 20260309.02
* Extend OSV scalibr extractor (#921)
- from version 20260309.01
* upgrade golang.org/x/crypto and it's transitive deps (#918)
- from version 20260309.00
* Add purl to pkg info (#920)
- from version 20260306.00
* Add 'Type' field to PkgInfo (#919)
- from version 20260303.01
* Upgrade go.opentelemetry.io/otel/sdk (#913)
- from version 20260303.00
* Bump github.com/vbatts/tar-split from 0.11.5 to 0.12.2 (#908)
- from version 20260302.00
* Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.7 (#906)
- from version 20260126.00
* Bump go.opentelemetry.io/otel/sdk from 1.38.0 to 1.39.0 (#905)
* Bump github.com/sirupsen/logrus (#894)
-------------------------------------------------------------------
Fri Jan 23 14:29:15 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20260119.00
* Bump cloud.google.com/go/storage from 1.56.0 to 1.58.0 (#899)
- Add missing Bugzilla and CVE references for CVE-2023-45288
- Drop CVE-2025-47911.patch, fixed upstream
- Drop CVE-2025-58190.patch, fixed upstream
-------------------------------------------------------------------
Wed Jan 7 11:45:40 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20251230.00
* chore: Migrate gsutil usage to gcloud storage (#904)
- from version 20251223.00
* fix e2e tests for report inventory (#903)
- from version 20251222.01
* Revert "Bump cloud.google.com/go/longrunning from 0.6.3 to 0.7.0 (#882)" (#902)
- from version 20251222.00
* Bump golang to the new version (#900)
- from version 20251218.00
* add new CODEOWNERS (#901)
- from version 20251217.00
* Bump cloud.google.com/go/longrunning from 0.6.3 to 0.7.0 (#882)
- Bump the golang compiler version to 1.24.5
-------------------------------------------------------------------
Tue Dec 9 08:38:50 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20251202.00
* Revert "Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)" (#893)
-------------------------------------------------------------------
Tue Dec 2 12:47:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20251201.00
* Revert "Bump github.com/containerd/containerd (#890)" (#892)
-------------------------------------------------------------------
Thu Nov 27 10:31:37 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20251126.00
* Bump github.com/containerd/containerd (#890)
* Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)
-------------------------------------------------------------------
Fri Nov 7 11:04:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20251028.00
* Bump go.opentelemetry.io/otel/sdk/metric from 1.35.0 to 1.38.0 (#886)
* Bump github.com/tidwall/pretty from 1.2.0 to 1.2.1 (#880)
- from version 20251023.02
* Create multiple_os.yaml (#883)
- from version 20251023.00
* Bump github.com/docker/go-connections from 0.4.0 to 0.6.0 (#877)
* Add test runner for e2e tests (#876)
- Reword previous changelog entry so that the added patches are accepted
-------------------------------------------------------------------
Tue Oct 14 10:56:31 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250925.00
* Bump cloud.google.com/go/auth/oauth2adapt from 0.2.7 to 0.2.8 (#870)
* Bump google.golang.org/protobuf from 1.36.6 to 1.36.9 (#874)
* Bump go.opentelemetry.io/otel from 1.35.0 to 1.38.0 (#872)
* Bump github.com/golang/glog from 1.2.4 to 1.2.5 (#830)
-------------------------------------------------------------------
Wed Oct 8 16:20:08 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Add CVE-2025-47911.patch to fix an issue in the HTML parser where a large
number of open elements can cause the parser to become extremely slow by
limiting the stack size of open elements (bsc#1251453, CVE-2025-47911)
- Add CVE-2025-58190.patch to fix an issue in the HTML parser where a specific
HTML document can cause the parser to enter an infinite loop when trying
to parse a </tbody> and implied </tr> next to each other.
