Accepting request 748232 from home:dancermak:branches:Virtualization:vagrant

Add rubyzip to as Requires: and bump its version to 1.3 OBS-URL: https://build.opensuse.org/request/show/748232 OBS-URL: https://build.opensuse.org/package/show/Virtualization:vagrant/vagrant?expand=0&rev=37
2019-11-13 12:42:33 +00:00 · 2019-11-13 12:42:33 +00:00 · f99712cb7f
commit f99712cb7f
parent f6b4f08f59
17 changed files with 96 additions and 34 deletions
--- a/0001-bin-vagrant-silence-warning-about-installer.patch
+++ b/0001-bin-vagrant-silence-warning-about-installer.patch
@ -1,7 +1,7 @@
 From e1a0054ceecffce9b3ef389d5b4b9bf85f309351 Mon Sep 17 00:00:00 2001
 From: Antonio Terceiro <terceiro@debian.org>
 Date: Sat, 11 Oct 2014 16:54:58 -0300
-Subject: [PATCH 01/14] bin/vagrant: silence warning about installer
+Subject: [PATCH 01/15] bin/vagrant: silence warning about installer

 Signed-off-by: Johannes Kastl <kastl@b1-systems.de>
 ---
@ -36,5 +36,5 @@ index 0e6abdcef..9b9233397 100755
   #
   # Unset  - Disables experimental features
 -- 
-2.23.0
+2.24.0

--- a/0002-Use-a-private-temporary-dir.patch
+++ b/0002-Use-a-private-temporary-dir.patch
@ -1,7 +1,7 @@
 From 2e3ac8696235e4239977c10e78474de1b1cbccd8 Mon Sep 17 00:00:00 2001
 From: Antonio Terceiro <terceiro@debian.org>
 Date: Wed, 22 Oct 2014 09:40:14 -0200
-Subject: [PATCH 02/14] Use a private temporary dir
+Subject: [PATCH 02/15] Use a private temporary dir

 Without this vagrant will clutter $TMPDIR with dozens of even hundreds
 of temporary files (~4 per vagrant invocation).
@ -94,5 +94,5 @@ index 000000000..0cbbb53ac
 +  FileUtils.rm_rf(Vagrant::Util::Tempfile.private_tmpdir)
 +end
 -- 
-2.23.0
+2.24.0

--- a/0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch
+++ b/0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch
@ -1,7 +1,7 @@
 From 5323b2746d765bee3fd9aa739bf3d0e120eb1874 Mon Sep 17 00:00:00 2001
 From: Antonio Terceiro <terceiro@softwarelivre.org>
 Date: Tue, 3 Feb 2015 10:35:17 -0200
-Subject: [PATCH 03/14] linux/cap/halt: don't wait for `shutdown -h now` to
+Subject: [PATCH 03/15] linux/cap/halt: don't wait for `shutdown -h now` to
 finish

 When running a Debian 8 lxc guest (with the vagrant-lxc plugin), which
@ -27,5 +27,5 @@ index 60dc5dde4..657636eaf 100644
             # Do nothing, because it probably means the machine shut down
             # and SSH connection was lost.
 -- 
-2.23.0
+2.24.0

--- a/0004-plugins-don-t-abuse-require_relative.patch.patch
+++ b/0004-plugins-don-t-abuse-require_relative.patch.patch
@ -1,7 +1,7 @@
 From 399ed85dc12e70156c6fa40a49e35110ad6fcff4 Mon Sep 17 00:00:00 2001
 From: Johannes Kastl <kastl@b1-systems.de>
 Date: Wed, 17 May 2017 09:09:57 +0200
-Subject: [PATCH 04/14] plugins-don-t-abuse-require_relative.patch
+Subject: [PATCH 04/15] plugins-don-t-abuse-require_relative.patch

 Signed-off-by: Johannes Kastl <kastl@b1-systems.de>
 ---
@ -154,5 +154,5 @@ index 2dd140230..e6dd96f08 100644
 module VagrantPlugins
   module GuestSUSE
 -- 
-2.23.0
+2.24.0

--- a/0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch
+++ b/0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch
@ -1,7 +1,7 @@
 From ccaab429a383ff048400a866f3aa77409ae4976d Mon Sep 17 00:00:00 2001
 From: Johannes Kastl <kastl@b1-systems.de>
 Date: Fri, 16 Nov 2018 21:12:43 +0100
-Subject: [PATCH 05/14] fix vbox package boo#1044087, added by
+Subject: [PATCH 05/15] fix vbox package boo#1044087, added by
 robert.munteanu@gmail.com on Sun Aug 13 19:07:06 UTC 2017

