Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package conmon for openSUSE:Factory checked 
in at 2022-06-30 13:18:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/conmon (Old)
 and      /work/SRC/openSUSE:Factory/.conmon.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "conmon"

Thu Jun 30 13:18:06 2022 rev:24 rq:985759 version:2.1.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/conmon/conmon.changes    2022-05-14 
22:54:23.683158320 +0200
+++ /work/SRC/openSUSE:Factory/.conmon.new.1548/conmon.changes  2022-06-30 
13:18:08.453523421 +0200
@@ -1,0 +2,8 @@
+Wed Jun 29 06:05:57 UTC 2022 - Enrico Belleri <ide...@protonmail.com>
+
+- Update to version 2.1.2:
+  * add log-global-size-max option to limit the total output conmon processes 
(CVE-2022-1708 boo#1200285)
+  * journald: print tag and name if both are specified
+  * drop some logs to debug level
+
+-------------------------------------------------------------------

Old:
----
  conmon-2.1.0.tar.xz

New:
----
  conmon-2.1.2.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ conmon.spec ++++++
--- /var/tmp/diff_new_pack.DUzhhM/_old  2022-06-30 13:18:08.945523789 +0200
+++ /var/tmp/diff_new_pack.DUzhhM/_new  2022-06-30 13:18:08.949523793 +0200
@@ -17,16 +17,16 @@
 
 
 Name:           conmon
-Version:        2.1.0
+Version:        2.1.2
 Release:        0
 Summary:        An OCI container runtime monitor
 License:        Apache-2.0
 Group:          System/Management
 URL:            https://github.com/containers/conmon
 Source0:        %{name}-%{version}.tar.xz
-BuildRequires:  glib2-devel
-BuildRequires:  pkgconfig
 BuildRequires:  golang(API) >= 1.16
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(glib-2.0)
 BuildRequires:  pkgconfig(libseccomp)
 BuildRequires:  pkgconfig(libsystemd)
 

++++++ _service ++++++
--- /var/tmp/diff_new_pack.DUzhhM/_old  2022-06-30 13:18:08.977523814 +0200
+++ /var/tmp/diff_new_pack.DUzhhM/_new  2022-06-30 13:18:08.981523817 +0200
@@ -4,7 +4,7 @@
 <param name="scm">git</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">[v]?([^\+]+)(.*)</param>
-<param name="revision">v2.1.0</param>
+<param name="revision">v2.1.2</param>
 <param name="changesgenerate">disable</param>
 </service>
 <service name="recompress" mode="disabled">

++++++ conmon-2.1.0.tar.xz -> conmon-2.1.2.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/VERSION new/conmon-2.1.2/VERSION
--- old/conmon-2.1.0/VERSION    2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/VERSION    2022-06-16 14:51:54.000000000 +0200
@@ -1 +1 @@
-2.1.0
+2.1.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/meson.build new/conmon-2.1.2/meson.build
--- old/conmon-2.1.0/meson.build        2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/meson.build        2022-06-16 14:51:54.000000000 +0200
@@ -43,6 +43,14 @@
   libdl = cc.find_library('dl')
 endif
 
+sd_journal = dependency('libsystemd-journal', required : false)
+if not sd_journal.found()
+       sd_journal = dependency('libsystemd', required : false)
+endif
+if sd_journal.found()
+       add_project_arguments('-DUSE_JOURNALD=1', language : 'c')
+endif
+
 executable('conmon',
            ['src/conmon.c',
             'src/config.h',
@@ -78,7 +86,7 @@
             'src/utils.h',
             'src/seccomp_notify.c',
             'src/seccomp_notify.h'],
-           dependencies : [glib, libdl],
+           dependencies : [glib, libdl, sd_journal],
            install : true,
            install_dir : join_paths(get_option('libexecdir'), 'podman'),
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/src/cli.c new/conmon-2.1.2/src/cli.c
--- old/conmon-2.1.0/src/cli.c  2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/src/cli.c  2022-06-16 14:51:54.000000000 +0200
@@ -38,6 +38,7 @@
 char *opt_exit_dir = NULL;
 int opt_timeout = 0;
 int64_t opt_log_size_max = -1;
+int64_t opt_log_global_size_max = -1;
 char *opt_socket_path = DEFAULT_SOCKET_PATH;
 gboolean opt_no_new_keyring = FALSE;
 char *opt_exit_command = NULL;
@@ -72,6 +73,7 @@
        {"log-level", 0, 0, G_OPTION_ARG_STRING, &opt_log_level, "Print debug 
logs based on log level", NULL},
        {"log-path", 'l', 0, G_OPTION_ARG_STRING_ARRAY, &opt_log_path, "Log 
file path", NULL},
        {"log-size-max", 0, 0, G_OPTION_ARG_INT64, &opt_log_size_max, "Maximum 
size of log file", NULL},
+       {"log-global-size-max", 0, 0, G_OPTION_ARG_INT64, 
&opt_log_global_size_max, "Maximum size of all log files", NULL},
        {"log-tag", 0, 0, G_OPTION_ARG_STRING, &opt_log_tag, "Additional tag to 
use for logging", NULL},
        {"name", 'n', 0, G_OPTION_ARG_STRING, &opt_name, "Container name", 
NULL},
        {"no-new-keyring", 0, 0, G_OPTION_ARG_NONE, &opt_no_new_keyring, "Do 
not create a new session keyring for the container", NULL},
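Review bot: The help text for `log-global-size-max` gives no unit and does not say that the limit is off unless the option is passed. `opt_log_global_size_max` is initialised to -1 in this file, and the check added in ctr_logging.c only fires for values greater than zero, so a caller that does not set the option gets no cap on total log output after this update. The counter it is compared against is a byte count, so I would spell both out in the description, e.g. `"Maximum total size in bytes of all log output (-1 or 0 means no limit)"`.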
@@ -189,5 +191,5 @@
        if (opt_container_pid_file == NULL)
                opt_container_pid_file = g_strdup_printf("%s/pidfile-%s", cwd, 
opt_cid);
 
-       configure_log_drivers(opt_log_path, opt_log_size_max, opt_cid, 
opt_name, opt_log_tag);
+       configure_log_drivers(opt_log_path, opt_log_size_max, 
opt_log_global_size_max, opt_cid, opt_name, opt_log_tag);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/src/conn_sock.c 
new/conmon-2.1.2/src/conn_sock.c
--- old/conmon-2.1.0/src/conn_sock.c    2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/src/conn_sock.c    2022-06-16 14:51:54.000000000 +0200
@@ -136,7 +136,7 @@
        }
 
        addr.sun_family = AF_UNIX;
-       ninfof("addr{sun_family=AF_UNIX, sun_path=%s}", addr.sun_path);
+       ndebugf("addr{sun_family=AF_UNIX, sun_path=%s}", addr.sun_path);
 
        /* Bind to the console socket path. */
        *fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
@@ -209,7 +209,7 @@
 
        _cleanup_free_ char *sock_proc_entry = 
g_strdup_printf("/proc/self/fd/%d/%s", parent_dir_fd, socket_relative_name);
        strncpy(socket_addr.sun_path, sock_proc_entry, 
sizeof(socket_addr.sun_path) - 1);
-       ninfof("addr{sun_family=AF_UNIX, sun_path=%s}", socket_addr.sun_path);
+       ndebugf("addr{sun_family=AF_UNIX, sun_path=%s}", socket_addr.sun_path);
 
 
        /*
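Review bot: The `strncpy` into `socket_addr.sun_path` truncates silently when `sock_proc_entry` is longer than the field, so the path actually used can differ from the one intended without any error. Termination of the copy also relies on `socket_addr` having been zeroed beforehand, which is not visible in this hunk. An explicit check before the copy, `if (strlen(sock_proc_entry) >= sizeof(socket_addr.sun_path))` followed by the file's usual error path, would turn the truncation into a reported failure. The enclosing function starts and ends outside the hunk.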
@@ -326,7 +326,7 @@
                remote_sock->fd = new_fd;
                g_unix_fd_add(remote_sock->fd, G_IO_IN | G_IO_HUP | G_IO_ERR, 
remote_sock_cb, remote_sock);
                g_ptr_array_add(remote_sock->dest->readers, remote_sock);
-               ninfof("Accepted%s connection %d", 
SOCK_IS_CONSOLE(srcsock->sock_type) ? " console" : "", remote_sock->fd);
+               ndebugf("Accepted%s connection %d", 
SOCK_IS_CONSOLE(srcsock->sock_type) ? " console" : "", remote_sock->fd);
        }
 
        return G_SOURCE_CONTINUE;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/src/ctr_logging.c 
new/conmon-2.1.2/src/ctr_logging.c
--- old/conmon-2.1.0/src/ctr_logging.c  2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/src/ctr_logging.c  2022-06-16 14:51:54.000000000 +0200
@@ -34,6 +34,9 @@
 /* Max log size for any log file types */
 static int64_t log_size_max = -1;
 
+/* Max total log size for any log file types */
+static int64_t log_global_size_max = -1;
+
 /* k8s log file parameters */
 static int k8s_log_fd = -1;
 static char *k8s_log_path = NULL;
@@ -95,9 +98,10 @@
  * (currently just k8s log file), it will also open the log_fd for that 
specific
  * log file.
  */
-void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, char 
*cuuid_, char *name_, char *tag)
+void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, int64_t 
log_global_size_max_, char *cuuid_, char *name_, char *tag)
 {
        log_size_max = log_size_max_;
+       log_global_size_max = log_global_size_max_;
        if (log_drivers == NULL)
                nexit("Log driver not provided. Use --log-path");
        for (int driver = 0; log_drivers[driver]; ++driver) {
@@ -132,22 +136,23 @@
                /* Setup some sd_journal_sendv arguments that won't change */
                container_id_full = g_strdup_printf("CONTAINER_ID_FULL=%s", 
cuuid);
                container_id = g_strdup_printf("CONTAINER_ID=%s", short_cuuid);
-               if (tag) {
-                       container_tag = g_strdup_printf("CONTAINER_TAG=%s", 
tag);
-                       container_tag_len = strlen(container_tag);
 
-                       syslog_identifier = 
g_strdup_printf("SYSLOG_IDENTIFIER=%s", tag);
-                       syslog_identifier_len = strlen(syslog_identifier);
-               } else if (name) {
-                       /* save the length so we don't have to compute every 
sd_journal_* call */
+               /* Priority order of syslog_identifier (in order of precedence) 
is tag, name, `conmon`. */
+               syslog_identifier = g_strdup_printf("SYSLOG_IDENTIFIER=%s", 
short_cuuid);
+               syslog_identifier_len = TRUNC_ID_LEN + SYSLOG_IDENTIFIER_EQ_LEN;
+               if (name) {
                        name_len = strlen(name);
                        container_name = g_strdup_printf("CONTAINER_NAME=%s", 
name);
 
                        syslog_identifier = 
g_strdup_printf("SYSLOG_IDENTIFIER=%s", name);
                        syslog_identifier_len = name_len + 
SYSLOG_IDENTIFIER_EQ_LEN;
-               } else {
-                       syslog_identifier = 
g_strdup_printf("SYSLOG_IDENTIFIER=%s", short_cuuid);
-                       syslog_identifier_len = TRUNC_ID_LEN + 
SYSLOG_IDENTIFIER_EQ_LEN;
+               }
+               if (tag) {
+                       container_tag = g_strdup_printf("CONTAINER_TAG=%s", 
tag);
+                       container_tag_len = strlen(container_tag);
+
+                       syslog_identifier = 
g_strdup_printf("SYSLOG_IDENTIFIER=%s", tag);
+                       syslog_identifier_len = strlen(syslog_identifier);
                }
        }
 }
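Review bot: `syslog_identifier` is now assigned by `g_strdup_printf` up to three times in a row (short id, then name, then tag) and the earlier strings are never freed, so each overwritten allocation leaks unless the variable carries a cleanup attribute that is not visible here. Choosing the source string first avoids both the leak and the repeated formatting: `const char *ident = tag ? tag : (name ? name : short_cuuid);` then `syslog_identifier = g_strdup_printf("SYSLOG_IDENTIFIER=%s", ident);` and `syslog_identifier_len = strlen(syslog_identifier);`, leaving the `container_name` and `container_tag` assignments in their own `if` blocks. The new comment also names `conmon` as the last fallback while the code uses `short_cuuid`; the comment should say the truncated container id. The enclosing block starts outside the hunk.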
@@ -234,7 +239,7 @@
  * otherwise, write with error priority. Partial lines (that don't end in a 
newline) are buffered
  * between invocations. A 0 buflen argument forces a buffered partial line to 
be flushed.
  */
-int write_journald(int pipe, char *buf, ssize_t buflen)
+static int write_journald(int pipe, char *buf, ssize_t buflen)
 {
        static char stdout_partial_buf[STDIO_BUF_SIZE];
        static size_t stdout_partial_buf_len = 0;
@@ -344,6 +349,7 @@
        writev_buffer_t bufv = {0};
        static int64_t bytes_written = 0;
        int64_t bytes_to_be_written = 0;
+       static int64_t total_bytes_written = 0;
 
        /*
         * Use the same timestamp for every line of the log in this buffer.
@@ -367,6 +373,10 @@
                        bytes_to_be_written += 1;
                }
 
+               /* If the caller specified a global max, enforce it before 
writing */
+               if (log_global_size_max > 0 && total_bytes_written >= 
log_global_size_max)
+                       break;
+
                /*
                 * We re-open the log file if writing out the bytes will exceed 
the max
                 * log size. We also reset the state so that the new file is 
started with
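Review bot: The new guard compares only the bytes already written, so the write that crosses `log_global_size_max` still goes out in full and the total can exceed the configured cap by up to one line. Comparing `total_bytes_written + bytes_to_be_written > log_global_size_max` would make the option a hard ceiling. The `break` also discards the rest of the buffer without any message; a one-time warning when the cap is first hit would tell an operator why container logs stopped. `total_bytes_written` is a function-local static, so presumably only this writer's output is counted, and it is worth confirming that the other log drivers are covered by the limit. The loop body continues outside the hunk.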
@@ -420,6 +430,7 @@
                }
 
                bytes_written += bytes_to_be_written;
+               total_bytes_written += bytes_to_be_written;
        next:
                /* Update the head of the buffer remaining to output. */
                buf += line_len;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/src/ctr_logging.h 
new/conmon-2.1.2/src/ctr_logging.h
--- old/conmon-2.1.0/src/ctr_logging.h  2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/src/ctr_logging.h  2022-06-16 14:51:54.000000000 +0200
@@ -7,7 +7,7 @@
 
 void reopen_log_files(void);
 bool write_to_logs(stdpipe_t pipe, char *buf, ssize_t num_read);
-void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, char 
*cuuid_, char *name_, char *tag);
+void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, int64_t 
log_global_size_max_, char *cuuid_, char *name_, char *tag);
 void sync_logs(void);
 gboolean logging_is_passthrough(void);
 void close_logging_fds(void);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/src/ctrl.c new/conmon-2.1.2/src/ctrl.c
--- old/conmon-2.1.0/src/ctrl.c 2022-01-24 21:00:50.000000000 +0100
+++ new/conmon-2.1.2/src/ctrl.c 2022-06-16 14:51:54.000000000 +0200
@@ -25,7 +25,7 @@
 gboolean terminal_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, 
G_GNUC_UNUSED gpointer user_data)
 {
 
-       ninfof("about to accept from console_socket_fd: %d", fd);
+       ndebugf("about to accept from console_socket_fd: %d", fd);
        int connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC);
        if (connfd < 0) {
                nwarn("Failed to accept console-socket connection");
@@ -40,10 +40,10 @@
        close(fd);
 
        /* We exit if this fails. */
-       ninfof("about to recvfd from connfd: %d", connfd);
+       ndebugf("about to recvfd from connfd: %d", connfd);
        struct file_t console = recvfd(connfd);
 
-       ninfof("console = {.name = '%s'; .fd = %d}", console.name, console.fd);
+       ndebugf("console = {.name = '%s'; .fd = %d}", console.name, console.fd);
        free(console.name);
 
        /* We change the terminal settings to match kube settings */
@@ -100,7 +100,7 @@
 {
        int height, width, ret = -1;
        ret = sscanf(line, "%d %d\n", &height, &width);
-       ninfof("Height: %d, Width: %d", height, width);
+       ndebugf("Height: %d, Width: %d", height, width);
        if (ret != 2) {
                nwarn("Failed to sscanf message");
                return FALSE;
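Review bot: `height` and `width` are passed to `ndebugf` before `ret` is checked, so when `sscanf` converts fewer than two values the log call reads uninitialised ints. Move `ndebugf("Height: %d, Width: %d", height, width);` below the `if (ret != 2)` block, or initialise both variables at declaration (`int height = 0, width = 0, ret = -1;`). The function continues outside the hunk.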
@@ -135,7 +135,7 @@
                return FALSE;
        }
 
-       ninfof("Message type: %d", ctl_msg_type);
+       ndebugf("Message type: %d", ctl_msg_type);
        switch (ctl_msg_type) {
        case WIN_RESIZE_EVENT: {
                _cleanup_free_ char *hw_str = g_strdup_printf("%d %d\n", 
height, width);
@@ -149,7 +149,7 @@
                reopen_log_files();
                break;
        default:
-               ninfof("Unknown message type: %d", ctl_msg_type);
+               nwarnf("Unknown message type: %d", ctl_msg_type);
                break;
        }
        return TRUE;
@@ -174,7 +174,7 @@
        }
 
        readptr[num_read] = '\0';
-       ninfof("Got ctl message: %s on fd %d", ctlbuf, fd);
+       ndebugf("Got ctl message: %s on fd %d", ctlbuf, fd);
 
        char *beg = ctlbuf;
        char *newline = strchrnul(beg, '\n');
@@ -231,7 +231,7 @@
 void setup_console_fifo()
 {
        setup_fifo(&winsz_fd_r, &winsz_fd_w, "winsz", "window resize control 
fifo");
-       ninfof("winsz read side: %d, winsz write side: %d", winsz_fd_r, 
winsz_fd_r);
+       ndebugf("winsz read side: %d, winsz write side: %d", winsz_fd_r, 
winsz_fd_r);
 }
 
 int setup_terminal_control_fifo()
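Review bot: The debug message in `setup_console_fifo` prints `winsz_fd_r` for both the read and the write side, so the write-side descriptor never appears in the log. The second argument should be `winsz_fd_w`: `ndebugf("winsz read side: %d, winsz write side: %d", winsz_fd_r, winsz_fd_w);`.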
@@ -242,7 +242,7 @@
         */
        int dummyfd = -1;
        setup_fifo(&terminal_ctrl_fd, &dummyfd, "ctl", "terminal control fifo");
-       ninfof("terminal_ctrl_fd: %d", terminal_ctrl_fd);
+       ndebugf("terminal_ctrl_fd: %d", terminal_ctrl_fd);
        g_unix_fd_add(terminal_ctrl_fd, G_IO_IN, ctrl_cb, NULL);
 
        return dummyfd;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.1.0/src/seccomp_notify.c 
new/conmon-2.1.2/src/seccomp_notify.c
--- old/conmon-2.1.0/src/seccomp_notify.c       2022-01-24 21:00:50.000000000 
+0100
+++ new/conmon-2.1.2/src/seccomp_notify.c       2022-06-16 14:51:54.000000000 
+0200
@@ -63,7 +63,7 @@
 
 gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, 
G_GNUC_UNUSED gpointer user_data)
 {
-       ninfof("about to accept from seccomp_socket_fd: %d", fd);
+       ndebugf("about to accept from seccomp_socket_fd: %d", fd);
        int connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC);
        if (connfd < 0) {
                nwarn("Failed to accept console-socket connection");
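Review bot: The failure message in `seccomp_accept_cb` still reads "Failed to accept console-socket connection", which points anyone triaging the log at the wrong socket. Since the line above was already touched to name `seccomp_socket_fd`, the warning should match: `nwarn("Failed to accept seccomp-socket connection");`. The function body continues outside the hunk.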