(bsc#1251704, CVE-2025-58190)
-------------------------------------------------------------------
Tue Sep 16 12:12:32 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250902.01
* Bump github.com/googleapis/enterprise-certificate-proxy (#829)
- from version 20250902.00
* update github.com/go-jose/go-jose/v4 (#869)
* Upgrade scalibr and other deps (#866)
- from version 20250901.00
* Fix possibility of path traversal for zip and tar archival (#868)
- from version 20250825.00
* set CODEOWNERS file as required by org (#863)
- from version 20250819.00
* Fix/rhel10 build centos image (#860)
- from version 20250814.00
* Fix/rhel10 build image (#859)
- from version 20250813.00
* Fix: Add RHEL 10 support to RPM startup script (#858)
- from version 20250811.00
* Remove old/sles-15-sp4-sap as image is deprecated (#857)
-------------------------------------------------------------------
Mon Aug 11 13:30:16 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250806.00
* Fixed JSON identifier for the universe domain (#855)
- from version 20250729.00
* Bump github.com/google/s2a-go from 0.1.8 to 0.1.9 (#828)
- from version 20250725.02
* Update utils.go (#854)
* Upgrade golang.org/x/oauth2 package to the latest. (#853)
* Bump golang.org/x/time from 0.9.0 to 0.12.0 (#839)
- from version 20250725.01
* Bump golang.org/x/oauth2 (#848)
* Port fix for debian 11 to goo package manager. (#852)
- from version 20250725.00
* Update Golang version in common.sh and skip backports
repo for debian 11 (#850)
- from version 20250723.01
* Add workflows to build package for el10 (#849)
- from version 20250721.00
* Make OS Config agent TPC aware (#846)
- from version 20250718.00
* Create workflows for new Debian 13. (#847)
- Drop CVE-2025-22868.patch, merged upstream
-------------------------------------------------------------------
Fri Jul 11 11:51:22 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250703.00
* Fix sles images (#844)
- from version 20250702.00
* Remove rhel-sap 8-4 add rhel-sap 8-10 (#843)
- from version 20250701.00
* Bump the go_modules group across 1 directory with 2 updates (#840)
-------------------------------------------------------------------
Wed Jun 25 11:23:00 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250606.00
* Change base docker images Google's official base images. (#838)
-------------------------------------------------------------------
Thu Jun 12 13:35:19 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250416.02 (bsc#1244304, bsc#1244503)
-------------------------------------------------------------------
Wed May 28 09:01:24 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250523.01
* Add a simple no-op OS policy for user testing (#837)
- from version 20250523.00
* Introduce scalibr inventory extractor for dpkg/rpm/cos
os/filesystem extractors (linux) (#834)
* Trace GetInstalledPackages memory levels (#835)
- from version 20250520.00
* Trace GetInstalledPackages memory levels (#835)
-------------------------------------------------------------------
Wed May 14 08:37:59 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250513.00
* Fix rpm extractor, handle (none) value correctly. (#833)
- from version 20250512.01
* Bump github.com/envoyproxy/go-control-plane from 0.13.1 to 0.13.4 (#816)
- from version 20250512.00
* Bump golang.org/x/net from 0.39.0 to 0.40.0 (#819)
- from version 20250508.01
* cosmetic refactoring to osinfo package (#826)
- from version 20250508.00
* Refactor /inventory with dependency injection (#825)
* Add debian, ubuntu (InstalledDebPackages) snapshots (#821)
* cover packages_linux.go file with tests (#824)
* Add debian (10,11,12) GetPackageUpdates output snapshots (#822)
- from version 20250507.00
* Add InstalledRPMPackages snapshot tests (#823)
- from version 20250506.02
* Yum tests: simplify initialization of exit errors (#820)
- from version 20250506.01
* Improve test coverage for gem package manager (#818)
- from version 20250506.00
* after go/x/crypto update 0.32.0 -> 0.37.0 (#817)
- from version 20250505.01
* Improve packages package coverage (#814)
* Bump golang.org/x/net from 0.34.0 to 0.39.0 (#807)
- from version 20250505.00
* Bump golang.org/x/crypto from 0.32.0 to 0.37.0 (#806)
- from version 20250430.00
* Snapshot YumUpdates (GetPackageUpdates) output (#813)
- from version 20250428.00
* Snapshot ZypperPatches, ZypperUpdates (GetPackageUpdates) output
for sles 12, 15 testdata (#812)
- from version 20250423.00
* Introduce MatchSnapshot large test results matcher function, snapshot
apt-deb GetPackageUpdates (#811)
- from version 20250416.02
* defaultSleeper: tolerate 10% difference to reduce test flakiness (#810)
* Add output of some packagemanagers to the testdata (#808)
- from version 20250416.01
* Refactor OS Info package (#809)
- from version 20250416.00
* Report RPM inventory as YUM instead of empty SoftwarePackage
when neither Zypper nor YUM are installed. (#805)
- from version 20250414.00
* Update hash computation algorithm (#799)
