update code

This commit is contained in:
zhuchunyi 2019-11-06 19:03:44 +08:00
parent 9de73b8f5c
commit 10b5826125
4 changed files with 24 additions and 142 deletions


@ -1,44 +0,0 @@
diff -Nurp bubblewrap-0.3.1/bubblewrap.c bubblewrap-0.3.1-old/bubblewrap.c
--- bubblewrap-0.3.1/bubblewrap.c 2018-09-26 08:55:17.000000000 -0400
+++ bubblewrap-0.3.1-old/bubblewrap.c 2019-06-13 03:26:14.489000000 -0400
@@ -1977,7 +1977,7 @@ main (int argc,
char **argv)
{
mode_t old_umask;
- cleanup_free char *base_path = NULL;
+ const char *base_path = NULL;
int clone_flags;
char *old_cwd = NULL;
pid_t pid;
@@ -2117,15 +2117,12 @@ main (int argc,
die_with_error ("Can't open /proc");
/* We need *some* mountpoint where we can mount the root tmpfs.
- We first try in /run, and if that fails, try in /tmp. */
- base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid);
- if (ensure_dir (base_path, 0755))
- {
- free (base_path);
- base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid);
- if (ensure_dir (base_path, 0755))
- die_with_error ("Creating root mountpoint failed");
- }
+ * Because we use pivot_root, it won't appear to be mounted from
+ * * the perspective of the sandboxed process, so we can use anywhere
+ * * that is sure to exist, that is sure to not be a symlink controlled
+ * * by someone malicious, and that we won't immediately need to
+ * * access ourselves. */
+ base_path = "/tmp";
__debug__ (("creating new namespace\n"));
@@ -2315,7 +2312,8 @@ main (int argc,
/* We create a subdir "$base_path/newroot" for the new root, that
* way we can pivot_root to base_path, and put the old root at
* "$base_path/oldroot". This avoids problems accessing the oldroot
- * dir if the user requested to bind mount something over / */
+ * dir if the user requested to bind mount something over / (or
+ * over /tmp, now that we use that for base_path). */
if (mkdir ("newroot", 0755))
die_with_error ("Creating newroot failed");


BIN
bubblewrap-0.3.3.tar.xz Normal file



@ -1,28 +1,22 @@
Name: bubblewrap Name: bubblewrap
Version: 0.3.1 Version: 0.3.3
Release: 1.h1%{?dist} Release: 1
Summary: Core execution tool for unprivileged containers Summary: Core execution tool for unprivileged containers
License: LGPLv2+ License: LGPLv2+
#VCS: git:https://github.com/projectatomic/bubblewrap
URL: https://github.com/projectatomic/bubblewrap URL: https://github.com/projectatomic/bubblewrap
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz Source0: https://github.com/containers/bubblewrap/archive/bubblewrap-%{version}.tar.xz
Patch6000:CVE-2019-12439.patch
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool gcc libcap-devel
BuildRequires: gcc BuildRequires: pkgconfig(libselinux) libxslt docbook-style-xsl
BuildRequires: libcap-devel
BuildRequires: pkgconfig(libselinux)
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
%description %description
Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged There is an effort in the Linux kernel called user namespaces which
containers that works as a setuid binary on kernels without attempts to allow unprivileged users to use container features.
user namespaces.
%package_help
%prep %prep
%autosetup %autosetup -n %{name}-%{version} -p1
%build %build
if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
@ -30,88 +24,20 @@ if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
%make_build %make_build
%install %install
%make_install INSTALL="install -p -c" %make_install
find %{buildroot} -name '*.la' -delete -print %delete_la
%files %files
%defattr(-,root,root)
%license COPYING %license COPYING
%dir %{_datadir}/bash-completion
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/bwrap
%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
%else
%{_bindir}/bwrap %{_bindir}/bwrap
%endif %{_datadir}/bash-completion/completions/bwrap
%files help
%defattr(-,root,root)
%doc README.md
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Thu Jun 13 2019 yuejiayan<yuejiayan@huawei.com> - 0.3.1-1.h1 * Mon Oct 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.3.3-1
- Type:cves - Package init
- ID:CVE-2019-12439
- SUG:NA
- DESC:fix CVE-2019-12439
* Mon Oct 01 2018 Kalev Lember <klember@redhat.com> - 0.3.1-1
- Update to 0.3.1
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 11 2018 Colin Walters <walters@verbum.org> - 0.3.0-1
- https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.0
* Wed May 16 2018 Kalev Lember <klember@redhat.com> - 0.2.1-1
- Update to 0.2.1
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Oct 09 2017 Colin Walters <walters@verbum.org> - 0.2.0-2
- New upstream version
- https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Mar 28 2017 Colin Walters <walters@verbum.org> - 0.1.8-1
- New upstream version
https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.8
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Jan 18 2017 Colin Walters <walters@verbum.org> - 0.1.7-1
- New upstream version;
https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.7
- Resolves: #1411814
* Tue Jan 10 2017 Colin Walters <walters@verbum.org> - 0.1.6-1
- New upstream version with security fix
- Resolves: #1411814
* Mon Dec 19 2016 Kalev Lember <klember@redhat.com> - 0.1.5-1
- Update to 0.1.5
* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
- Backport fix for regression in previous commit for rpm-ostree
* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.1.4-1
- Update to 0.1.4
* Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
- New upstream version
* Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
- Update to 0.1.2
* Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
- Trivial fixes in packaging
* Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
- Initial package
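Review bot: Dropping `Patch6000:CVE-2019-12439.patch` together with the 0.3.1 to 0.3.3 bump leaves no record in the spec or the changelog of why the patch is gone, so a later reader cannot tell whether the fix was lost or absorbed upstream. The 0.3.3 release presumably carries the upstream fix for CVE-2019-12439 (its release date matches the timestamp in the removed patch), but that should be confirmed against the upstream 0.3.3 notes and written down, e.g. a changelog line under the 0.3.3-1 entry: `- Drop CVE-2019-12439.patch: fixed upstream in 0.3.3`. The new `Source0` points at an auto-generated GitHub archive of the tag instead of the `releases/download` tarball, so the committed `bubblewrap-0.3.3.tar.xz` can no longer be matched against the checksum of the upstream release artifact; keeping the release URL, or recording the tarball's hash in the changelog, would restore that check. The rhel <= 7 `%caps(...)` block and `%defattr` are removed, which is consistent with a target where bwrap runs unprivileged via user namespaces, but that assumption is now only implied by the new `%description` text rather than stated.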