 Signed-off-by: Johannes Kastl <kastl@b1-systems.de>
@ -33,5 +33,5 @@ index a0baf516f..867fe2bf8 100644
 module VagrantPlugins
   module ProviderVirtualBox
 -- 
-2.23.0
+2.24.0

--- a/0006-do-not-depend-on-wdm.patch
+++ b/0006-do-not-depend-on-wdm.patch
@ -1,7 +1,7 @@
 From 98c990b8b57849464a4e1773689635a2328da89e Mon Sep 17 00:00:00 2001
 From: Johannes Kastl <kastl@b1-systems.de>
 Date: Mon, 4 Jun 2018 09:18:23 +0200
-Subject: [PATCH 06/14] do not depend on wdm
+Subject: [PATCH 06/15] do not depend on wdm

 Signed-off-by: Johannes Kastl <kastl@b1-systems.de>
 ---
@ -21,5 +21,5 @@ index 2ca4a6972..c7a2d436c 100644
   s.add_dependency "winrm-fs", "~> 1.0"
   s.add_dependency "winrm-elevated", "~> 1.1"
 -- 
-2.23.0
+2.24.0

--- a/0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch
+++ b/0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch
@ -1,7 +1,7 @@
 From 63325a25be5349141e628f4d8738cd66cf2eff69 Mon Sep 17 00:00:00 2001
 From: Johannes Kastl <kastl@b1-systems.de>
 Date: Fri, 16 Nov 2018 21:14:46 +0100
-Subject: [PATCH 07/14] do not abuse relative paths in docker plugin to make
+Subject: [PATCH 07/15] do not abuse relative paths in docker plugin to make
 docker work, added by tmkn@tmkn.uk on Thu Oct 26 19:42:46 UTC 2017

 Signed-off-by: Johannes Kastl <kastl@b1-systems.de>
@ -22,5 +22,5 @@ index 07c4e5333..e8142df8b 100644
 module VagrantPlugins
   module DockerProvider
 -- 
-2.23.0
+2.24.0

--- a/0008-Don-t-abuse-relative-paths-in-plugins.patch
+++ b/0008-Don-t-abuse-relative-paths-in-plugins.patch
@ -1,7 +1,7 @@
 From 6cabd408fd06b60b0b0c74c93da9fea05e8b0339 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Fri, 11 Jan 2019 12:32:28 +0100
-Subject: [PATCH 08/14] Don't abuse relative paths in plugins
+Subject: [PATCH 08/15] Don't abuse relative paths in plugins
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -64,5 +64,5 @@ index 7bc8ceca0..e938305e7 100644
 require_relative "../installer"
 
 -- 
-2.23.0
+2.24.0

--- a/0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch
+++ b/0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch
@ -1,7 +1,7 @@
 From e1eaa4583e58d802f0c2339c959b5becb6a2c49f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Thu, 14 Mar 2019 00:25:05 +0100
-Subject: [PATCH 09/14] Fix unit tests for GuestLinux::Cap::Halt
+Subject: [PATCH 09/15] Fix unit tests for GuestLinux::Cap::Halt

 This test fails since we patch `shutdown -h now` to be `shutdown -h now &`
 instead.
@ -37,5 +37,5 @@ index 81f682aa1..70d2603b9 100644
         cap.halt(machine)
       }.to_not raise_error
 -- 
-2.23.0
+2.24.0

--- a/0010-Skip-failing-tests.patch
+++ b/0010-Skip-failing-tests.patch
@ -1,7 +1,7 @@
 From 85808a200ea1a95f00edc2af816ae3f124dc1962 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Mon, 1 Apr 2019 17:28:31 +0200
-Subject: [PATCH 10/14] Skip failing tests
+Subject: [PATCH 10/15] Skip failing tests

 ---
 test/unit/bin/vagrant_test.rb | 4 ++--
@ -30,5 +30,5 @@ index 08edcb20e..a6bef731d 100644
       end
     end
 -- 
-2.23.0
+2.24.0