-------------------------------------------------------------------
Mon Apr 14 08:11:40 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20250320.00
* Bump github.com/envoyproxy/protoc-gen-validate from 1.1.0 to 1.2.1 (#797)
- from version 20250318.00
* Bump go.opentelemetry.io/otel/sdk/metric from 1.32.0 to 1.35.0 (#793)
- from version 20250317.02
* Bump cel.dev/expr from 0.18.0 to 0.22.0 (#792)
* Bump github.com/golang/glog from 1.2.3 to 1.2.4 in the go_modules group (#785)
- from version 20250317.01
* Bump cloud.google.com/go/logging from 1.12.0 to 1.13.0 (#774)
- from version 20250317.00
* Add tests for retryutil package. (#795)
- from version 20250306.00
* Update OWNERS (#794)
- from version 20250206.01
* Use separate counters for pre- and post-patch reboots. (#788)
- from version 20250206.00
* Update owners (#789)
- from version 20250203.00
* Fix the vet errors for contants in logging (#786)
- from version 20250122.00
* change available package check (#783)
- from version 20250121.00
* Fix Inventory reporting e2e tests. (#782)
- from version 20250120.00
* fix e2e tests (#781)
- Add -buildmode=pie to go build command line (bsc#1239948)
- Drop CVE-2024-45339.patch, merged upstream
- Renumber patches
-------------------------------------------------------------------
Tue Mar 11 11:28:22 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
@@ -314,7 +744,7 @@ Thu May 16 12:33:50 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
* Updating dependencies and respective checksums (#556)
- from version 20240501.01
* Update go.mod (#554)
- from version 20240501.00
- from version 20240501.00 (bsc#1236533, CVE-2023-45288)
* Bump golang.org/x/net from 0.17.0 to 0.23.0 (#542)
- from version 20240430.01
* Remove SBOM generation logic from package build workflows (#553)
@@ -455,7 +885,6 @@ Thu Aug 31 12:31:38 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
* Added burov, dowgird, paulinakania and Gulio to OWNERS (#482)
-------------------------------------------------------------------
Fri Jul 7 09:33:36 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 20230706.02 (bsc#1212418, bsc#1212759)
+9 -27
View File
@@ -16,51 +16,33 @@
#
%global provider github
%global provider_tld com
%global project GoogleCloudPlatform
%global repo osconfig
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%define shortname osconfig
Name: google-osconfig-agent
Version: 20250115.01
Version: 20260615.01
Release: 0
Summary: Google Cloud Guest Agent
License: Apache-2.0
Group: System/Daemons
URL: https://%{provider_prefix}
Source0: %{repo}-%{version}.tar.gz
Source0: %{shortname}-%{version}.tar.gz
Source1: vendor.tar.gz
Source2: rpmlintrc
# PATCH-FIX-UPSTREAM - gh/golang/glog#74 - Fix vulnerability when creating log files (CVE-2024-45339)
Patch0: CVE-2024-45339.patch
# PATCH-FIX-UPSTREAM - Fix unexpected memory consumption during token parsing in golang.org/x/oauth2
Patch1: CVE-2025-22868.patch
BuildRequires: golang(API) >= 1.22.4
BuildRequires: golang-packaging
BuildRequires: golang(API) >= 1.25.5
Requires: google-guest-configs
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{go_nostrip}
%{go_provides}
%description
Google Cloud OSConfig Agent
%prep
%setup -q -n %{repo}-%{version}
%setup -q -D -T -a 1 -n %{repo}-%{version}
%patch -P0 -p0
pushd vendor/golang.org/x/oauth2
%patch -P1 -p1
popd
%setup -n %{shortname}-%{version} -a1
%build
%goprep %{import_path}
CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=%{version}-%{release}" -mod=vendor -o google_osconfig_agent
%ifnarch ppc64
export GOFLAGS="-buildmode=pie"
%endif
go build -o google_osconfig_agent
%install
install -d %{buildroot}%{_bindir}
+3 -3
View File
@@ -3,8 +3,8 @@
<param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20250115.01</param>
<param name="revision">20250115.01</param>
<param name="versionformat">20260615.01</param>
<param name="revision">20260615.01</param>
<param name="changesgenerate">enable</param>
</service>
<service name="recompress" mode="disabled">
@@ -15,6 +15,6 @@
<param name="basename">osconfig</param>
</service>
<service name="go_modules" mode="disabled">
<param name="archive">osconfig-20250115.01.tar.gz</param>
<param name="archive">osconfig-20260615.01.tar.gz</param>
</service>
</services>
+1 -1
View File
@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
<param name="changesrevision">61118e25e4aa0e456a6b960d6e6f8bdcb4b678a2</param></service></servicedata>
<param name="changesrevision">5b74d2e70f06700a7a5b1901efd6f602d6ad0b84</param></service></servicedata>
-105
View File
@@ -1,105 +0,0 @@
diff -Nru vendor.orig/github.com/golang/glog/glog_file.go vendor/github.com/golang/glog/glog_file.go
--- vendor.orig/github.com/golang/glog/glog_file.go 2025-01-27 09:02:41.000000000 +0100
+++ vendor/github.com/golang/glog/glog_file.go 2025-02-17 10:28:28.777320262 +0100
@@ -116,32 +116,53 @@
// contains tag ("INFO", "FATAL", etc.) and t. If the file is created
// successfully, create also attempts to update the symlink for that tag, ignoring
// errors.
