Accepting request 883793 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/883793
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/umoci?expand=0&rev=17

0001-makefile-fix-bad-build-flags.patch

@@ -0,0 +1,30 @@
+From ed20cebfec648920c59e0988aceeef7dfd646558 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 8 Apr 2021 18:55:40 +1000
+Subject: [PATCH] makefile: fix bad build flags
+
+Fix mistake in the Makefile which prevents the version field (as well as
+some other build flags) from being passed to "go build".
+
+Fixes: 6fbd32e48b66 ("Make Makefile more portable")
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index d760e9289033..1fdcf650f4f9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -71,7 +71,7 @@ BASE_LDFLAGS := -s -w -X ${PROJECT}.gitCommit=${COMMIT} -X ${PROJECT}.version=${
+ 
+ # Specific build flags for build type.
+ ifeq ($(GOOS), linux)
+-	TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test"		   DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
++	DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
+ 	TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test"
+ else
+ 	DYN_BUILD_FLAGS := ${BASE_FLAGS} -ldflags "${BASE_LDFLAGS}"
+-- 
+2.30.2
+

umoci-0.4.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d0b495ee61781c23ad9f0e1f431646cfd74fa10ca35f0547004c7b6cb9eb071b
-size 1546000

umoci-0.4.6.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl7ynQoACgkQnhiqJn3b
-jbRvhA/8Cy+8BejZaClgcn8gedWP70wAGDirhuJUbpxTIoBOPUxl5LK1q/K7AvqL
-VKDJLXQpAuVDTivER10IC/daL04J/3aNGKE+IwaLPG0spwyR4l8xuJAmMCB04dev
-tha0lrxyK6XygRYm5QHxJfSVEBfMfxY3LPeSVFDg4cIFNlr1jl3inGDPEMYftXy5
-pjNspsWgsIciUMadc+EzTiDwoY+EQjDLJP5V5kiDJQc/GoJclCIdLPYPzLsMwonv
-VEWZ8M5uplZ/5GyfEjcuiH2uyYojooHltWR6fa0aNE+2+oMHhH6l+MVFxvOSjVTi
-Z+8Y0SH9duJ6cTpXgFJvknGRjoB6kaMPkroLQtKjxNNuziuuRwUwobp6B6971yjE
-/TUVokPMQuoWcVk2TIg59P3IYTHoeU3etp/d1WIvVPy5jBtbU+msrgwuUBZzDyls
-ehuLGL+PbG3MrgwC1vJeUVQjmr49sXkneg6KtvQcIK6fGXHYH5GVlciWr9M3OaTd
-cI9riQQLHm/j3CwCAd1nluf77PH6aYmkFUPJ6rymH1Hxv2yJaMi1JweNcgismPVA
-PIncI+ozOllUYyB/WsTThwYIvt8k0dl1uhtVMUdUQtymgtI/tSEwANJ0T7b4j87c
-0qzHQlwU0mrF3HtOZj3U+wNA0k5jRRWjKN03rcmXDx4zDXubn7s=
-=q4px
------END PGP SIGNATURE-----