--- a/0011-Bump-rspec-its-dependency.patch
+++ b/0011-Bump-rspec-its-dependency.patch
@ -1,7 +1,7 @@
 From 79bdf20d3c293293730548f20e329f3c726f5091 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Wed, 17 Jul 2019 10:59:07 +0200
-Subject: [PATCH 11/14] Bump rspec-its dependency
+Subject: [PATCH 11/15] Bump rspec-its dependency

 ---
 vagrant.gemspec | 2 +-
@ -21,5 +21,5 @@ index c7a2d436c..04561f9c9 100644
   s.add_development_dependency "fake_ftp", "~> 0.1.1"
 
 -- 
-2.23.0
+2.24.0

--- a/0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch
+++ b/0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch
@ -1,7 +1,7 @@
 From 7784ec13f12752f5b73ddec371cb73b6dd97615a Mon Sep 17 00:00:00 2001
 From: Pavel Valena <pvalena@redhat.com>
 Date: Mon, 1 Jul 2019 17:44:54 +0200
-Subject: [PATCH 12/14] Do not list / load dependencies if `vagrant` spec is
+Subject: [PATCH 12/15] Do not list / load dependencies if `vagrant` spec is
 not loaded

 in `vagrant_internal_specs` as this fails, due to `find` returning `nil`.
@ -26,5 +26,5 @@ index 7ba48435f..c0fabdcea 100644
       list = {}
       directories = [Gem::Specification.default_specifications_dir]
 -- 
-2.23.0
+2.24.0

--- a/0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch
+++ b/0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch
@ -1,7 +1,7 @@
 From bc275fb74fbb6948246427549f04f0a4323a1747 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Thu, 24 Oct 2019 12:29:43 +0200
-Subject: [PATCH 13/14] Catch NetworkNoInterfaces error in docker
+Subject: [PATCH 13/15] Catch NetworkNoInterfaces error in docker
 prepare_networks_test

 The test "generates a network name and configuration" calls at the end
@ -43,5 +43,5 @@ index 524db9533..3461c3e05 100644
   end
 
 -- 
-2.23.0
+2.24.0

--- a/0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
+++ b/0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
@ -0,0 +1,25 @@
+From e8c23f99c5097199b7d955268e1c97314d25480b Mon Sep 17 00:00:00 2001
+From: Stefan Sundin <git@stefansundin.com>
+Date: Wed, 6 Nov 2019 20:37:56 -0800
+Subject: [PATCH 14/15] Bump rubyzip version to fix CVE-2019-16892.
+
+---
+ vagrant.gemspec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vagrant.gemspec b/vagrant.gemspec
+index 04561f9c9..58b4cb7ad 100644
+--- a/vagrant.gemspec
+++ b/vagrant.gemspec
+@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
+   s.add_dependency "net-scp", "~> 1.2.0"
+   s.add_dependency "rb-kqueue", "~> 0.2.0"
+   s.add_dependency "rest-client", ">= 1.6.0", "< 3.0"
+-  s.add_dependency "rubyzip", "~> 1.2.2"
+  s.add_dependency "rubyzip", "~> 1.3"
+   s.add_dependency "winrm", "~> 2.1"
+   s.add_dependency "winrm-fs", "~> 1.0"
+   s.add_dependency "winrm-elevated", "~> 1.1"
+-- 
+2.24.0
+
--- a/0015-ARM-only-Disable-Subprocess-unit-test.patch
+++ b/0015-ARM-only-Disable-Subprocess-unit-test.patch
@ -1,7 +1,7 @@
-From 751a501fa2952f78d60085272dafc96a97d95cc0 Mon Sep 17 00:00:00 2001
+From 75b7fca0c98396ee755c329f002c8e2afa18dae0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Wed, 28 Aug 2019 13:39:58 +0200
-Subject: [PATCH 14/14] [ARM only] Disable Subprocess unit test
+Subject: [PATCH 15/15] [ARM only] Disable Subprocess unit test

 This unit test is *very* flaky on OBS' ARM workers and causes random build
 failures. These are probably caused by worker being under high load and then
@ -33,5 +33,5 @@ index 81da0e635..a2a2270a0 100644
         sleep(0.1)
         expect(sp.stop).to be(true)
 -- 
-2.23.0
+2.24.0

