Accepting request 883279 from home:cyphar:umoci

- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147

OBS-URL: https://build.opensuse.org/request/show/883279
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=52

umoci-0.4.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d0b495ee61781c23ad9f0e1f431646cfd74fa10ca35f0547004c7b6cb9eb071b
-size 1546000

umoci-0.4.6.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl7ynQoACgkQnhiqJn3b
-jbRvhA/8Cy+8BejZaClgcn8gedWP70wAGDirhuJUbpxTIoBOPUxl5LK1q/K7AvqL
-VKDJLXQpAuVDTivER10IC/daL04J/3aNGKE+IwaLPG0spwyR4l8xuJAmMCB04dev
-tha0lrxyK6XygRYm5QHxJfSVEBfMfxY3LPeSVFDg4cIFNlr1jl3inGDPEMYftXy5
-pjNspsWgsIciUMadc+EzTiDwoY+EQjDLJP5V5kiDJQc/GoJclCIdLPYPzLsMwonv
-VEWZ8M5uplZ/5GyfEjcuiH2uyYojooHltWR6fa0aNE+2+oMHhH6l+MVFxvOSjVTi
-Z+8Y0SH9duJ6cTpXgFJvknGRjoB6kaMPkroLQtKjxNNuziuuRwUwobp6B6971yjE
-/TUVokPMQuoWcVk2TIg59P3IYTHoeU3etp/d1WIvVPy5jBtbU+msrgwuUBZzDyls
-ehuLGL+PbG3MrgwC1vJeUVQjmr49sXkneg6KtvQcIK6fGXHYH5GVlciWr9M3OaTd
-cI9riQQLHm/j3CwCAd1nluf77PH6aYmkFUPJ6rymH1Hxv2yJaMi1JweNcgismPVA
-PIncI+ozOllUYyB/WsTThwYIvt8k0dl1uhtVMUdUQtymgtI/tSEwANJ0T7b4j87c
-0qzHQlwU0mrF3HtOZj3U+wNA0k5jRRWjKN03rcmXDx4zDXubn7s=
-=q4px
------END PGP SIGNATURE-----

umoci-0.4.7.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmBq/PMPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420uLUQAMgUBXRyvVePDAb/g4WVwwKbFrT8xPy0gQfT
+h+zj/4MTtd2iu5ypGVhca1yhtqt6AutJXOgxhIU9bY+wo7oqCV9TJRoiZZDiyhRU
+FUPmYszKqpBN2TIyyK4J9kqvfi7zlrYJOi4esRkay7ZgYz4el348aBIWNkak0Ip0
+NKhoWEGf41HabB0Ep/Rhy7JHe15ZtPLG6uH3TkjilWu4GB2rEkQusAztSnvrRP3Z
+9k/plJCwa04WJQW1r6kr1i5bqhTq82kP5yrzO52GbKdQWyLdESwxN8yFfWMl8Igb
+LOOBYKjnk/MtKLUOFK09mbfbQpaSqG0NLzMg42kEeqF8TpyBF5+/YTdLbSalGQhx
++BDTSOd4GB6lgV8zyBOBGcmNZmV977gW4AjHOZT8i3FPD4iaH3Bnwg2R5aqbIJK5
+AI40+NQMaAk+kME0FoAJnwov6w2kdDdOpyovfQ1l878HGlg8iZ5uf9bo6XuQGpr/
+lZHy8k9xC3mGr7OWmHrhL08TQlGK7wMQW7hgXKbAC8p8SSNU2aAqwEDdNohRSiu5
+g6Xg87zpc6Z4JsfYtI513ByWHdpE0jbcpv3BvSuEHnKGVfCjRBRBSOxAq7UZ1Koa
+6rbic/liobiul27LdMi022nhVA8KqClbYDoe8bOiZU2ZhcvevrK+nb89ucbSkUs4
+nlm2tviX
+=Q3Fv
+-----END PGP SIGNATURE-----

umoci.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Tue Apr  6 11:13:10 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147
+
+  A security flaw was found in umoci, and has been fixed in this release. If
+  umoci was used to unpack a malicious image (using either umoci unpack or
+  umoci raw unpack) that contained a symlink entry for /., umoci would apply
+  subsequent layers to the target of the symlink (resolved on the host
+  filesystem). This means that if you ran umoci as root, a malicious image
+  could overwrite any file on the system (assuming you didn't have any other
+  access control restrictions). Thanks to Robin Peraglie from Cure53 for
+  discovering this bug. CVE-2021-29136
+
+  Other changes in this release:
+
+  * umoci now compiles on FreeBSD and appears to work, with the notable
+    limitation that it currently refuses to extract non-Linux images on any
+    platform (this will be fixed in a future release).
+
+  * Initial fuzzer implementations for oss-fuzz.
+
+  * umoci will now read all trailing data from image layers, to combat the
+    existence of some image generators that appear to append NUL bytes to the
+    end of the gzip stream (which would previously cause checksum failures
+    because we didn't read nor checksum the trailing junk bytes). However,
+    umoci will still not read past the descriptor length.
+
+  * umoci now ignores all overlayfs xattrs during unpack and repack
+    operations, to avoid causing issues when packing a raw overlayfs
+    directory.
+
+  * For details, see CHANGELOG.md in the package.
+
 -------------------------------------------------------------------
 Thu Apr  1 05:36:50 UTC 2021 - Aleksa Sarai <asarai@suse.com>
 

umoci.spec

@@ -20,7 +20,7 @@
 %define project github.com/opencontainers/umoci
 
 Name:           umoci
-Version:        0.4.6
+Version:        0.4.7
 Release:        0
 Summary:        Open Container Image manipulation tool
 License:        Apache-2.0