diff --git a/0001-bin-vagrant-silence-warning-about-installer.patch b/0001-bin-vagrant-silence-warning-about-installer.patch index cbcce52..83705cd 100644 --- a/0001-bin-vagrant-silence-warning-about-installer.patch +++ b/0001-bin-vagrant-silence-warning-about-installer.patch @@ -1,7 +1,7 @@ From e1a0054ceecffce9b3ef389d5b4b9bf85f309351 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro Date: Sat, 11 Oct 2014 16:54:58 -0300 -Subject: [PATCH 01/14] bin/vagrant: silence warning about installer +Subject: [PATCH 01/15] bin/vagrant: silence warning about installer Signed-off-by: Johannes Kastl --- @@ -36,5 +36,5 @@ index 0e6abdcef..9b9233397 100755 # # Unset - Disables experimental features -- -2.23.0 +2.24.0 diff --git a/0002-Use-a-private-temporary-dir.patch b/0002-Use-a-private-temporary-dir.patch index 053fa64..5daaa45 100644 --- a/0002-Use-a-private-temporary-dir.patch +++ b/0002-Use-a-private-temporary-dir.patch @@ -1,7 +1,7 @@ From 2e3ac8696235e4239977c10e78474de1b1cbccd8 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro Date: Wed, 22 Oct 2014 09:40:14 -0200 -Subject: [PATCH 02/14] Use a private temporary dir +Subject: [PATCH 02/15] Use a private temporary dir Without this vagrant will clutter $TMPDIR with dozens of even hundreds of temporary files (~4 per vagrant invocation). @@ -94,5 +94,5 @@ index 000000000..0cbbb53ac + FileUtils.rm_rf(Vagrant::Util::Tempfile.private_tmpdir) +end -- -2.23.0 +2.24.0 diff --git a/0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch b/0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch index 0abb6aa..3624647 100644 --- a/0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch +++ b/0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch @@ -1,7 +1,7 @@ From 5323b2746d765bee3fd9aa739bf3d0e120eb1874 Mon Sep 17 00:00:00 2001 
From: Antonio Terceiro Date: Tue, 3 Feb 2015 10:35:17 -0200 -Subject: [PATCH 03/14] linux/cap/halt: don't wait for `shutdown -h now` to +Subject: [PATCH 03/15] linux/cap/halt: don't wait for `shutdown -h now` to finish When running a Debian 8 lxc guest (with the vagrant-lxc plugin), which @@ -27,5 +27,5 @@ index 60dc5dde4..657636eaf 100644 # Do nothing, because it probably means the machine shut down # and SSH connection was lost. -- -2.23.0 +2.24.0 diff --git a/0004-plugins-don-t-abuse-require_relative.patch.patch b/0004-plugins-don-t-abuse-require_relative.patch.patch index c2d41db..b5e6fc6 100644 --- a/0004-plugins-don-t-abuse-require_relative.patch.patch +++ b/0004-plugins-don-t-abuse-require_relative.patch.patch @@ -1,7 +1,7 @@ From 399ed85dc12e70156c6fa40a49e35110ad6fcff4 Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Wed, 17 May 2017 09:09:57 +0200 -Subject: [PATCH 04/14] plugins-don-t-abuse-require_relative.patch +Subject: [PATCH 04/15] plugins-don-t-abuse-require_relative.patch Signed-off-by: Johannes Kastl --- @@ -154,5 +154,5 @@ index 2dd140230..e6dd96f08 100644 module VagrantPlugins module GuestSUSE -- -2.23.0 +2.24.0 diff --git a/0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch b/0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch index d53906f..0612655 100644 --- a/0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch +++ b/0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch @@ -1,7 +1,7 @@ From ccaab429a383ff048400a866f3aa77409ae4976d Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Fri, 16 Nov 2018 21:12:43 +0100 -Subject: [PATCH 05/14] fix vbox package boo#1044087, added by +Subject: [PATCH 05/15] fix vbox package boo#1044087, added by robert.munteanu@gmail.com on Sun Aug 13 19:07:06 UTC 2017 Signed-off-by: Johannes Kastl @@ -33,5 +33,5 @@ index a0baf516f..867fe2bf8 100644 module VagrantPlugins module ProviderVirtualBox -- -2.23.0 +2.24.0 
diff --git a/0006-do-not-depend-on-wdm.patch b/0006-do-not-depend-on-wdm.patch index 90b3283..da5973e 100644 --- a/0006-do-not-depend-on-wdm.patch +++ b/0006-do-not-depend-on-wdm.patch @@ -1,7 +1,7 @@ From 98c990b8b57849464a4e1773689635a2328da89e Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Mon, 4 Jun 2018 09:18:23 +0200 -Subject: [PATCH 06/14] do not depend on wdm +Subject: [PATCH 06/15] do not depend on wdm Signed-off-by: Johannes Kastl --- @@ -21,5 +21,5 @@ index 2ca4a6972..c7a2d436c 100644 s.add_dependency "winrm-fs", "~> 1.0" s.add_dependency "winrm-elevated", "~> 1.1" -- -2.23.0 +2.24.0 diff --git a/0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch b/0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch index 2e8da3c..86014b9 100644 --- a/0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch +++ b/0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch @@ -1,7 +1,7 @@ From 63325a25be5349141e628f4d8738cd66cf2eff69 Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Fri, 16 Nov 2018 21:14:46 +0100 -Subject: [PATCH 07/14] do not abuse relative paths in docker plugin to make +Subject: [PATCH 07/15] do not abuse relative paths in docker plugin to make docker work, added by tmkn@tmkn.uk on Thu Oct 26 19:42:46 UTC 2017 Signed-off-by: Johannes Kastl @@ -22,5 +22,5 @@ index 07c4e5333..e8142df8b 100644 module VagrantPlugins module DockerProvider -- -2.23.0 +2.24.0 diff --git a/0008-Don-t-abuse-relative-paths-in-plugins.patch b/0008-Don-t-abuse-relative-paths-in-plugins.patch index 6699f02..31de856 100644 --- a/0008-Don-t-abuse-relative-paths-in-plugins.patch +++ b/0008-Don-t-abuse-relative-paths-in-plugins.patch @@ -1,7 +1,7 @@ From 6cabd408fd06b60b0b0c74c93da9fea05e8b0339 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Fri, 11 Jan 2019 12:32:28 +0100 -Subject: [PATCH 08/14] Don't abuse relative paths in plugins +Subject: [PATCH 08/15] Don't abuse relative paths in plugins MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -64,5 +64,5 @@ index 7bc8ceca0..e938305e7 100644 require_relative "../installer" -- -2.23.0 +2.24.0 diff --git a/0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch b/0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch index d738968..eb78e0e 100644 --- a/0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch +++ b/0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch @@ -1,7 +1,7 @@ From e1eaa4583e58d802f0c2339c959b5becb6a2c49f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Thu, 14 Mar 2019 00:25:05 +0100 -Subject: [PATCH 09/14] Fix unit tests for GuestLinux::Cap::Halt +Subject: [PATCH 09/15] Fix unit tests for GuestLinux::Cap::Halt This test fails since we patch `shutdown -h now` to be `shutdown -h now &` instead. @@ -37,5 +37,5 @@ index 81f682aa1..70d2603b9 100644 cap.halt(machine) }.to_not raise_error -- -2.23.0 +2.24.0 diff --git a/0010-Skip-failing-tests.patch b/0010-Skip-failing-tests.patch index cf697cf..e88a28c 100644 --- a/0010-Skip-failing-tests.patch +++ b/0010-Skip-failing-tests.patch @@ -1,7 +1,7 @@ From 85808a200ea1a95f00edc2af816ae3f124dc1962 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Mon, 1 Apr 2019 17:28:31 +0200 -Subject: [PATCH 10/14] Skip failing tests +Subject: [PATCH 10/15] Skip failing tests --- test/unit/bin/vagrant_test.rb | 4 ++-- @@ -30,5 +30,5 @@ index 08edcb20e..a6bef731d 100644 end end -- -2.23.0 +2.24.0 diff --git a/0011-Bump-rspec-its-dependency.patch b/0011-Bump-rspec-its-dependency.patch index 78fc7ea..7f7159a 100644 --- a/0011-Bump-rspec-its-dependency.patch +++ b/0011-Bump-rspec-its-dependency.patch @@ -1,7 +1,7 @@ From 79bdf20d3c293293730548f20e329f3c726f5091 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Wed, 17 Jul 2019 10:59:07 +0200 -Subject: [PATCH 11/14] Bump rspec-its dependency +Subject: [PATCH 11/15] Bump rspec-its dependency --- vagrant.gemspec | 2 +- @@ -21,5 +21,5 @@ index c7a2d436c..04561f9c9 100644 s.add_development_dependency "fake_ftp", "~> 0.1.1" -- -2.23.0 +2.24.0 diff --git a/0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch b/0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch index 57406b7..4e54f48 100644 --- a/0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch +++ b/0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch @@ -1,7 +1,7 @@ From 7784ec13f12752f5b73ddec371cb73b6dd97615a Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Mon, 1 Jul 2019 17:44:54 +0200 -Subject: [PATCH 12/14] Do not list / load dependencies if `vagrant` spec is +Subject: [PATCH 12/15] Do not list / load dependencies if `vagrant` spec is not loaded in `vagrant_internal_specs` as this fails, due to `find` returning `nil`. @@ -26,5 +26,5 @@ index 7ba48435f..c0fabdcea 100644 list = {} directories = [Gem::Specification.default_specifications_dir] -- -2.23.0 +2.24.0 diff --git a/0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch b/0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch index a82d3bc..4e393be 100644 --- a/0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch +++ b/0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch @@ -1,7 +1,7 @@ From bc275fb74fbb6948246427549f04f0a4323a1747 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Thu, 24 Oct 2019 12:29:43 +0200 -Subject: [PATCH 13/14] Catch NetworkNoInterfaces error in docker +Subject: [PATCH 13/15] Catch NetworkNoInterfaces error in docker prepare_networks_test The test "generates a network name and configuration" calls at the end @@ -43,5 +43,5 @@ index 524db9533..3461c3e05 100644 end -- -2.23.0 +2.24.0 
diff --git a/0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch b/0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
new file mode 100644
index 0000000..00a7a96
--- /dev/null
+++ b/0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
@@ -0,0 +1,25 @@
+From e8c23f99c5097199b7d955268e1c97314d25480b Mon Sep 17 00:00:00 2001
+From: Stefan Sundin
+Date: Wed, 6 Nov 2019 20:37:56 -0800
+Subject: [PATCH 14/15] Bump rubyzip version to fix CVE-2019-16892.
+
+---
+ vagrant.gemspec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vagrant.gemspec b/vagrant.gemspec
+index 04561f9c9..58b4cb7ad 100644
+--- a/vagrant.gemspec
++++ b/vagrant.gemspec
+@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
+ s.add_dependency "net-scp", "~> 1.2.0"
+ s.add_dependency "rb-kqueue", "~> 0.2.0"
+ s.add_dependency "rest-client", ">= 1.6.0", "< 3.0"
+- s.add_dependency "rubyzip", "~> 1.2.2"
++ s.add_dependency "rubyzip", "~> 1.3"
+ s.add_dependency "winrm", "~> 2.1"
+ s.add_dependency "winrm-fs", "~> 1.0"
+ s.add_dependency "winrm-elevated", "~> 1.1"
+--
+2.24.0
+
diff --git a/0014-ARM-only-Disable-Subprocess-unit-test.patch b/0015-ARM-only-Disable-Subprocess-unit-test.patch
similarity index 90%
rename from 0014-ARM-only-Disable-Subprocess-unit-test.patch
rename to 0015-ARM-only-Disable-Subprocess-unit-test.patch
index fdfc347..2f50df8 100644
--- a/0014-ARM-only-Disable-Subprocess-unit-test.patch
+++ b/0015-ARM-only-Disable-Subprocess-unit-test.patch
@@ -1,7 +1,7 @@
-From 751a501fa2952f78d60085272dafc96a97d95cc0 Mon Sep 17 00:00:00 2001
+From 75b7fca0c98396ee755c329f002c8e2afa18dae0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
 Date: Wed, 28 Aug 2019 13:39:58 +0200
-Subject: [PATCH 14/14] [ARM only] Disable Subprocess unit test
+Subject: [PATCH 15/15] [ARM only] Disable Subprocess unit test
 
 This unit test is *very* flaky on OBS' ARM workers and causes random build failures. These are probably caused by worker being under high load and then
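Review bot: The `~> 1.3` constraint in the new 0014 patch raises the rubyzip floor to the release line that addresses CVE-2019-16892 (1.3.0 per the rubyzip release notes), but as far as I recall the 1.3.x releases ship the new entry-size check as opt-in (`Zip.validate_entry_sizes = true`) and only 2.0 enables it by default, so the dependency bump by itself may not change what vagrant's zip extraction actually enforces at runtime. That is worth confirming against the rubyzip changelog, and the patch description could state whether vagrant sets the option or merely gains the ability to. Since `~> 1.3` still permits any 1.x release, the spec's `rubyzip:1 >= 1.3` slot in the later hunks mirrors it correctly, so the two stay consistent.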
@@ -33,5 +33,5 @@ index 81da0e635..a2a2270a0 100644
 sleep(0.1)
 expect(sp.stop).to be(true)
 --
-2.23.0
+2.24.0
 
diff --git a/vagrant.changes b/vagrant.changes
index 33fa0cd..b09e969 100644
--- a/vagrant.changes
+++ b/vagrant.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Wed Nov 13 10:18:47 UTC 2019 - Dan Čermák
+
+- Add rubyzip to as Requires: and bump its version to 1.3
+
+ This is required to address CVE-2019-16892
+
+ Rebased patches:
+
+ - 0001-bin-vagrant-silence-warning-about-installer.patch
+ - 0002-Use-a-private-temporary-dir.patch
+ - 0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch
+ - 0004-plugins-don-t-abuse-require_relative.patch.patch
+ - 0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch
+ - 0006-do-not-depend-on-wdm.patch
+ - 0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch
+ - 0008-Don-t-abuse-relative-paths-in-plugins.patch
+ - 0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch
+ - 0010-Skip-failing-tests.patch
+ - 0011-Bump-rspec-its-dependency.patch
+ - 0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch
+ - 0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch
+
+ Removed:
+ - 0014-ARM-only-Disable-Subprocess-unit-test.patch
+
+ Added:
+ - 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
+ - 0015-ARM-only-Disable-Subprocess-unit-test.patch
+
 -------------------------------------------------------------------
 Tue Oct 22 08:30:24 UTC 2019 - Dan Čermák
 
diff --git a/vagrant.spec b/vagrant.spec
index 96e3d0b..ccbef27 100644
--- a/vagrant.spec
+++ b/vagrant.spec
@@ -58,12 +58,16 @@ Patch7: 0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch
 Patch8: 0008-Don-t-abuse-relative-paths-in-plugins.patch
 Patch9: 0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch
 Patch10: 0010-Skip-failing-tests.patch
+# FIXME: merged, drop at next release after v2.2.6
 # https://github.com/hashicorp/vagrant/pull/10991
 Patch11: 0011-Bump-rspec-its-dependency.patch
+# FIXME: merged, drop at next release after v2.2.6
 # https://github.com/hashicorp/vagrant/pull/10945
 Patch12: 0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch
 Patch13: 0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch
-Patch14: 0014-ARM-only-Disable-Subprocess-unit-test.patch
+# FIXME: upstream fix, drop at next release after v2.2.6
+Patch14: 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch
+Patch15: 0015-ARM-only-Disable-Subprocess-unit-test.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -118,8 +122,8 @@ BuildRequires: %{rubygem rb-kqueue:0.2 }
 # s.add_dependency "rest-client", ">= 1.6.0", "< 3.0"
 BuildRequires: %{rubygem rest-client >= 1.6}
 BuildConflicts: %{rubygem rest-client >= 3.0}
-# s.add_dependency "rubyzip", "~> 1.2.2"
-BuildRequires: %{rubygem rubyzip:1.2 >= 1.2.2}
+# s.add_dependency "rubyzip", "~> 1.3"
+BuildRequires: %{rubygem rubyzip:1 >= 1.3}
 # Intentionally removed, wdm only works on Windows
 # BuildRequires: %%{rubygem wdm }
 # s.add_dependency "winrm", "~> 2.1"
@@ -136,7 +140,7 @@ BuildRequires: %{rubygem vagrant_cloud:2.0 >= 2.0.3 }
 BuildRequires: %{rubygem rake:12.0 }
 # s.add_development_dependency "rspec", "~> 3.5.0"
 BuildRequires: %{rubygem rspec:3.5 }
-# PATCHED
+# FIXME: PATCHED
 # s.add_development_dependency "rspec-its", "~> 1.3.0"
 BuildRequires: %{rubygem rspec-its:1.3 }
 # s.add_dependency "ruby_dep", "<= 1.3.1"
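Review bot: The new `# FIXME: upstream fix, drop at next release after v2.2.6` above `Patch14:` does not name the upstream change, unlike the FIXMEs added for Patch11 and Patch12, which sit on top of their existing `# https://github.com/hashicorp/vagrant/pull/...` lines, so the next maintainer has nothing to check when deciding whether the patch can be dropped. Add a second comment line under it, `# <upstream PR or commit URL>` (placeholder, to be taken from the upstream vagrant repository), so all three FIXMEs read the same way. In the `@@ -136,7` hunk, `# FIXME: PATCHED` says the rspec-its line below is patched without saying by what; presumably it is Patch11 (0011-Bump-rspec-its-dependency.patch), so `# FIXME: PATCHED by Patch11 (rspec-its bump), drop together with it` would tie the two together. Both are comment-only changes.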
@@ -202,6 +206,8 @@ Requires: %{rubygem rb-kqueue:0.2}
 # s.add_dependency "rest-client", ">= 1.6.0", "< 3.0"
 Requires: %{rubygem rest-client >= 1.6}
 Requires: %{rubygem rest-client < 3.0}
+# s.add_dependency "rubyzip", "~> 1.3"
+Requires: %{rubygem rubyzip:1 >= 1.3}
 # s.add_dependency "wdm", "~> 0.1.0"
 # skip wdm, Windows only
 # s.add_dependency "winrm", "~> 2.1"
@@ -287,9 +293,10 @@ Optional dependency offering bash completion for vagrant
 %patch11 -p 1
 %patch12 -p 1
 %patch13 -p 1
+%patch14 -p 1
 # disable the subprocess test only on ARM
 %ifarch %{arm} aarch64
-%patch14 -p 1
+%patch15 -p 1
 %endif
 cp %{SOURCE98} .