!250 improve security compile option of isula-build binary

From: @meilier Reviewed-by: @jingxiaolu Signed-off-by: @jingxiaolu
2022-09-20 02:27:34 +00:00 · 2022-09-20 02:27:34 +00:00 · b5fec76b35
commit b5fec76b35
parent 61e7efba4c 1ba6007281
6 changed files with 38 additions and 6 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.9.6-11
+0.9.6-12
--- a/4
+++ b/4
@ -9,7 +9,7 @@ set -ex
 pkg=isula-build
 cwd=${PWD}
 src=${cwd}/${pkg}
-tar_file=v"$(awk -F"-" '{print $1}' < VERSION-openeuler)".tar.gz
+tar_file=v"$(awk -F"-" '{print $1}' <VERSION-openeuler)".tar.gz

 mkdir ${src} && tar -zxvf "${tar_file}" -C ${src} --strip-components 1
 if [ ! -d patch ]; then
@ -25,7 +25,7 @@ git commit -m 'init build'
 cd "${cwd}"

 series=${cwd}/series.conf
-while IPF= read -r line; do
+while IPF= read -r line || [ -n "$line" ]; do
    if [[ "${line}" =~ ^patch* ]]; then
        echo "git apply ${cwd}/${line}"
        cd "${src}" && git apply "${cwd}/${line}"
--- a/2
+++ b/2
@ -1 +1 @@
-e88af88d105b4a5f68bd3a816ced949c3958353c
+716dbdd867b5ee948f741de9958525531b59a31e
--- a/isula-build.spec
+++ b/isula-build.spec
@ -2,7 +2,7 @@

 Name: isula-build
 Version: 0.9.6
-Release: 11
+Release: 12
 Summary: A tool to build container images
 License: Mulan PSL V2
 URL: https://gitee.com/openeuler/isula-build
@ -85,6 +85,12 @@ fi
 /usr/share/bash-completion/completions/isula-build

 %changelog
+* Wed Sep 14 2022 xingweizheng <xingweizheng@huawei.com> - 0.9.6-12
+- Type:bugfix
+- CVE:NA
+- SUG:restart
+- DESC:improve security compile option of isula-build binary
+
 * Fri Aug 19 2022 daisicheng <daisicheng@huawei.com> - 0.9.6-11
 - Type:bugfix
 - CVE:NA
--- a/patch/0126-improve-security-compile-option-of-isula-build-binar.patch
+++ b/patch/0126-improve-security-compile-option-of-isula-build-binar.patch
@ -0,0 +1,25 @@
+From bdbd4b3136d57ef5e8d30f8537d03693cc11c481 Mon Sep 17 00:00:00 2001
+From: xingweizheng <xingweizheng@huawei.com>
+Date: Tue, 13 Sep 2022 23:07:28 +0800
+Subject: [PATCH] improve security compile option of isula-build binary
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 4bdb064..0d6bd01 100644
+--- a/Makefile
+++ b/Makefile
+@@ -23,7 +23,7 @@ BUILDFLAGS := -tags "$(BUILDTAGS)"
+ TMPDIR := /tmp/isula_build_tmpdir
+ BEFLAG := -tmpdir=${TMPDIR}
+ SAFEBUILDFLAGS := -buildid=IdByIsula -buildmode=pie -extldflags=-ftrapv -extldflags=-zrelro -extldflags=-znow $(BEFLAG) $(LDFLAGS)
+-STATIC_LDFLAGS := -linkmode=external -extldflags=-static
+STATIC_LDFLAGS := -linkmode=external -extldflags "-static-pie -Wl,-z,now"
+ 
+ IMAGE_BUILDARGS := $(if $(http_proxy), --build-arg http_proxy=$(http_proxy))
+ IMAGE_BUILDARGS += $(if $(https_proxy), --build-arg https_proxy=$(https_proxy))
+-- 
+2.27.0
+
--- a/series.conf
+++ b/series.conf
@ -33,4 +33,5 @@ patch/0121-print-first-and-second-error-when-dockerfile-not-fou.patch
 patch/0122-registries.toml-could-not-be-empty-hosts-resolv.conf.patch
 patch/0123-modify-the-Makefile-and-README-document.patch
 patch/0124-add-the-constraints-and-limitations-of-the-doc.patch
-patch/0125-fix-the-possible-file-leakage-problem-in-util-cipher.patch
+patch/0125-fix-the-possible-file-leakage-problem-in-util-cipher.patch
+patch/0126-improve-security-compile-option-of-isula-build-binar.patch
 @ -1 +1 @@
 .9.6-11
 .9.6-12