Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package umoci for openSUSE:Factory checked in at 2021-04-10 15:26:11

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/umoci (Old)
 and      /work/SRC/openSUSE:Factory/.umoci.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "umoci" Sat Apr 10 15:26:11 2021 rev:17 rq:883793 version:0.4.7 Changes: -------- --- /work/SRC/openSUSE:Factory/umoci/umoci.changes 2020-06-26 21:45:28.573837374 +0200 +++ /work/SRC/openSUSE:Factory/.umoci.new.2401/umoci.changes 2021-04-10 15:26:28.558314838 +0200 
@@ -1,0 +2,38 @@ +Tue Apr 6 11:13:10 UTC 2021 - Aleksa Sarai <asa...@suse.com> + +- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147 + + A security flaw was found in umoci, and has been fixed in this release. If + umoci was used to unpack a malicious image (using either umoci unpack or + umoci raw unpack) that contained a symlink entry for /., umoci would apply + subsequent layers to the target of the symlink (resolved on the host + filesystem). This means that if you ran umoci as root, a malicious image + could overwrite any file on the system (assuming you didn't have any other + access control restrictions). Thanks to Robin Peraglie from Cure53 for + discovering this bug. CVE-2021-29136 + + Other changes in this release: + + * umoci now compiles on FreeBSD and appears to work, with the notable + limitation that it currently refuses to extract non-Linux images on any + platform (this will be fixed in a future release). + * Initial fuzzer implementations for oss-fuzz. + * umoci will now read all trailing data from image layers, to combat the + existence of some image generators that appear to append NUL bytes to the + end of the gzip stream (which would previously cause checksum failures + because we didn't read nor checksum the trailing junk bytes). However, + umoci will still not read past the descriptor length. + * umoci now ignores all overlayfs xattrs during unpack and repack + operations, to avoid causing issues when packing a raw overlayfs + directory. + * For details, see CHANGELOG.md in the package. +- Backport patch to fix KIWI which depends on umoci having sane output from + "umoci --version". <https://github.com/opencontainers/umoci/pull/369> + + 0001-makefile-fix-bad-build-flags.patch + +------------------------------------------------------------------- +Thu Apr 1 05:36:50 UTC 2021 - Aleksa Sarai <asa...@suse.com> + +- Re-disable s390 builds. 
+ +------------------------------------------------------------------- Old: ---- umoci-0.4.6.tar.xz umoci-0.4.6.tar.xz.asc New: ---- 0001-makefile-fix-bad-build-flags.patch umoci-0.4.7.tar.xz umoci-0.4.7.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ umoci.spec ++++++ --- /var/tmp/diff_new_pack.ThytqV/_old 2021-04-10 15:26:28.978315332 +0200 +++ /var/tmp/diff_new_pack.ThytqV/_new 2021-04-10 15:26:28.982315337 +0200 @@ -1,7 +1,7 @@ # # spec file for package umoci # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define project github.com/opencontainers/umoci Name: umoci -Version: 0.4.6 +Version: 0.4.7 Release: 0 Summary: Open Container Image manipulation tool License: Apache-2.0 @@ -29,11 +29,14 @@ Source0: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz#/%{name}-%{version}.tar.xz Source1: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz.asc#/%{name}-%{version}.tar.xz.asc Source2: https://umo.ci/%{name}.keyring +# OPENSUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/umoci/pull/369>. +Patch1: 0001-makefile-fix-bad-build-flags.patch BuildRequires: fdupes +BuildRequires: go-go-md2man # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires # for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608 -BuildRequires: go-go-md2man BuildRequires: go1.14 +ExcludeArch: s390 %description umoci modifies Open Container images. umoci is a manipulation tool for OCI @@ -42,6 +45,8 @@ %prep %setup -q +# <https://github.com/opencontainers/umoci/pull/369> +%patch1 -p1 %build export VERSION="$(cat ./VERSION)" ++++++ 0001-makefile-fix-bad-build-flags.patch ++++++ 
>From ed20cebfec648920c59e0988aceeef7dfd646558 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyp...@cyphar.com> Date: Thu, 8 Apr 2021 18:55:40 +1000 Subject: [PATCH] makefile: fix bad build flags Fix mistake in the Makefile which prevents the version field (as well as some other build flags) from being passed to "go build". Fixes: 6fbd32e48b66 ("Make Makefile more portable") Signed-off-by: Aleksa Sarai <cyp...@cyphar.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d760e9289033..1fdcf650f4f9 100644 --- a/Makefile +++ b/Makefile @@ -71,7 +71,7 @@ BASE_LDFLAGS := -s -w -X ${PROJECT}.gitCommit=${COMMIT} -X ${PROJECT}.version=${ # Specific build flags for build type. ifeq ($(GOOS), linux) - TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test" DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}" + DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}" TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test" else DYN_BUILD_FLAGS := ${BASE_FLAGS} -ldflags "${BASE_LDFLAGS}" -- 2.30.2 ++++++ umoci-0.4.6.tar.xz -> umoci-0.4.7.tar.xz ++++++ ++++ 47329 lines of diff (skipped)
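Review bot: In the umoci.changes hunk (@@ -1,0 +2,38 @@) the identifier CVE-2021-29136 is given twice for the same entry, once in the header line "- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147" and again as a bare trailer after the Cure53 credit; keep the header reference only, since that is the line the changelog tooling picks up, and let the paragraph end at "discovering this bug."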
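Review bot: In the umoci.spec hunk @@ -20,7 +20,7 @@ the Version bump 0.4.6 -> 0.4.7 is the actual security fix for CVE-2021-29136, and the only thing authenticating the new tarball is the unchanged Source1 "umoci.tar.xz.asc" plus the Source2 "%{name}.keyring"; before accepting, confirm that the umoci-0.4.7.tar.xz.asc listed under New: verifies against that keyring, and that umoci-0.4.6.tar.xz and its .asc (listed under Old:) are really gone from the package.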
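Review bot: In the umoci.spec hunk @@ -29,11 +29,14 @@ the comment "so just require 1.13 exactly. bsc#1172608" now sits directly above "BuildRequires: go1.14", so it contradicts the line it introduces; moving "BuildRequires: go-go-md2man" above the comment was right (it keeps the comment attached to the Go line), but update the comment text to say 1.14. The new "ExcludeArch: s390" matches the "Re-disable s390 builds" changelog entry of Apr 1 but carries no explanation in the spec; add a one-line comment (or a bug reference) so the next maintainer knows whether it can be dropped.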
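Review bot: In the umoci.spec hunk @@ -42,6 +45,8 @@ "%patch1 -p1" is applied with only a URL as comment; the -p1 level is correct for the "diff --git a/Makefile b/Makefile" paths in 0001-makefile-fix-bad-build-flags.patch. Since the changelog says the whole reason for the backport is that KIWI depends on sane output from "umoci --version", and %build already exports VERSION from ./VERSION, consider adding a %check that runs the built binary with --version and fails the build if the output does not contain that VERSION string; that would have caught the original regression and will catch it again if the patch stops applying on a future rebase.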
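Review bot: The Makefile hunk @@ -71,7 +71,7 @@ rewrites only the DYN_BUILD_FLAGS / TEST_BUILD_FLAGS assignments inside the "ifeq ($(GOOS), linux)" branch, while the "else" branch line DYN_BUILD_FLAGS := ${BASE_FLAGS} -ldflags "${BASE_LDFLAGS}" is visible as trailing context and is left untouched; check that the non-linux branch does not carry the same mistake, especially since this same update advertises umoci building on FreeBSD. The commit message says "Fix mistake in the Makefile" without naming the mistake; a sentence stating what was wrong on the removed line would make the backport easier to verify and to drop once 0.4.8 is packaged.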