commit 9de73b8f5c7867ca16972e4d8377b2afc9b229b1 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:33:34 2019 -0400 Package init
diff --git a/CVE-2019-12439.patch b/CVE-2019-12439.patch
new file mode 100644
index 0000000..439bc28
--- /dev/null
+++ b/CVE-2019-12439.patch
@@ -0,0 +1,44 @@
+diff -Nurp bubblewrap-0.3.1/bubblewrap.c bubblewrap-0.3.1-old/bubblewrap.c
+--- bubblewrap-0.3.1/bubblewrap.c 2018-09-26 08:55:17.000000000 -0400
++++ bubblewrap-0.3.1-old/bubblewrap.c 2019-06-13 03:26:14.489000000 -0400
+@@ -1977,7 +1977,7 @@ main (int argc,
+ char **argv)
+ {
+ mode_t old_umask;
+- cleanup_free char *base_path = NULL;
++ const char *base_path = NULL;
+ int clone_flags;
+ char *old_cwd = NULL;
+ pid_t pid;
+@@ -2117,15 +2117,12 @@ main (int argc,
+ die_with_error ("Can't open /proc");
+
+ /* We need *some* mountpoint where we can mount the root tmpfs.
+- We first try in /run, and if that fails, try in /tmp. */
+- base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid);
+- if (ensure_dir (base_path, 0755))
+- {
+- free (base_path);
+- base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid);
+- if (ensure_dir (base_path, 0755))
+- die_with_error ("Creating root mountpoint failed");
+- }
++ * Because we use pivot_root, it won't appear to be mounted from
++ * * the perspective of the sandboxed process, so we can use anywhere
++ * * that is sure to exist, that is sure to not be a symlink controlled
++ * * by someone malicious, and that we won't immediately need to
++ * * access ourselves. */
++ base_path = "/tmp";
+
+ __debug__ (("creating new namespace\n"));
+
+@@ -2315,7 +2312,8 @@ main (int argc,
+ /* We create a subdir "$base_path/newroot" for the new root, that
+ * way we can pivot_root to base_path, and put the old root at
+ * "$base_path/oldroot". This avoids problems accessing the oldroot
+- * dir if the user requested to bind mount something over / */
++ * dir if the user requested to bind mount something over / (or
++ * over /tmp, now that we use that for base_path). */
+
+ if (mkdir ("newroot", 0755))
+ die_with_error ("Creating newroot failed");
diff --git a/bubblewrap-0.3.1.tar.xz b/bubblewrap-0.3.1.tar.xz
new file mode 100644
index 0000000..4bb8d6f
Binary files /dev/null and b/bubblewrap-0.3.1.tar.xz differ
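Review bot: The patch file carries no provenance — it starts straight at `diff -Nurp` with nothing naming the upstream commit it backports, the CVE, or the fact that it targets 0.3.1, so a later auditor has to rediscover the upstream fix to compare against; add a short header above the first `diff` line such as `Backport for CVE-2019-12439: use /tmp as the pivot_root base instead of a per-user directory created under /run or /tmp; taken from the upstream bubblewrap fix for this issue.` The `---`/`+++` header also labels the patched tree `bubblewrap-0.3.1-old`, which reads as the pre-fix side even though the hunks remove the `xasprintf`/`ensure_dir` code and add `base_path = "/tmp"`; renaming that suffix would stop readers misjudging the direction. Four of the new comment lines open with `* *`, a doubled leader that is harmless inside the `/* ... */` but inconsistent with the first comment line and with the upstream wording. The hunks sit inside `main`, whose later uses of `base_path` are outside this patch; with `cleanup_free` dropped and the pointer now `const` to a string literal, any remaining `free (base_path)` elsewhere would free a literal, which cannot be ruled out from here.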
diff --git a/bubblewrap.spec b/bubblewrap.spec
new file mode 100644
index 0000000..097237e
--- /dev/null
+++ b/bubblewrap.spec
@@ -0,0 +1,117 @@
+Name: bubblewrap
+Version: 0.3.1
+Release: 1.h1%{?dist}
+Summary: Core execution tool for unprivileged containers
+
+License: LGPLv2+
+#VCS: git:https://github.com/projectatomic/bubblewrap
+URL: https://github.com/projectatomic/bubblewrap
+Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
+Patch6000:CVE-2019-12439.patch
+
+BuildRequires: autoconf automake libtool
+BuildRequires: gcc
+BuildRequires: libcap-devel
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: libxslt
+BuildRequires: docbook-style-xsl
+
+%description
+Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
+containers that works as a setuid binary on kernels without
+user namespaces.
+
+%prep
+%autosetup
+
+%build
+if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
+%configure --disable-silent-rules --with-priv-mode=none
+%make_build
+
+%install
+%make_install INSTALL="install -p -c"
+find %{buildroot} -name '*.la' -delete -print
+
+%files
+%license COPYING
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/bwrap
+%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
+%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
+%else
+%{_bindir}/bwrap
+%endif
+%{_mandir}/man1/*
+
+%changelog
+* Thu Jun 13 2019 yuejiayan - 0.3.1-1.h1
+- Type:cves
+- ID:CVE-2019-12439
+- SUG:NA
+- DESC:fix CVE-2019-12439
+* Mon Oct 01 2018 Kalev Lember - 0.3.1-1
+- Update to 0.3.1
+
+* Thu Jul 12 2018 Fedora Release Engineering - 0.3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 11 2018 Colin Walters - 0.3.0-1
+- https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.0
+
+* Wed May 16 2018 Kalev Lember - 0.2.1-1
+- Update to 0.2.1
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Oct 09 2017 Colin Walters - 0.2.0-2
+- New upstream version
+- https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0
+
+* Wed Aug 02 2017 Fedora Release Engineering - 0.1.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.1.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Mar 28 2017 Colin Walters - 0.1.8-1
+- New upstream version
+ https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.8
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.1.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Colin Walters - 0.1.7-1
+- New upstream version;
+ https://github.com/projectatomic/bubblewrap/releases/tag/v0.1.7
+- Resolves: #1411814
+
+* Tue Jan 10 2017 Colin Walters - 0.1.6-1
+- New upstream version with security fix
+- Resolves: #1411814
+
+* Mon Dec 19 2016 Kalev Lember - 0.1.5-1
+- Update to 0.1.5
+
+* Tue Dec 06 2016 walters@redhat.com - 0.1.4-4
+- Backport fix for regression in previous commit for rpm-ostree
+
+* Thu Dec 01 2016 walters@redhat.com - 0.1.4-3
+- Backport patch to fix running via nspawn, which should fix rpm-ostree-in-bodhi
+
+* Tue Nov 29 2016 Kalev Lember - 0.1.4-1
+- Update to 0.1.4
+
+* Fri Oct 14 2016 Colin Walters - 0.1.3-2
+- New upstream version
+
+* Mon Sep 12 2016 Kalev Lember - 0.1.2-1
+- Update to 0.1.2
+
+* Tue Jul 12 2016 Igor Gnatenko - 0.1.1-2
+- Trivial fixes in packaging
+
+* Fri Jul 08 2016 Colin Walters - 0.1.1
+- Initial package
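Review bot: `%prep` runs `%autosetup` with no `-p` level, so `Patch6000` is applied relying on patch's default file-name handling (basename when the leading `bubblewrap-0.3.1/` directory is absent from the build tree, unless the build macros set a default level); that happens to land on the top-level `bubblewrap.c` here, but it is implicit and a later patch touching a file in a subdirectory would fail to locate its target. Make the level explicit with `%autosetup -p1`, which matches the one-component prefix used in `CVE-2019-12439.patch`. The 0.3.1-1.h1 changelog entry names only the CVE; recording the upstream commit the patch was taken from would let the backport be re-verified later. The tarball committed next to the spec is not pinned by any checksum or signature check in the spec; whether upstream publishes release signatures cannot be told from here, but a recorded sha256 would at least tie the binary to the build.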