Compare commits


No commits in common. "factory" and "devel" have entirely different histories.

12 changed files with 117 additions and 1161 deletions


@ -0,0 +1,84 @@
From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
Date: Sun, 30 Jun 2024 16:09:52 +0200
Subject: [PATCH] Backport fix for CVE-2024-6104
This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
applied to the vendor/ source tree
See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
---
.../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index 12ac50bcc..efee53c40 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil {
switch v := logger.(type) {
case LeveledLogger:
- v.Debug("performing request", "method", req.Method, "url", req.URL)
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
case Logger:
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
}
}
@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil {
switch v := logger.(type) {
case LeveledLogger:
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
case Logger:
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
}
} else {
// Call this here to maintain the behavior of logging all requests,
@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
if logger != nil {
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
if resp != nil {
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
}
@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
// communicate why
if err == nil {
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
- req.Method, req.URL, attempt)
+ req.Method, redactURL(req.URL), attempt)
}
return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
- req.Method, req.URL, attempt, err)
+ req.Method, redactURL(req.URL), attempt, err)
}
// Try to read the response body so we can reuse this connection.
@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
Transport: &RoundTripper{Client: c},
}
}
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+// We can switch to using it directly if we'll bump the minimum required go version.
+func redactURL(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+
+ ru := *u
+ if _, has := ru.User.Password(); has {
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ }
+ return ru.String()
+}
--
2.45.2
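Review bot: redactURL masks only the userinfo password, so a credential carried in the query string or path of req.URL is still written by every log and error call this patch touches; the doc comment above the function should say so, e.g. `// redactURL masks only the userinfo password; secrets in the query string or path are logged unchanged.` The "request failed" log and the `%w` wrap in Do also pass `err` through untouched, so the fix relies on the underlying transport error not repeating the raw URL, which is not visible in these hunks. The patch edits vendor/ only (one file changed in its diffstat), so scanners that key on the module version will presumably keep reporting the vendored go-retryablehttp as affected until the module itself is bumped.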


@ -1,134 +0,0 @@
From 7766adad2e935fcf5fec3ec3b1bb0a0169fdf4c3 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Wed, 12 Mar 2025 19:54:12 +0530
Subject: [PATCH] CVE-2025-22869: ssh: limit the size of the internal packet
queue while waiting for KEX
In the SSH protocol, clients and servers execute the key exchange to
generate one-time session keys used for encryption and authentication.
The key exchange is performed initially after the connection is
established and then periodically after a configurable amount of data.
While a key exchange is in progress, we add the received packets to an
internal queue until we receive SSH_MSG_KEXINIT from the other side.
This can result in high memory usage if the other party is slow to
respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
malicious client never responds to an SSH_MSG_KEXINIT packet during a
large file transfer.
We now limit the internal queue to 64 packets: this means 2MB with the
typical 32KB packet size.
When the internal queue is full we block further writes until the
pending key exchange is completed or there is a read or write error.
Thanks to Yuichi Watanabe for reporting this issue.
Fixes: CVE-2025-22869
Bugs: bsc#1239330
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
1 file changed, 37 insertions(+), 10 deletions(-)
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index 56cdc7c21c3b..a68d20f7f396 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -25,6 +25,11 @@ const debugHandshake = false
// quickly.
const chanSize = 16
+// maxPendingPackets sets the maximum number of packets to queue while waiting
+// for KEX to complete. This limits the total pending data to maxPendingPackets
+// * maxPacket bytes, which is ~16.8MB.
+const maxPendingPackets = 64
+
// keyingTransport is a packet based transport that supports key
// changes. It need not be thread-safe. It should pass through
// msgNewKeys in both directions.
@@ -73,11 +78,19 @@ type handshakeTransport struct {
incoming chan []byte
readError error
- mu sync.Mutex
- writeError error
- sentInitPacket []byte
- sentInitMsg *kexInitMsg
- pendingPackets [][]byte // Used when a key exchange is in progress.
+ mu sync.Mutex
+ // Condition for the above mutex. It is used to notify a completed key
+ // exchange or a write failure. Writes can wait for this condition while a
+ // key exchange is in progress.
+ writeCond *sync.Cond
+ writeError error
+ sentInitPacket []byte
+ sentInitMsg *kexInitMsg
+ // Used to queue writes when a key exchange is in progress. The length is
+ // limited by pendingPacketsSize. Once full, writes will block until the key
+ // exchange is completed or an error occurs. If not empty, it is emptied
+ // all at once when the key exchange is completed in kexLoop.
+ pendingPackets [][]byte
writePacketsLeft uint32
writeBytesLeft int64
@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
config: config,
}
+ t.writeCond = sync.NewCond(&t.mu)
t.resetReadThresholds()
t.resetWriteThresholds()
@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
defer t.mu.Unlock()
if t.writeError == nil && err != nil {
t.writeError = err
+ t.writeCond.Broadcast()
}
}
@@ -362,6 +377,8 @@ write:
}
}
t.pendingPackets = t.pendingPackets[:0]
+ // Unblock writePacket if waiting for KEX.
+ t.writeCond.Broadcast()
t.mu.Unlock()
}
@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
}
if t.sentInitMsg != nil {
- // Copy the packet so the writer can reuse the buffer.
- cp := make([]byte, len(p))
- copy(cp, p)
- t.pendingPackets = append(t.pendingPackets, cp)
- return nil
+ if len(t.pendingPackets) < maxPendingPackets {
+ // Copy the packet so the writer can reuse the buffer.
+ cp := make([]byte, len(p))
+ copy(cp, p)
+ t.pendingPackets = append(t.pendingPackets, cp)
+ return nil
+ }
+ for t.sentInitMsg != nil {
+ // Block and wait for KEX to complete or an error.
+ t.writeCond.Wait()
+ if t.writeError != nil {
+ return t.writeError
+ }
+ }
}
if t.writeBytesLeft > 0 {
@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
if err := t.pushPacket(p); err != nil {
t.writeError = err
+ t.writeCond.Broadcast()
}
return nil
--
2.46.0


@ -2,7 +2,7 @@
<service name="obs_scm" mode="manual">
<param name="url">https://github.com/containers/podman.git</param>
<param name="scm">git</param>
<param name="revision">v5.4.1</param>
<param name="revision">v5.2.2</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="versionrewrite-pattern">v(.*)</param>


@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/containers/podman.git</param>
<param name="changesrevision">b79bc8afe796cba51dd906270a7e1056ccdfcf9e</param></service></servicedata>
<param name="changesrevision">fcee48106a12dd531702d729d17f40f6e152027f</param></service></servicedata>

3
podman-5.1.1.obscpio Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1cc6d2195d65f529b4169d96ac8dd20f4a832b314b990eb9faf9588cced425c9
size 109453838

3
podman-5.1.2.obscpio Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:86ae9f9404e0f605de8cb2f056dd61a8929038c4e6eecacb7b5fc903ad4f2471
size 109458446

3
podman-5.2.0.obscpio Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:af6c274fbcbd4b432e137f8ca0c43bd638d2a286bd3cb0a2455e05c22bb64a7a
size 109566478

3
podman-5.2.2.obscpio Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1f2e5bd13e4c0ca13561fe124f44c93898450405ef15e93c6cce1d10d24105c2
size 109693454


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:16be7292e16b91a3d8ee4ad8dd5d1284c3c910c3392fbc8e66186d9be850c6bc
size 119042062

File diff suppressed because it is too large Load Diff


@ -1,4 +1,4 @@
name: podman
version: 5.4.1
mtime: 1741713733
commit: b79bc8afe796cba51dd906270a7e1056ccdfcf9e
version: 5.2.2
mtime: 1724262191
commit: fcee48106a12dd531702d729d17f40f6e152027f


@ -22,7 +22,7 @@
%bcond_without apparmor
Name: podman
Version: 5.4.1
Version: 5.2.2
Release: 0
Summary: Daemon-less container engine for managing containers, pods and images
License: Apache-2.0
@ -30,7 +30,6 @@ Group: System/Management
URL: https://%{project}
Source0: %{name}-%{version}.tar.gz
Source1: podman.conf
Patch0: 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
BuildRequires: man
BuildRequires: bash-completion
BuildRequires: device-mapper-devel
@ -50,7 +49,7 @@ BuildRequires: libgpgme-devel
BuildRequires: libostree-devel
BuildRequires: libseccomp-devel
# at least go 1.18 is needed from go.mod
BuildRequires: golang(API) >= 1.22
BuildRequires: golang(API) >= 1.21
BuildRequires: pkgconfig(libselinux)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd)
@ -75,7 +74,17 @@ Suggests: netavark
%else
Requires: netavark
%endif
# use crun on Tumbleweed & ALP for WASM support
%if 0%{suse_version} >= 1600
# crun is only available for selected archs (because of criu)
%ifarch x86_64 aarch64 ppc64le armv7l armv7hl s390x
Requires: crun
%else
Requires: runc >= 1.0.1
%endif
%else
Requires: runc >= 1.0.1
%endif
Requires: passt
Requires: timezone
Suggests: katacontainers
@ -131,7 +140,7 @@ Provides: %{name}-shell = %{version}
capabilities specified in user quadlets.
It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
when `%{_bindir}/%{name}sh is set as a login shell or set as os.Args[0].
%build
# Build podman
@ -184,7 +193,6 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
%{_mandir}/man1/podman*.1*
%{_mandir}/man5/podman*.5*
%{_mandir}/man5/quadlet*.5*
%{_mandir}/man7/podman*.7*
%exclude %{_mandir}/man1/podman-remote*.1*
# Configs
%dir %{_prefix}/lib/modules-load.d
@ -214,7 +222,6 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
%{_userunitdir}/podman-restart.service
%{_userunitdir}/podman-auto-update.timer
%{_userunitdir}/podman-clean-transient.service
%{_userunitdir}/podman-user-wait-network-online.service
%{_systemdusergeneratordir}/podman-user-generator
%{_systemdgeneratordir}/podman-system-generator
%ghost /run/podman
@ -248,19 +255,18 @@ install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
%pre
%service_add_pre podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
%systemd_user_pre podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
%post
%service_add_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
%tmpfiles_create %{_tmpfilesdir}/podman.conf
%systemd_user_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
%systemd_user_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer
%preun
%service_del_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
%postun
%service_del_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service podman-user-wait-network-online.service
%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
%changelog
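Review bot: The preamble hunk at -30,7 +30,6 drops the `Patch0:` line for the CVE-2025-22869 ssh fix, and no visible hunk adds a `PatchN:` entry for the CVE-2024-6104 backport that this comparison adds as a patch file, so as far as the shown hunks go the 5.2.2 build applies neither fix. Only part of the spec is visible, so this should be confirmed against the full preamble and `%prep`. If the vendored golang.org/x/crypto and go-retryablehttp in the v5.2.2 source do not already contain the fixes, the spec needs a line such as `Patch0: <file name of the CVE-2024-6104 backport patch>` and a rebased CVE-2025-22869 patch. The comment `# at least go 1.18 is needed from go.mod` also no longer matches the `golang(API) >= 1.21` requirement below it and should be updated.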