--- a/vagrant.changes
+++ b/vagrant.changes
@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Wed Nov 13 10:18:47 UTC 2019 - Dan Čermák <dcermak@suse.com>
+
+- Add rubyzip to as Requires: and bump its version to 1.3
+
+  This is required to address CVE-2019-16892
+
+  Rebased patches:
+
+  - 0001-bin-vagrant-silence-warning-about-installer.patch
+  - 0002-Use-a-private-temporary-dir.patch
+  - 0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch
+  - 0004-plugins-don-t-abuse-require_relative.patch.patch
+  - 0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch
+  - 0006-do-not-depend-on-wdm.patch
+  - 0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch
+  - 0008-Don-t-abuse-relative-paths-in-plugins.patch
+  - 0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch
+  - 0010-Skip-failing-tests.patch
+  - 0011-Bump-rspec-its-dependency.patch
+  - 0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch
+  - 0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch
+
+  Removed:
+  - 0014-ARM-only-Disable-Subprocess-unit-test.patch
+
+  Added:
+  - 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
+  - 0015-ARM-only-Disable-Subprocess-unit-test.patch
+
 -------------------------------------------------------------------
 Tue Oct 22 08:30:24 UTC 2019 - Dan Čermák <dcermak@suse.com>

--- a/vagrant.spec
+++ b/vagrant.spec
@ -58,12 +58,16 @@ Patch7:         0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch
 Patch8:         0008-Don-t-abuse-relative-paths-in-plugins.patch
 Patch9:         0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch
 Patch10:        0010-Skip-failing-tests.patch
+# FIXME: merged, drop at next release after v2.2.6
 # https://github.com/hashicorp/vagrant/pull/10991
 Patch11:        0011-Bump-rspec-its-dependency.patch
+# FIXME: merged, drop at next release after v2.2.6
 # https://github.com/hashicorp/vagrant/pull/10945
 Patch12:        0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch
 Patch13:        0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch
-Patch14:        0014-ARM-only-Disable-Subprocess-unit-test.patch
+# FIXME: upstream fix, drop at next release after v2.2.6
+Patch14:        0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
+Patch15:        0015-ARM-only-Disable-Subprocess-unit-test.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@ -118,8 +122,8 @@ BuildRequires:  %{rubygem rb-kqueue:0.2 }
 #  s.add_dependency "rest-client", ">= 1.6.0", "< 3.0"
 BuildRequires:  %{rubygem rest-client >= 1.6}
 BuildConflicts:  %{rubygem rest-client >= 3.0}
-#  s.add_dependency "rubyzip", "~> 1.2.2"
-BuildRequires:  %{rubygem rubyzip:1.2 >= 1.2.2}
+#  s.add_dependency "rubyzip", "~> 1.3"
+BuildRequires:  %{rubygem rubyzip:1 >= 1.3}
 # Intentionally removed, wdm only works on Windows
 # BuildRequires:  %%{rubygem wdm }
 #  s.add_dependency "winrm", "~> 2.1"
@ -136,7 +140,7 @@ BuildRequires:  %{rubygem vagrant_cloud:2.0 >= 2.0.3 }
 BuildRequires:  %{rubygem rake:12.0 }
 #  s.add_development_dependency "rspec", "~> 3.5.0"
 BuildRequires:  %{rubygem rspec:3.5 }
-# PATCHED
+# FIXME: PATCHED
 #  s.add_development_dependency "rspec-its", "~> 1.3.0"
 BuildRequires:  %{rubygem rspec-its:1.3 }
 #  s.add_dependency "ruby_dep", "<= 1.3.1"
@ -202,6 +206,8 @@ Requires:       %{rubygem rb-kqueue:0.2}
 #  s.add_dependency "rest-client", ">= 1.6.0", "< 3.0"
 Requires:       %{rubygem rest-client >= 1.6}
 Requires:       %{rubygem rest-client < 3.0}
+#  s.add_dependency "rubyzip", "~> 1.3"
+Requires:       %{rubygem rubyzip:1 >= 1.3}
 #   s.add_dependency "wdm", "~> 0.1.0"
 # skip wdm, Windows only
 #  s.add_dependency "winrm", "~> 2.1"
@ -287,9 +293,10 @@ Optional dependency offering bash completion for vagrant
 %patch11 -p 1
 %patch12 -p 1
 %patch13 -p 1
+%patch14 -p 1
 # disable the subprocess test only on ARM
 %ifarch %{arm} aarch64
-%patch14 -p 1
+%patch15 -p 1
 %endif

 cp %{SOURCE98} .