-func create(tag string, t time.Time) (f *os.File, filename string, err error) {
+func create(tag string, t time.Time, dir string) (f *os.File, filename string, err error) {
+ if dir != "" {
+ f, name, err := createInDir(dir, tag, t)
+ if err == nil {
+ return f, name, err
+ }
+ return nil, "", fmt.Errorf("log: cannot create log: %v", err)
+ }
+
onceLogDirs.Do(createLogDirs)
if len(logDirs) == 0 {
return nil, "", errors.New("log: no log dirs")
}
- name, link := logName(tag, t)
var lastErr error
for _, dir := range logDirs {
- fname := filepath.Join(dir, name)
- f, err := os.Create(fname)
+ f, name, err := createInDir(dir, tag, t)
if err == nil {
- symlink := filepath.Join(dir, link)
- os.Remove(symlink) // ignore err
- os.Symlink(name, symlink) // ignore err
- if *logLink != "" {
- lsymlink := filepath.Join(*logLink, link)
- os.Remove(lsymlink) // ignore err
- os.Symlink(fname, lsymlink) // ignore err
- }
- return f, fname, nil
+ return f, name, err
}
lastErr = err
}
return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr)
}
+func createInDir(dir, tag string, t time.Time) (f *os.File, name string, err error) {
+ name, link := logName(tag, t)
+ fname := filepath.Join(dir, name)
+ // O_EXCL is important here, as it prevents a vulnerability. The general idea is that logs often
+ // live in an insecure directory (like /tmp), so an unprivileged attacker could create fname in
+ // advance as a symlink to a file the logging process can access, but the attacker cannot. O_EXCL
+ // fails the open if it already exists, thus prevent our this code from opening the existing file
+ // the attacker points us to.
+ f, err = os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
+ if err == nil {
+ symlink := filepath.Join(dir, link)
+ os.Remove(symlink) // ignore err
+ os.Symlink(name, symlink) // ignore err
+ if *logLink != "" {
+ lsymlink := filepath.Join(*logLink, link)
+ os.Remove(lsymlink) // ignore err
+ os.Symlink(fname, lsymlink) // ignore err
+ }
+ return f, fname, nil
+ }
+ return nil, "", err
+}
+
// flushSyncWriter is the interface satisfied by logging destinations.
type flushSyncWriter interface {
Flush() error
@@ -248,6 +269,7 @@
names []string
sev logsink.Severity
nbytes uint64 // The number of bytes written to this file
+ madeAt time.Time
}
func (sb *syncBuffer) Sync() error {
@@ -255,9 +277,14 @@
}
func (sb *syncBuffer) Write(p []byte) (n int, err error) {
+ // Rotate the file if it is too large, but ensure we only do so,
+ // if rotate doesn't create a conflicting filename.
if sb.nbytes+uint64(len(p)) >= MaxSize {
- if err := sb.rotateFile(time.Now()); err != nil {
- return 0, err
+ now := timeNow()
+ if now.After(sb.madeAt.Add(1*time.Second)) || now.Second() != sb.madeAt.Second() {
+ if err := sb.rotateFile(now); err != nil {
+ return 0, err
+ }
}
}
n, err = sb.Writer.Write(p)
@@ -275,7 +302,8 @@
func (sb *syncBuffer) rotateFile(now time.Time) error {
var err error
pn := "<none>"
- file, name, err := create(sb.sev.String(), now)
+ file, name, err := create(sb.sev.String(), now, "")
+ sb.madeAt = now
if sb.file != nil {
// The current log file becomes the previous log at the end of
-41
View File
@@ -1,41 +0,0 @@
From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
From: Neal Patel <nealpatel@google.com>
Date: Thu, 30 Jan 2025 14:10:09 -0500
Subject: [PATCH] jws: split token into fixed number of parts
Thanks to 'jub0bs' for reporting this issue.
Fixes #71490
Fixes CVE-2025-22868
Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
jws/jws.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jws/jws.go b/jws/jws.go
index 9501564..6f03a49 100644
--- a/jws/jws.go
+++ b/jws/jws.go
@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
// Verify tests whether the provided JWT token's signature was produced by the private key
// associated with the supplied public key.
func Verify(token string, key *rsa.PublicKey) error {
- parts := strings.Split(token, ".")
- if len(parts) != 3 {
+ if strings.Count(token, ".") != 2 {
return errors.New("jws: invalid token received, token must have 3 parts")
}
+ parts := strings.SplitN(token, ".", 3)
signedContent := parts[0] + "." + parts[1]
signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil {
--
2.48.1
Binary file not shown.
Binary file not shown.
BIN
View File
Binary file not shown.