umoci-0.4.7.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmBq/PMPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420uLUQAMgUBXRyvVePDAb/g4WVwwKbFrT8xPy0gQfT
+h+zj/4MTtd2iu5ypGVhca1yhtqt6AutJXOgxhIU9bY+wo7oqCV9TJRoiZZDiyhRU
+FUPmYszKqpBN2TIyyK4J9kqvfi7zlrYJOi4esRkay7ZgYz4el348aBIWNkak0Ip0
+NKhoWEGf41HabB0Ep/Rhy7JHe15ZtPLG6uH3TkjilWu4GB2rEkQusAztSnvrRP3Z
+9k/plJCwa04WJQW1r6kr1i5bqhTq82kP5yrzO52GbKdQWyLdESwxN8yFfWMl8Igb
+LOOBYKjnk/MtKLUOFK09mbfbQpaSqG0NLzMg42kEeqF8TpyBF5+/YTdLbSalGQhx
++BDTSOd4GB6lgV8zyBOBGcmNZmV977gW4AjHOZT8i3FPD4iaH3Bnwg2R5aqbIJK5
+AI40+NQMaAk+kME0FoAJnwov6w2kdDdOpyovfQ1l878HGlg8iZ5uf9bo6XuQGpr/
+lZHy8k9xC3mGr7OWmHrhL08TQlGK7wMQW7hgXKbAC8p8SSNU2aAqwEDdNohRSiu5
+g6Xg87zpc6Z4JsfYtI513ByWHdpE0jbcpv3BvSuEHnKGVfCjRBRBSOxAq7UZ1Koa
+6rbic/liobiul27LdMi022nhVA8KqClbYDoe8bOiZU2ZhcvevrK+nb89ucbSkUs4
+nlm2tviX
+=Q3Fv
+-----END PGP SIGNATURE-----

umoci.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Tue Apr  6 11:13:10 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147
+
+  A security flaw was found in umoci, and has been fixed in this release. If
+  umoci was used to unpack a malicious image (using either umoci unpack or
+  umoci raw unpack) that contained a symlink entry for /., umoci would apply
+  subsequent layers to the target of the symlink (resolved on the host
+  filesystem). This means that if you ran umoci as root, a malicious image
+  could overwrite any file on the system (assuming you didn't have any other
+  access control restrictions). Thanks to Robin Peraglie from Cure53 for
+  discovering this bug. CVE-2021-29136
+
+  Other changes in this release:
+
+  * umoci now compiles on FreeBSD and appears to work, with the notable
+    limitation that it currently refuses to extract non-Linux images on any
+    platform (this will be fixed in a future release).
+  * Initial fuzzer implementations for oss-fuzz.
+  * umoci will now read all trailing data from image layers, to combat the
+    existence of some image generators that appear to append NUL bytes to the
+    end of the gzip stream (which would previously cause checksum failures
+    because we didn't read nor checksum the trailing junk bytes). However,
+    umoci will still not read past the descriptor length.
+  * umoci now ignores all overlayfs xattrs during unpack and repack
+    operations, to avoid causing issues when packing a raw overlayfs
+    directory.
+  * For details, see CHANGELOG.md in the package.
+- Backport patch to fix KIWI which depends on umoci having sane output from
+  "umoci --version". <https://github.com/opencontainers/umoci/pull/369>
+  + 0001-makefile-fix-bad-build-flags.patch
+
+-------------------------------------------------------------------
+Thu Apr  1 05:36:50 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Re-disable s390 builds.
+
 -------------------------------------------------------------------
 Wed Jun 24 00:27:44 UTC 2020 - Aleksa Sarai <asarai@suse.com>
 

umoci.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package umoci
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define project github.com/opencontainers/umoci
 
 Name:           umoci
-Version:        0.4.6
+Version:        0.4.7
 Release:        0
 Summary:        Open Container Image manipulation tool
 License:        Apache-2.0
@@ -29,11 +29,14 @@ URL:            https://umo.ci
 Source0:        https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz#/%{name}-%{version}.tar.xz
 Source1:        https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz.asc#/%{name}-%{version}.tar.xz.asc
 Source2:        https://umo.ci/%{name}.keyring
+# OPENSUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/umoci/pull/369>.
+Patch1:         0001-makefile-fix-bad-build-flags.patch
 BuildRequires:  fdupes
+BuildRequires:  go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
 # for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608
-BuildRequires:  go-go-md2man
 BuildRequires:  go1.14
+ExcludeArch:    s390
 
 %description
 umoci modifies Open Container images. umoci is a manipulation tool for OCI
@@ -42,6 +45,8 @@ provided by the OCI.
 
 %prep
 %setup -q
+# <https://github.com/opencontainers/umoci/pull/369>
+%patch1 -p1
 
 %build
 export VERSION="$(cat ./VERSION)"