Compare commits


10 Commits

Author: openeuler-ci-bot
SHA1: 4ecb889167
Date: 2025-01-15 09:37:27 +00:00
Message:
    !139 fix-CVE-2024-28176
    From: @duyiwei7w
    Reviewed-by: @jianli-97
    Signed-off-by: @jianli-97

Author: duyiwei
SHA1: d7d212fef8
Date: 2025-01-15 16:50:27 +08:00
Message:
    fix-CVE-2024-28176

Author: openeuler-ci-bot
SHA1: 535eda0c6f
Date: 2025-01-14 08:41:30 +00:00
Message:
    !138 [sync] PR-135: Fix CVE-2024-6104
    From: @openeuler-sync-bot
    Reviewed-by: @jianli-97
    Signed-off-by: @jianli-97

Author: duyiwei
SHA1: 98a6532947
Date: 2025-01-14 15:13:21 +08:00
Message:
    fix CVE-2024-6104
    (cherry picked from commit 30c6cbb8cfa8adabf90fd2f1b529d63394ddc41a)

Author: openeuler-ci-bot
SHA1: 6d4c932b38
Date: 2025-01-13 08:30:31 +00:00
Message:
    !130 Fix CVE-2024-37298
    From: @duyiwei7w
    Reviewed-by: @jianli-97
    Signed-off-by: @jianli-97

Author: duyiwei
SHA1: 0d3439e237
Date: 2025-01-13 15:44:40 +08:00
Message:
    fix CVE-2024-37298

Author: openeuler-ci-bot
SHA1: b8751461a7
Date: 2025-01-10 09:57:33 +00:00
Message:
    !125 fix CVE-2024-9676, CVE-2024-9675, CVE-2024-9407, and CVE-2024-9341
    From: @duyiwei7w
    Reviewed-by: @jianli-97
    Signed-off-by: @jianli-97

Author: duyiwei
SHA1: 484c247e80
Date: 2025-01-10 17:10:13 +08:00
Message:
    fix CVE-2024-9676, CVE-2024-9675, CVE-2024-9407, and CVE-2024-9341

Author: openeuler-ci-bot
SHA1: b8fcf2ff21
Date: 2025-01-10 02:37:06 +00:00
Message:
    !117 【24.03-LTS】Optimize spec files and fix CVE in batches through rebuild
    From: @duyiwei7w
    Reviewed-by: @jianli-97
    Signed-off-by: @jianli-97

Author: duyiwei
SHA1: 0605c3eeba
Date: 2025-01-10 10:01:32 +08:00
Message:
    Optimize spec files and fix CVE in batches through rebuild
7 changed files with 2018 additions and 9 deletions


@ -0,0 +1,565 @@
From 41b0d431e1d5df30149add3713ac54d1f43f7f6d Mon Sep 17 00:00:00 2001
From: duyiwei <duyiwei@kylinos.cn>
Date: Fri, 10 Jan 2025 17:06:36 +0800
Subject: [PATCH] test
Signed-off-by: duyiwei <duyiwei@kylinos.cn>
---
go.mod | 8 +-
go.sum | 16 ++--
.../github.com/containers/buildah/.cirrus.yml | 8 +-
.../containers/buildah/define/types.go | 2 +-
.../buildah/internal/volumes/volumes.go | 31 ++++++-
.../common/pkg/subscriptions/subscriptions.go | 6 +-
.../containers/common/version/version.go | 2 +-
.../image/v5/docker/docker_image.go | 22 ++++-
.../containers/image/v5/version/version.go | 2 +-
.../github.com/containers/storage/.cirrus.yml | 2 +-
vendor/github.com/containers/storage/VERSION | 2 +-
.../storage/drivers/overlay/overlay.go | 41 +++++++--
.../github.com/containers/storage/userns.go | 92 +++++++++++++------
.../containers/storage/userns_unsupported.go | 14 +++
vendor/modules.txt | 8 +-
15 files changed, 186 insertions(+), 70 deletions(-)
create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
diff --git a/go.mod b/go.mod
index b1e2758..1ef9ab7 100644
--- a/go.mod
+++ b/go.mod
@@ -11,15 +11,15 @@ require (
github.com/checkpoint-restore/go-criu/v7 v7.0.0
github.com/containernetworking/cni v1.1.2
github.com/containernetworking/plugins v1.3.0
- github.com/containers/buildah v1.33.7
- github.com/containers/common v0.57.4
+ github.com/containers/buildah v1.33.11
+ github.com/containers/common v0.57.7
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/gvisor-tap-vsock v0.7.2
- github.com/containers/image/v5 v5.29.2
+ github.com/containers/image/v5 v5.29.4
github.com/containers/libhvee v0.5.0
github.com/containers/ocicrypt v1.1.9
github.com/containers/psgo v1.8.0
- github.com/containers/storage v1.51.0
+ github.com/containers/storage v1.51.2
github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
github.com/coreos/stream-metadata-go v0.4.4
github.com/crc-org/vfkit v0.1.2-0.20231030102423-f3c783d34420
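Review bot: the patch subject is just `[PATCH] test`, while PR !125 in the commit list names CVE-2024-9676, CVE-2024-9675, CVE-2024-9407 and CVE-2024-9341; this hunk is where the dependency bumps that carry those fixes are recorded (buildah v1.33.7 to v1.33.11, common v0.57.4 to v0.57.7, image/v5 v5.29.2 to v5.29.4, storage v1.51.0 to v1.51.2), so the patch subject and body should name the CVE IDs and say which upstream release addresses each one. Without that, the package changelog cannot be audited against the advisories.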
diff --git a/go.sum b/go.sum
index 42178b0..92b443a 100644
--- a/go.sum
+++ b/go.sum
@@ -258,16 +258,16 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM=
github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
-github.com/containers/buildah v1.33.7 h1:Y2kNea+hNNyZ74ppYFWmD0cLc/DwZ5A4NEUPQWPj5Zw=
-github.com/containers/buildah v1.33.7/go.mod h1:pphfdjrwtTWkuIy1aDyZMEVyMfmm0DsbvxLGxxEU1cM=
-github.com/containers/common v0.57.4 h1:kmfBad92kUjP5X44BPpOwMe+eZQqaKETfS+ASeL0g+g=
-github.com/containers/common v0.57.4/go.mod h1:o3L3CyOI9yr+JC8l4dZgvqTxcjs3qdKmkek00uchgvw=
+github.com/containers/buildah v1.33.11 h1:WhEw4xD251utfeb3Huijb/yiTY62tqh8IzchcbnQ2rA=
+github.com/containers/buildah v1.33.11/go.mod h1:MtL+0XpZL5csljQDshjeQfvjzyTV0hgZsSoExmO3eu8=
+github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g=
+github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
-github.com/containers/image/v5 v5.29.2 h1:b8U0XYWhaQbKucK73IbmSm8WQyKAhKDbAHQc45XlsOw=
-github.com/containers/image/v5 v5.29.2/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4=
+github.com/containers/image/v5 v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0=
github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
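Review bot: the `/go.mod` checksum line for image/v5 v5.29.4 (and, in the next hunk, for storage v1.51.2) is identical to the one for v5.29.2 (v1.51.0); that is expected when a patch release does not touch its own go.mod, but it also means a hand-edited go.sum would not be caught by inspection. Regenerate these entries with `go mod tidy` and `go mod vendor` and check that the result leaves no diff against the vendored files in this patch, which appear to have been updated selectively (only a handful of files per module change).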
@@ -282,8 +282,8 @@ github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPN
github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
-github.com/containers/storage v1.51.0 h1:AowbcpiWXzAjHosKz7MKvPEqpyX+ryZA/ZurytRrFNA=
-github.com/containers/storage v1.51.0/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc=
+github.com/containers/storage v1.51.2 h1:Xw8p1AG1A+Nh6dCsb1UOB3YKF5uzlCkI3uAP4fsFup4=
+github.com/containers/storage v1.51.2/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc=
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml
index ac12d66..5d99964 100644
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@@ -138,14 +138,10 @@ cross_build_task:
only_if: >-
$CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
- osx_instance:
- image: ghcr.io/cirruslabs/macos-ventura-base:latest
+ env:
+ HOME: /root
script:
- - brew update
- - brew install go
- - brew install go-md2man
- - brew install gpgme
- go version
- make cross CGO_ENABLED=0
diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go
index 50adce0..0e1e963 100644
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -29,7 +29,7 @@ const (
// identify working containers.
Package = "buildah"
// Version for the Package. Also used by .packit.sh for Packit builds.
- Version = "1.33.7"
+ Version = "1.33.11"
// DefaultRuntime if containers.conf fails.
DefaultRuntime = "runc"
diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
index fd1ff7f..f20b254 100644
--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
@@ -23,6 +23,7 @@ import (
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/unshare"
+ digest "github.com/opencontainers/go-digest"
specs "github.com/opencontainers/runtime-spec/specs-go"
selinux "github.com/opencontainers/selinux/go-selinux"
)
@@ -101,6 +102,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if len(kv) == 1 {
return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
}
+ switch kv[1] {
+ default:
+ return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, kv[1])
case "src", "source":
if len(kv) == 1 {
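Review bot: the allowlist in the new `switch` is hard-coded as `"shared", "rshared", "private", "rprivate", "slave", "rslave"`, and the comment concedes it "should be" the same list the option parser above accepts, which is not visible in this hunk. If that parser also accepts `unbindable`/`runbindable` (or any other value), those values are now rejected only at this point; derive both from one shared slice or add a unit test asserting the two lists are equal so they cannot drift. The check itself is the right fix: on the unchanged line after the switch, whatever followed `=` was previously appended to `newMount.Options` without validation.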
@@ -276,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
if len(kv) == 1 {
return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg)
}
+ switch kv[1] {
+ default:
+ return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
newMount.Options = append(newMount.Options, kv[1])
case "id":
if len(kv) == 1 {
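Review bot: this switch is a verbatim copy of the one added to GetBindMount above, comment included. Extract a single helper (for example `isValidPropagation(v string) bool` over one package-level slice) and call it from both functions, so an addition to one allowlist cannot silently miss the other.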
@@ -361,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
}
// path should be /contextDir/specified path
- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
+ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
+ if err != nil {
+ return newMount, nil, err
+ }
+ newMount.Source = evaluated
} else {
// we need to create cache on host if no image is being used
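Review bot: `copier.Eval` is used here, but the import hunk for this file only adds `go-digest`; confirm `copier` is already imported (it is not visible in this patch) or the vendored file will not compile. The error from `copier.Eval` is also returned bare; wrap it so the user can see which mount and stage failed, e.g. `fmt.Errorf("resolving cache source %q in stage %s: %w", newMount.Source, fromStage, err)`. Resolving the path inside `mountPoint` rather than cleaning it lexically with `filepath.Clean` is the substantive change, since a cleaned path still follows symlinks inside the stage wherever they point.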
@@ -378,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
}
if id != "" {
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
+ // Don't let the user control where we place the directory.
+ dirID := digest.FromString(id).Encoded()[:16]
+ newMount.Source = filepath.Join(cacheParent, dirID)
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
} else {
- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
+ // Don't let the user control where we place the directory.
+ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+ newMount.Source = filepath.Join(cacheParent, dirID)
+ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
}
idPair := idtools.IDPair{
UID: uid,
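Review bot: deriving `dirID` from a digest of `id`/`Destination` does stop the user from choosing the on-disk location, but it changes the cache layout: directories under `cacheParent/<id>` and lock files under `BuildahCacheLockfileDir/<id>` created by the previous version are orphaned rather than reused, and nothing here removes them. Document this in the package changelog or add a one-time cleanup. Minor: both branches repeat the same three lines; choose the key once (`id`, falling back to `newMount.Destination`) and compute `dirID` from it. The 16-hex-character truncation (64 bits) is adequate for uniqueness among one user's own cache IDs.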
diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
index 6ba2154..d976329 100644
--- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
+++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/common/pkg/umask"
"github.com/containers/storage/pkg/idtools"
+ securejoin "github.com/cyphar/filepath-securejoin"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus"
@@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
destDir := "/etc/crypto-policies/back-ends"
- srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+ srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
+ if err != nil {
+ return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
+ }
if _, err := os.Stat(srcOnHost); err != nil {
if errors.Is(err, os.ErrNotExist) {
return nil
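Review bot: `securejoin.SecureJoin` resolves symlinks at call time, but the returned `srcOnHost` is then passed to `os.Stat` and to whatever uses it afterwards (not visible here), so a symlink swapped in under `mountPoint` between those steps is followed again; the filepath-securejoin documentation itself calls out this race. That is an accepted limitation when the rootfs is not yet running, but say so in a comment, and if the vendored filepath-securejoin version provides an fd-based `OpenInRoot`, prefer it. Nit: the message `resolve %s in the container` reads better as `resolving %s in the container rootfs`.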
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index 19ba92c..131d5bb 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
package version
// Version is the version of the build.
-const Version = "0.57.4"
+const Version = "0.57.7"
diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
index 9316048..74f559d 100644
--- a/vendor/github.com/containers/image/v5/docker/docker_image.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
@@ -14,6 +14,7 @@ import (
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/types"
"github.com/opencontainers/go-digest"
+ "github.com/sirupsen/logrus"
)
// Image is a Docker-specific implementation of types.ImageCloser with a few extra methods
@@ -88,7 +89,26 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
return nil, err
}
- tags = append(tags, tagsHolder.Tags...)
+ for _, tag := range tagsHolder.Tags {
+ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
+ // Per https://github.com/containers/skopeo/issues/2409 , Sonatype Nexus 3.58, contrary
+ // to the spec, may include JSON null values in the list; and Go silently parses them as "".
+ if tag == "" {
+ logrus.Debugf("Ignoring invalid empty tag")
+ continue
+ }
+ // Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory,
+ // contrary to the tag format specified in
+ // https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 ,
+ // include digests in the list.
+ if _, err := digest.Parse(tag); err == nil {
+ logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag)
+ continue
+ }
+ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
+ }
+ tags = append(tags, tag)
+ }
link := res.Header.Get("Link")
if link == "" {
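Review bot: with this loop, one tag that is neither empty nor digest-shaped but still fails `reference.WithTag` aborts the whole listing with an error, whereas before every tag was accepted unchecked; that fail-closed choice is reasonable but changes behaviour for callers of `GetRepositoryTags` against non-conforming registries and belongs in the changelog. Also confirm `reference` is already imported in this file, since the import hunk only adds `logrus`. The `%q` verbs in the error and debug messages quote the registry-controlled tag string, so control characters in a tag do not reach the log unescaped.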
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index b24ee88..441e467 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -8,7 +8,7 @@ const (
// VersionMinor is for functionality in a backwards-compatible manner
VersionMinor = 29
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 2
+ VersionPatch = 4
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = ""
diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
index c41dd5d..9e61509 100644
--- a/vendor/github.com/containers/storage/.cirrus.yml
+++ b/vendor/github.com/containers/storage/.cirrus.yml
@@ -119,7 +119,7 @@ lint_task:
env:
CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
container:
- image: golang
+ image: golang:1.19
modules_cache:
fingerprint_script: cat go.sum
folder: $GOPATH/pkg/mod
diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
index ba0a719..aa618f0 100644
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@@ -1 +1 @@
-1.51.0
+1.51.2
diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
index 04ecf87..d618d14 100644
--- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
@@ -1670,13 +1670,21 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
}
if err := idtools.MkdirAllAs(diffDir, perms, rootUID, rootGID); err != nil {
- return "", err
+ if !inAdditionalStore {
+ return "", err
+ }
+ // if it is in an additional store, do not fail if the directory already exists
+ if _, err2 := os.Stat(diffDir); err2 != nil {
+ return "", err
+ }
}
mergedDir := path.Join(workDirBase, "merged")
- // Create the driver merged dir
- if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) {
- return "", err
+ // Attempt to create the merged dir only if it doesn't exist.
+ if _, err := os.Stat(mergedDir); err != nil && os.IsNotExist(err) {
+ if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) {
+ return "", err
+ }
}
if count := d.ctr.Increment(mergedDir); count > 1 {
return mergedDir, nil
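Review bot: in the new `mergedDir` block only `os.IsNotExist` errors from `os.Stat` lead to a `MkdirAs`; any other stat failure (EACCES, ENOTDIR because `merged` is a regular file, and so on) is silently ignored and execution continues to `d.ctr.Increment(mergedDir)` and the mount. Return those errors: `if err != nil && !os.IsNotExist(err) { return "", err }` before the mkdir. The equivalent pattern in the `diffDir` branch is fine because a non-nil `err2` returns the original error.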
@@ -1841,7 +1849,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO
// Put unmounts the mount path created for the give id.
func (d *Driver) Put(id string) error {
- dir := d.dir(id)
+ dir, _, inAdditionalStore := d.dir2(id)
if _, err := os.Stat(dir); err != nil {
return err
}
@@ -1902,11 +1910,26 @@ func (d *Driver) Put(id string) error {
}
}
- if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) {
- logrus.Debugf("Failed to remove mountpoint %s overlay: %s - %v", id, mountpoint, err)
- return fmt.Errorf("removing mount point %q: %w", mountpoint, err)
+ if !inAdditionalStore {
+ uid, gid := int(0), int(0)
+ fi, err := os.Stat(mountpoint)
+ if err != nil {
+ return err
+ }
+ if stat, ok := fi.Sys().(*syscall.Stat_t); ok {
+ uid, gid = int(stat.Uid), int(stat.Gid)
+ }
+ tmpMountpoint := path.Join(dir, "merged.1")
+ if err := idtools.MkdirAs(tmpMountpoint, 0o700, uid, gid); err != nil && !errors.Is(err, os.ErrExist) {
+ return err
+ }
+ // rename(2) can be used on an empty directory, as it is the mountpoint after umount, and it retains
+ // its atomic semantic. In this way the "merged" directory is never removed.
+ if err := unix.Rename(tmpMountpoint, mountpoint); err != nil {
+ logrus.Debugf("Failed to replace mountpoint %s overlay: %s - %v", id, mountpoint, err)
+ return fmt.Errorf("replacing mount point %q: %w", mountpoint, err)
+ }
}
-
return nil
}
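Review bot: `MkdirAs(tmpMountpoint, ...)` tolerates `ErrExist`, so a stale `merged.1` left behind by an earlier crash (possibly non-empty, or not a directory at all) is renamed over `merged` without inspection; `rename(2)` only requires the target directory to be empty, not the source. After the `ErrExist` case, stat `tmpMountpoint` and reject anything that is not an empty directory with the expected owner. Also verify `errors` and `syscall` are imported in this file (not visible in the patch). The approach itself, replacing `merged` by rename instead of `Rmdir`, is sound: as the comment says, the `merged` directory is never removed, so a path another store user holds open cannot be removed out from under it.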
diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
index 32ae830..2c855da 100644
--- a/vendor/github.com/containers/storage/userns.go
+++ b/vendor/github.com/containers/storage/userns.go
@@ -1,18 +1,21 @@
+//go:build linux
+
package storage
import (
"fmt"
"os"
"os/user"
- "path/filepath"
"strconv"
drivers "github.com/containers/storage/drivers"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/unshare"
"github.com/containers/storage/types"
+ securejoin "github.com/cyphar/filepath-securejoin"
libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
// getAdditionalSubIDs looks up the additional IDs configured for
@@ -85,40 +88,59 @@ const nobodyUser = 65534
// parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
// /etc/group files.
func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
+ var (
+ passwd *os.File
+ group *os.File
+ size int
+ err error
+ )
if passwdFile == "" {
- passwdFile = filepath.Join(containerMount, "etc/passwd")
- }
- if groupFile == "" {
- groupFile = filepath.Join(groupFile, "etc/group")
+ passwd, err = secureOpen(containerMount, "/etc/passwd")
+ } else {
+ // User-specified override from a volume. Will not be in
+ // container root.
+ passwd, err = os.Open(passwdFile)
}
-
- size := 0
-
- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
if err == nil {
- for _, u := range users {
- // Skip the "nobody" user otherwise we end up with 65536
- // ids with most images
- if u.Name == "nobody" {
- continue
- }
- if u.Uid > size && u.Uid != nobodyUser {
- size = u.Uid
- }
- if u.Gid > size && u.Gid != nobodyUser {
- size = u.Gid
+ defer passwd.Close()
+
+ users, err := libcontainerUser.ParsePasswd(passwd)
+ if err == nil {
+ for _, u := range users {
+ // Skip the "nobody" user otherwise we end up with 65536
+ // ids with most images
+ if u.Name == "nobody" || u.Name == "nogroup" {
+ continue
+ }
+ if u.Uid > size && u.Uid != nobodyUser {
+ size = u.Uid + 1
+ }
+ if u.Gid > size && u.Gid != nobodyUser {
+ size = u.Gid + 1
+ }
}
}
}
- groups, err := libcontainerUser.ParseGroupFile(groupFile)
+ if groupFile == "" {
+ group, err = secureOpen(containerMount, "/etc/group")
+ } else {
+ // User-specified override from a volume. Will not be in
+ // container root.
+ group, err = os.Open(groupFile)
+ }
if err == nil {
- for _, g := range groups {
- if g.Name == "nobody" {
- continue
- }
- if g.Gid > size && g.Gid != nobodyUser {
- size = g.Gid
+ defer group.Close()
+
+ groups, err := libcontainerUser.ParseGroup(group)
+ if err == nil {
+ for _, g := range groups {
+ if g.Name == "nobody" || g.Name == "nogroup" {
+ continue
+ }
+ if g.Gid > size && g.Gid != nobodyUser {
+ size = g.Gid + 1
+ }
}
}
}
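Review bot: the doc comment above still says the function "returns the maximum UID and GID found", but the loops now store `u.Uid + 1` / `g.Gid + 1`, i.e. the number of IDs required, so the comment (and any caller that was adding 1 itself) needs updating. Open and parse errors are still swallowed by the `if err == nil` guards, so a failed open or parse silently yields size 0; at least log them with `logrus.Debugf`. The rewrite does fix a real bug in the removed code: `groupFile = filepath.Join(groupFile, "etc/group")` joined with the empty `groupFile` instead of `containerMount`, producing a relative path.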
@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings(
gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
return uidMap, gidMap, nil
}
+
+// Securely open (read-only) a file in a container mount.
+func secureOpen(containerMount, file string) (*os.File, error) {
+ filePath, err := securejoin.SecureJoin(containerMount, file)
+ if err != nil {
+ return nil, err
+ }
+
+ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
+ fileHandle, err := os.OpenFile(filePath, flags, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ return fileHandle, nil
+}
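Review bot: `unix.O_PATH` in `secureOpen` breaks the callers above: a descriptor opened with O_PATH cannot be read, `read(2)` on it fails with EBADF (see open(2)), so `libcontainerUser.ParsePasswd(passwd)` and `ParseGroup(group)` always return an error, the `if err == nil` branches are skipped, and `parseMountedFiles` returns 0 for every image. Drop `O_PATH` (`O_RDONLY` is 0, so `O_PATH|O_RDONLY` is just `O_PATH`) and open the SecureJoin result with `unix.O_RDONLY | unix.O_CLOEXEC | unix.O_NOFOLLOW`, or keep the O_PATH handle, `fstat` it to confirm a regular file, and re-open it via `/proc/self/fd/<n>`. `SecureJoin` followed by a separate open remains racy against a concurrent symlink swap under `containerMount`; `O_NOFOLLOW` on the final component at least closes the simplest variant.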
diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
new file mode 100644
index 0000000..e37c18f
--- /dev/null
+++ b/vendor/github.com/containers/storage/userns_unsupported.go
@@ -0,0 +1,14 @@
+//go:build !linux
+
+package storage
+
+import (
+ "errors"
+
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/types"
+)
+
+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
+ return nil, nil, errors.New("user namespaces are not supported on this platform")
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c261d97..f7fe104 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version
# github.com/containernetworking/plugins v1.3.0
## explicit; go 1.20
github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.33.7
+# github.com/containers/buildah v1.33.11
## explicit; go 1.20
github.com/containers/buildah
github.com/containers/buildah/bind
@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/pkg/volumes
github.com/containers/buildah/util
-# github.com/containers/common v0.57.4
+# github.com/containers/common v0.57.7
## explicit; go 1.18
github.com/containers/common/internal/attributedstring
github.com/containers/common/libimage
@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
# github.com/containers/gvisor-tap-vsock v0.7.2
## explicit; go 1.20
github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.29.2
+# github.com/containers/image/v5 v5.29.4
## explicit; go 1.19
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
@@ -353,7 +353,7 @@ github.com/containers/psgo/internal/dev
github.com/containers/psgo/internal/host
github.com/containers/psgo/internal/proc
github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.51.0
+# github.com/containers/storage v1.51.2
## explicit; go 1.19
github.com/containers/storage
github.com/containers/storage/drivers
--
2.33.0


@ -0,0 +1,571 @@
From 3821d30cf1647fe886aa5e2fe06ac992df460a30 Mon Sep 17 00:00:00 2001
From: Matt Heon <mheon@redhat.com>
Date: Wed, 3 Jul 2024 13:31:50 -0400
Subject: [PATCH] Update gorilla/schema to v1.4.1 to fix CVE-2024-37298
Ref: RH Jira RHEL-45916
Signed-off-by: Matt Heon <mheon@redhat.com>
---
go.mod | 2 +-
go.sum | 4 +-
.../github.com/gorilla/schema/.editorconfig | 20 ++++
vendor/github.com/gorilla/schema/.gitignore | 1 +
vendor/github.com/gorilla/schema/LICENSE | 2 +-
vendor/github.com/gorilla/schema/Makefile | 34 ++++++
vendor/github.com/gorilla/schema/README.md | 39 ++++++-
vendor/github.com/gorilla/schema/cache.go | 28 +++--
vendor/github.com/gorilla/schema/converter.go | 77 +++++++++++++
vendor/github.com/gorilla/schema/decoder.go | 103 +++++++++++++++++-
vendor/github.com/gorilla/schema/encoder.go | 17 ++-
vendor/modules.txt | 4 +-
12 files changed, 307 insertions(+), 24 deletions(-)
create mode 100644 vendor/github.com/gorilla/schema/.editorconfig
create mode 100644 vendor/github.com/gorilla/schema/.gitignore
create mode 100644 vendor/github.com/gorilla/schema/Makefile
diff --git a/go.mod b/go.mod
index a84fbbb1b4..253caecf3b 100644
--- a/go.mod
+++ b/go.mod
@@ -36,7 +36,7 @@ require (
github.com/google/uuid v1.4.0
github.com/gorilla/handlers v1.5.2
github.com/gorilla/mux v1.8.1
- github.com/gorilla/schema v1.2.0
+ github.com/gorilla/schema v1.4.1
github.com/hashicorp/go-multierror v1.1.1
github.com/hugelgupf/p9 v0.3.1-0.20230822151754-54f5c5530921
github.com/json-iterator/go v1.1.12
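Review bot: the jump from gorilla/schema v1.2.0 to v1.4.1 brings in more than the CVE-2024-37298 fix named in the subject: the vendored README and cache.go hunks below add the `default` tag option, and two minor releases of behaviour changes come with it. Run the tests of the code in this tree that decodes query parameters through this package, and state in the spec changelog that this is a feature-carrying upgrade rather than a minimal backport.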
diff --git a/go.sum b/go.sum
index 495035a32b..b1cd4f77dc 100644
--- a/go.sum
+++ b/go.sum
@@ -622,8 +622,8 @@ github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc=
-github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
+github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
+github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
diff --git a/vendor/github.com/gorilla/schema/.editorconfig b/vendor/github.com/gorilla/schema/.editorconfig
new file mode 100644
index 0000000000..c6b74c3e0d
--- /dev/null
+++ b/vendor/github.com/gorilla/schema/.editorconfig
@@ -0,0 +1,20 @@
+; https://editorconfig.org/
+
+root = true
+
+[*]
+insert_final_newline = true
+charset = utf-8
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[{Makefile,go.mod,go.sum,*.go,.gitmodules}]
+indent_style = tab
+indent_size = 4
+
+[*.md]
+indent_size = 4
+trim_trailing_whitespace = false
+
+eclint_indent_style = unset
\ No newline at end of file
diff --git a/vendor/github.com/gorilla/schema/.gitignore b/vendor/github.com/gorilla/schema/.gitignore
new file mode 100644
index 0000000000..84039fec68
--- /dev/null
+++ b/vendor/github.com/gorilla/schema/.gitignore
@@ -0,0 +1 @@
+coverage.coverprofile
diff --git a/vendor/github.com/gorilla/schema/LICENSE b/vendor/github.com/gorilla/schema/LICENSE
index 0e5fb87280..bb9d80bc9b 100644
--- a/vendor/github.com/gorilla/schema/LICENSE
+++ b/vendor/github.com/gorilla/schema/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2012 Rodrigo Moraes. All rights reserved.
+Copyright (c) 2023 The Gorilla Authors. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
diff --git a/vendor/github.com/gorilla/schema/Makefile b/vendor/github.com/gorilla/schema/Makefile
new file mode 100644
index 0000000000..98f5ab75f9
--- /dev/null
+++ b/vendor/github.com/gorilla/schema/Makefile
@@ -0,0 +1,34 @@
+GO_LINT=$(shell which golangci-lint 2> /dev/null || echo '')
+GO_LINT_URI=github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
+GO_SEC=$(shell which gosec 2> /dev/null || echo '')
+GO_SEC_URI=github.com/securego/gosec/v2/cmd/gosec@latest
+
+GO_VULNCHECK=$(shell which govulncheck 2> /dev/null || echo '')
+GO_VULNCHECK_URI=golang.org/x/vuln/cmd/govulncheck@latest
+
+.PHONY: golangci-lint
+golangci-lint:
+ $(if $(GO_LINT), ,go install $(GO_LINT_URI))
+ @echo "##### Running golangci-lint"
+ golangci-lint run -v
+
+.PHONY: gosec
+gosec:
+ $(if $(GO_SEC), ,go install $(GO_SEC_URI))
+ @echo "##### Running gosec"
+ gosec ./...
+
+.PHONY: govulncheck
+govulncheck:
+ $(if $(GO_VULNCHECK), ,go install $(GO_VULNCHECK_URI))
+ @echo "##### Running govulncheck"
+ govulncheck ./...
+
+.PHONY: verify
+verify: golangci-lint gosec govulncheck
+
+.PHONY: test
+test:
+ @echo "##### Running tests"
+ go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./...
\ No newline at end of file
diff --git a/vendor/github.com/gorilla/schema/README.md b/vendor/github.com/gorilla/schema/README.md
index aefdd66996..58786ba502 100644
--- a/vendor/github.com/gorilla/schema/README.md
+++ b/vendor/github.com/gorilla/schema/README.md
@@ -1,8 +1,12 @@
-schema
-======
-[![GoDoc](https://godoc.org/github.com/gorilla/schema?status.svg)](https://godoc.org/github.com/gorilla/schema) [![Build Status](https://travis-ci.org/gorilla/schema.png?branch=master)](https://travis-ci.org/gorilla/schema)
-[![Sourcegraph](https://sourcegraph.com/github.com/gorilla/schema/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/schema?badge)
+# gorilla/schema
+![testing](https://github.com/gorilla/schema/actions/workflows/test.yml/badge.svg)
+[![codecov](https://codecov.io/github/gorilla/schema/branch/main/graph/badge.svg)](https://codecov.io/github/gorilla/schema)
+[![godoc](https://godoc.org/github.com/gorilla/schema?status.svg)](https://godoc.org/github.com/gorilla/schema)
+[![sourcegraph](https://sourcegraph.com/github.com/gorilla/schema/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/schema?badge)
+
+
+![Gorilla Logo](https://github.com/gorilla/.github/assets/53367916/d92caabf-98e0-473e-bfbf-ab554ba435e5)
Package gorilla/schema converts structs to and from form values.
@@ -83,7 +87,32 @@ The supported field types in the struct are:
Unsupported types are simply ignored, however custom types can be registered to be converted.
-More examples are available on the Gorilla website: https://www.gorillatoolkit.org/pkg/schema
+## Setting Defaults
+
+It is possible to set default values when encoding/decoding by using the `default` tag option. The value of `default` is applied when a field has a zero value, a pointer has a nil value, or a slice is empty.
+
+```go
+type Person struct {
+ Phone string `schema:"phone,default:+123456"` // custom name
+ Age int `schema:"age,default:21"`
+ Admin bool `schema:"admin,default:false"`
+ Balance float64 `schema:"balance,default:10.0"`
+ Friends []string `schema:friends,default:john|bob`
+}
+```
+
+The `default` tag option is supported for the following types:
+
+* bool
+* float variants (float32, float64)
+* int variants (int, int8, int16, int32, int64)
+* uint variants (uint, uint8, uint16, uint32, uint64)
+* string
+* a slice of the above types. As shown in the example above, `|` should be used to separate between slice items.
+* a pointer to one of the above types (pointer to slice and slice of pointers are not supported).
+
+> [!NOTE]
+> Because primitive types like int, float, bool, unint and their variants have their default (or zero) values set by Golang, it is not possible to distinguish them from a provided value when decoding/encoding form values. In this case, the value provided by the `default` option tag will be always applied. For example, let's assume that the value submitted in the form for `balance` is `0.0` then the default of `10.0` will be applied, even if `0.0` is part of the form data for the `balance` field. In such cases, it is highly recommended to use pointers to allow schema to distinguish between when a form field has no provided value and when a form has a value equal to the corresponding default set by Golang for a particular type. If the type of the `Balance` field above is changed to `*float64`, then the zero value would be `nil`. In this case, if the form data value for `balance` is `0.0`, then the default will not be applied.
## License
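Review bot: the `Friends` field in the added README example is missing the backquotes and quotation marks around its struct tag (`schema:friends,default:john|bob`), so the snippet does not compile as shown; the other four fields use the quoted `schema:"...,default:..."` form and this line should match. Also, "unint" in the NOTE paragraph should read "uint", and the hunk drops the "More examples are available on the Gorilla website" pointer without a replacement, which is worth confirming is intended.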
diff --git a/vendor/github.com/gorilla/schema/cache.go b/vendor/github.com/gorilla/schema/cache.go
index 0746c1202c..065b8d6ee6 100644
--- a/vendor/github.com/gorilla/schema/cache.go
+++ b/vendor/github.com/gorilla/schema/cache.go
@@ -12,7 +12,7 @@ import (
"sync"
)
-var invalidPath = errors.New("schema: invalid path")
+var errInvalidPath = errors.New("schema: invalid path")
// newCache returns a new cache.
func newCache() *cache {
@@ -53,13 +53,13 @@ func (c *cache) parsePath(p string, t reflect.Type) ([]pathPart, error) {
keys := strings.Split(p, ".")
for i := 0; i < len(keys); i++ {
if t.Kind() != reflect.Struct {
- return nil, invalidPath
+ return nil, errInvalidPath
}
if struc = c.get(t); struc == nil {
- return nil, invalidPath
+ return nil, errInvalidPath
}
if field = struc.get(keys[i]); field == nil {
- return nil, invalidPath
+ return nil, errInvalidPath
}
// Valid field. Append index.
path = append(path, field.name)
@@ -72,10 +72,10 @@ func (c *cache) parsePath(p string, t reflect.Type) ([]pathPart, error) {
// So checking i+2 is not necessary anymore.
i++
if i+1 > len(keys) {
- return nil, invalidPath
+ return nil, errInvalidPath
}
if index64, err = strconv.ParseInt(keys[i], 10, 0); err != nil {
- return nil, invalidPath
+ return nil, errInvalidPath
}
parts = append(parts, pathPart{
path: path,
@@ -197,6 +197,7 @@ func (c *cache) createField(field reflect.StructField, parentAlias string) *fiel
isSliceOfStructs: isSlice && isStruct,
isAnonymous: field.Anonymous,
isRequired: options.Contains("required"),
+ defaultValue: options.getDefaultOptionValue(),
}
}
@@ -246,8 +247,9 @@ type fieldInfo struct {
// isSliceOfStructs indicates if the field type is a slice of structs.
isSliceOfStructs bool
// isAnonymous indicates whether the field is embedded in the struct.
- isAnonymous bool
- isRequired bool
+ isAnonymous bool
+ isRequired bool
+ defaultValue string
}
func (f *fieldInfo) paths(prefix string) []string {
@@ -303,3 +305,13 @@ func (o tagOptions) Contains(option string) bool {
}
return false
}
+
+func (o tagOptions) getDefaultOptionValue() string {
+ for _, s := range o {
+ if strings.HasPrefix(s, "default:") {
+ return strings.Split(s, ":")[1]
+ }
+ }
+
+ return ""
+}
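Review bot: `getDefaultOptionValue` in the last hunk truncates any default value that itself contains a colon, because `strings.Split(s, ":")[1]` keeps only the segment between the first and second colon (a tag of `default:12:30` yields `12`, and a URL default loses everything after the scheme). Use `strings.TrimPrefix(s, "default:")` or `strings.SplitN(s, ":", 2)[1]` so the whole remainder of the option is returned.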
diff --git a/vendor/github.com/gorilla/schema/converter.go b/vendor/github.com/gorilla/schema/converter.go
index 4f2116a15e..4bae6df962 100644
--- a/vendor/github.com/gorilla/schema/converter.go
+++ b/vendor/github.com/gorilla/schema/converter.go
@@ -143,3 +143,80 @@ func convertUint64(value string) reflect.Value {
}
return invalidValue
}
+
+func convertPointer(k reflect.Kind, value string) reflect.Value {
+ switch k {
+ case boolType:
+ if v := convertBool(value); v.IsValid() {
+ converted := v.Bool()
+ return reflect.ValueOf(&converted)
+ }
+ case float32Type:
+ if v := convertFloat32(value); v.IsValid() {
+ converted := float32(v.Float())
+ return reflect.ValueOf(&converted)
+ }
+ case float64Type:
+ if v := convertFloat64(value); v.IsValid() {
+ converted := float64(v.Float())
+ return reflect.ValueOf(&converted)
+ }
+ case intType:
+ if v := convertInt(value); v.IsValid() {
+ converted := int(v.Int())
+ return reflect.ValueOf(&converted)
+ }
+ case int8Type:
+ if v := convertInt8(value); v.IsValid() {
+ converted := int8(v.Int())
+ return reflect.ValueOf(&converted)
+ }
+ case int16Type:
+ if v := convertInt16(value); v.IsValid() {
+ converted := int16(v.Int())
+ return reflect.ValueOf(&converted)
+ }
+ case int32Type:
+ if v := convertInt32(value); v.IsValid() {
+ converted := int32(v.Int())
+ return reflect.ValueOf(&converted)
+ }
+ case int64Type:
+ if v := convertInt64(value); v.IsValid() {
+ converted := int64(v.Int())
+ return reflect.ValueOf(&converted)
+ }
+ case stringType:
+ if v := convertString(value); v.IsValid() {
+ converted := v.String()
+ return reflect.ValueOf(&converted)
+ }
+ case uintType:
+ if v := convertUint(value); v.IsValid() {
+ converted := uint(v.Uint())
+ return reflect.ValueOf(&converted)
+ }
+ case uint8Type:
+ if v := convertUint8(value); v.IsValid() {
+ converted := uint8(v.Uint())
+ return reflect.ValueOf(&converted)
+ }
+ case uint16Type:
+ if v := convertUint16(value); v.IsValid() {
+ converted := uint16(v.Uint())
+ return reflect.ValueOf(&converted)
+ }
+ case uint32Type:
+ if v := convertUint32(value); v.IsValid() {
+ converted := uint32(v.Uint())
+ return reflect.ValueOf(&converted)
+ }
+ case uint64Type:
+ if v := convertUint64(value); v.IsValid() {
+ converted := uint64(v.Uint())
+ return reflect.ValueOf(&converted)
+ }
+ }
+
+ return invalidValue
+}
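Review bot: `convertPointer` re-implements, once per kind, the dispatch that the `builtinConverters` table (used by `setDefaults` in decoder.go) already provides, and carries redundant casts such as `float64(v.Float())` and `int64(v.Int())`. The fourteen cases collapse to a table lookup followed by `p := reflect.New(v.Type()); p.Elem().Set(v); return p`, which also keeps the two dispatch paths from drifting apart when a converter is added later.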
diff --git a/vendor/github.com/gorilla/schema/decoder.go b/vendor/github.com/gorilla/schema/decoder.go
index 025e438b56..54c88ecb34 100644
--- a/vendor/github.com/gorilla/schema/decoder.go
+++ b/vendor/github.com/gorilla/schema/decoder.go
@@ -12,9 +12,13 @@ import (
"strings"
)
+const (
+ defaultMaxSize = 16000
+)
+
// NewDecoder returns a new Decoder.
func NewDecoder() *Decoder {
- return &Decoder{cache: newCache()}
+ return &Decoder{cache: newCache(), maxSize: defaultMaxSize}
}
// Decoder decodes values from a map[string][]string to a struct.
@@ -22,6 +26,7 @@ type Decoder struct {
cache *cache
zeroEmpty bool
ignoreUnknownKeys bool
+ maxSize int
}
// SetAliasTag changes the tag used to locate custom field aliases.
@@ -54,6 +59,13 @@ func (d *Decoder) IgnoreUnknownKeys(i bool) {
d.ignoreUnknownKeys = i
}
+// MaxSize limits the size of slices for URL nested arrays or object arrays.
+// Choose MaxSize carefully; large values may create many zero-value slice elements.
+// Example: "items.100000=apple" would create a slice with 100,000 empty strings.
+func (d *Decoder) MaxSize(size int) {
+ d.maxSize = size
+}
+
// RegisterConverter registers a converter function for a custom type.
func (d *Decoder) RegisterConverter(value interface{}, converterFunc Converter) {
d.cache.registerConverter(value, converterFunc)
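Review bot: the `MaxSize` setter accepts any int, including zero and negative values, and neither it nor `defaultMaxSize` in the earlier hunk says what the number bounds. The check added further down in `decode` is `idx > d.maxSize`, so the limit is on the highest index rather than on the length: `items.16000=x` is still accepted and allocates 16,001 elements. Either document the setter as a maximum index, or compare `idx >= d.maxSize`, and reject negative values in the setter.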
@@ -84,6 +96,7 @@ func (d *Decoder) Decode(dst interface{}, src map[string][]string) error {
errors[path] = UnknownKeyError{Key: path}
}
}
+ errors.merge(d.setDefaults(t, v))
errors.merge(d.checkRequired(t, src))
if len(errors) > 0 {
return errors
@@ -91,6 +104,88 @@ func (d *Decoder) Decode(dst interface{}, src map[string][]string) error {
return nil
}
+// setDefaults sets the default values when the `default` tag is specified,
+// default is supported on basic/primitive types and their pointers,
+// nested structs can also have default tags
+func (d *Decoder) setDefaults(t reflect.Type, v reflect.Value) MultiError {
+ struc := d.cache.get(t)
+ if struc == nil {
+ // unexpect, cache.get never return nil
+ return MultiError{"default-" + t.Name(): errors.New("cache fail")}
+ }
+
+ errs := MultiError{}
+
+ if v.Type().Kind() == reflect.Struct {
+ for i := 0; i < v.NumField(); i++ {
+ field := v.Field(i)
+ if field.Type().Kind() == reflect.Ptr && field.IsNil() && v.Type().Field(i).Anonymous {
+ field.Set(reflect.New(field.Type().Elem()))
+ }
+ }
+ }
+
+ for _, f := range struc.fields {
+ vCurrent := v.FieldByName(f.name)
+
+ if vCurrent.Type().Kind() == reflect.Struct && f.defaultValue == "" {
+ errs.merge(d.setDefaults(vCurrent.Type(), vCurrent))
+ } else if isPointerToStruct(vCurrent) && f.defaultValue == "" {
+ errs.merge(d.setDefaults(vCurrent.Elem().Type(), vCurrent.Elem()))
+ }
+
+ if f.defaultValue != "" && f.isRequired {
+ errs.merge(MultiError{"default-" + f.name: errors.New("required fields cannot have a default value")})
+ } else if f.defaultValue != "" && vCurrent.IsZero() && !f.isRequired {
+ if f.typ.Kind() == reflect.Struct {
+ errs.merge(MultiError{"default-" + f.name: errors.New("default option is supported only on: bool, float variants, string, unit variants types or their corresponding pointers or slices")})
+ } else if f.typ.Kind() == reflect.Slice {
+ vals := strings.Split(f.defaultValue, "|")
+
+ // check if slice has one of the supported types for defaults
+ if _, ok := builtinConverters[f.typ.Elem().Kind()]; !ok {
+ errs.merge(MultiError{"default-" + f.name: errors.New("default option is supported only on: bool, float variants, string, unit variants types or their corresponding pointers or slices")})
+ continue
+ }
+
+ defaultSlice := reflect.MakeSlice(f.typ, 0, cap(vals))
+ for _, val := range vals {
+ // this check is to handle if the wrong value is provided
+ convertedVal := builtinConverters[f.typ.Elem().Kind()](val)
+ if !convertedVal.IsValid() {
+ errs.merge(MultiError{"default-" + f.name: fmt.Errorf("failed setting default: %s is not compatible with field %s type", val, f.name)})
+ break
+ }
+ defaultSlice = reflect.Append(defaultSlice, convertedVal)
+ }
+ vCurrent.Set(defaultSlice)
+ } else if f.typ.Kind() == reflect.Ptr {
+ t1 := f.typ.Elem()
+
+ if t1.Kind() == reflect.Struct || t1.Kind() == reflect.Slice {
+ errs.merge(MultiError{"default-" + f.name: errors.New("default option is supported only on: bool, float variants, string, unit variants types or their corresponding pointers or slices")})
+ }
+
+ // this check is to handle if the wrong value is provided
+ if convertedVal := convertPointer(t1.Kind(), f.defaultValue); convertedVal.IsValid() {
+ vCurrent.Set(convertedVal)
+ }
+ } else {
+ // this check is to handle if the wrong value is provided
+ if convertedVal := builtinConverters[f.typ.Kind()](f.defaultValue); convertedVal.IsValid() {
+ vCurrent.Set(builtinConverters[f.typ.Kind()](f.defaultValue))
+ }
+ }
+ }
+ }
+
+ return errs
+}
+
+func isPointerToStruct(v reflect.Value) bool {
+ return !v.IsZero() && v.Type().Kind() == reflect.Ptr && v.Elem().Type().Kind() == reflect.Struct
+}
+
// checkRequired checks whether required fields are empty
//
// check type t recursively if t has struct fields.
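Review bot: several problems in the new `setDefaults`. (1) The final `else` branch calls `builtinConverters[f.typ.Kind()](f.defaultValue)` without checking the map lookup; for a field whose kind is not a builtin (map, array, interface, or a custom type registered through `RegisterConverter`) the lookup yields a nil `Converter` and the call panics inside `Decode`. Test the `ok` value as the slice branch does and report an error instead. (2) In the pointer branch, after merging the "supported only on" error for a pointer to struct or slice the code falls through to `convertPointer` instead of `continue`-ing; and neither the pointer nor the scalar branch reports anything when the converter rejects the tag value (`default:abc` on an `int` field), unlike the slice branch, so a typo in a tag silently leaves the field at its zero value. (3) The scalar branch runs the converter twice; `vCurrent.Set(convertedVal)` is enough. (4) Wording: "unit variants" should read "uint variants" in the three error strings, and the comment `unexpect, cache.get never return nil` should read "unexpected: cache.get never returns nil".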
@@ -193,7 +288,7 @@ func (d *Decoder) decode(v reflect.Value, path string, parts []pathPart, values
if v.Type().Kind() == reflect.Struct {
for i := 0; i < v.NumField(); i++ {
field := v.Field(i)
- if field.Type().Kind() == reflect.Ptr && field.IsNil() && v.Type().Field(i).Anonymous == true {
+ if field.Type().Kind() == reflect.Ptr && field.IsNil() && v.Type().Field(i).Anonymous {
field.Set(reflect.New(field.Type().Elem()))
}
}
@@ -219,6 +314,10 @@ func (d *Decoder) decode(v reflect.Value, path string, parts []pathPart, values
// Slice of structs. Let's go recursive.
if len(parts) > 1 {
idx := parts[0].index
+ // a defensive check to avoid creating a large slice based on user input index
+ if idx > d.maxSize {
+ return fmt.Errorf("%v index %d is larger than the configured maxSize %d", v.Kind(), idx, d.maxSize)
+ }
if v.IsNil() || v.Len() < idx+1 {
value := reflect.MakeSlice(t, idx+1, idx+1)
if v.Len() < idx+1 {
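Review bot: the new guard bounds only the upper end of `idx`, and only on the slice-of-structs path this hunk sits in (the context comment reads `Slice of structs. Let's go recursive.`). `parsePath` in cache.go, shown above, accepts whatever `strconv.ParseInt` returns, so confirm that a negative index is rejected before `reflect.MakeSlice(t, idx+1, idx+1)` is reached, and that the non-struct slice path has an equivalent check; otherwise the allocation bound this change introduces covers only one of the two sites that size a slice from request input.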
diff --git a/vendor/github.com/gorilla/schema/encoder.go b/vendor/github.com/gorilla/schema/encoder.go
index f0ed631210..52f2c108e4 100644
--- a/vendor/github.com/gorilla/schema/encoder.go
+++ b/vendor/github.com/gorilla/schema/encoder.go
@@ -93,8 +93,11 @@ func (e *Encoder) encode(v reflect.Value, dst map[string][]string) error {
}
// Encode struct pointer types if the field is a valid pointer and a struct.
- if isValidStructPointer(v.Field(i)) {
- e.encode(v.Field(i).Elem(), dst)
+ if isValidStructPointer(v.Field(i)) && !e.hasCustomEncoder(v.Field(i).Type()) {
+ err := e.encode(v.Field(i).Elem(), dst)
+ if err != nil {
+ errors[v.Field(i).Elem().Type().String()] = err
+ }
continue
}
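Review bot: the error from the nested `encode` is stored under `v.Field(i).Elem().Type().String()`, so two fields of the same struct type that both fail overwrite each other and only the last error survives; keying by the field name or path keeps both. The struct case in the next hunk, keyed by `v.Field(i).Type().String()`, has the same collision. Also worth confirming that skipping the recursion when `hasCustomEncoder` is true still leads to the registered encoder being invoked for the pointer field later in `encode`, since that code is outside this hunk.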
@@ -112,7 +115,10 @@ func (e *Encoder) encode(v reflect.Value, dst map[string][]string) error {
}
if v.Field(i).Type().Kind() == reflect.Struct {
- e.encode(v.Field(i), dst)
+ err := e.encode(v.Field(i), dst)
+ if err != nil {
+ errors[v.Field(i).Type().String()] = err
+ }
continue
}
@@ -142,6 +148,11 @@ func (e *Encoder) encode(v reflect.Value, dst map[string][]string) error {
return nil
}
+func (e *Encoder) hasCustomEncoder(t reflect.Type) bool {
+ _, exists := e.regenc[t]
+ return exists
+}
+
func typeEncoder(t reflect.Type, reg map[reflect.Type]encoderFunc) encoderFunc {
if f, ok := reg[t]; ok {
return f
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d99eb4f521..6e2aa65371 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -673,8 +673,8 @@ github.com/gorilla/handlers
# github.com/gorilla/mux v1.8.1
## explicit; go 1.20
github.com/gorilla/mux
-# github.com/gorilla/schema v1.2.0
-## explicit
+# github.com/gorilla/schema v1.4.1
+## explicit; go 1.20
github.com/gorilla/schema
# github.com/hashicorp/errwrap v1.1.0
## explicit


@ -0,0 +1,488 @@
From d81937a13f93fc9863af1fb1466753509e78c385 Mon Sep 17 00:00:00 2001
From: duyiwei <duyiwei@kylinos.cn>
Date: Tue, 14 Jan 2025 14:22:39 +0800
Subject: [PATCH] fix CVE-2024-6104
Signed-off-by: duyiwei <duyiwei@kylinos.cn>
---
go.mod | 2 +-
go.sum | 4 +-
.../hashicorp/go-retryablehttp/CHANGELOG.md | 28 +++-
.../hashicorp/go-retryablehttp/CODEOWNERS | 2 +-
.../hashicorp/go-retryablehttp/Makefile | 2 +-
.../hashicorp/go-retryablehttp/README.md | 2 +-
.../go-retryablehttp/cert_error_go119.go | 14 ++
.../go-retryablehttp/cert_error_go120.go | 14 ++
.../hashicorp/go-retryablehttp/client.go | 132 ++++++++++++++----
vendor/modules.txt | 4 +-
10 files changed, 161 insertions(+), 43 deletions(-)
create mode 100644 vendor/github.com/hashicorp/go-retryablehttp/cert_error_go119.go
create mode 100644 vendor/github.com/hashicorp/go-retryablehttp/cert_error_go120.go
diff --git a/go.mod b/go.mod
index 3e320ed..4030f24 100644
--- a/go.mod
+++ b/go.mod
@@ -142,7 +142,7 @@ require (
github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jinzhu/copier v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 63af59b..68a83cf 100644
--- a/go.sum
+++ b/go.sum
@@ -646,8 +646,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:
github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md b/vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md
index 7a17b9f..33f901d 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md
+++ b/vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md
@@ -1,15 +1,33 @@
+## 0.7.7 (May 30, 2024)
+
+BUG FIXES:
+
+- client: avoid potentially leaking URL-embedded basic authentication credentials in logs (#158)
+
+## 0.7.6 (May 9, 2024)
+
+ENHANCEMENTS:
+
+- client: support a `RetryPrepare` function for modifying the request before retrying (#216)
+- client: support HTTP-date values for `Retry-After` header value (#138)
+- client: avoid reading entire body when the body is a `*bytes.Reader` (#197)
+
+BUG FIXES:
+
+- client: fix a broken check for invalid server certificate in go 1.20+ (#210)
+
## 0.7.5 (Nov 8, 2023)
-BUG FIXES
+BUG FIXES:
-- client: fixes an issue where the request body is not preserved on temporary redirects or re-established HTTP/2 connections [GH-207]
+- client: fixes an issue where the request body is not preserved on temporary redirects or re-established HTTP/2 connections (#207)
## 0.7.4 (Jun 6, 2023)
-BUG FIXES
+BUG FIXES:
-- client: fixing an issue where the Content-Type header wouldn't be sent with an empty payload when using HTTP/2 [GH-194]
+- client: fixing an issue where the Content-Type header wouldn't be sent with an empty payload when using HTTP/2 (#194)
## 0.7.3 (May 15, 2023)
-Initial release
+Initial release
\ No newline at end of file
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS b/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
index f8389c9..34b9cc8 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
+++ b/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
@@ -1 +1 @@
-* @hashicorp/release-engineering
\ No newline at end of file
+* @hashicorp/go-retryablehttp-maintainers
\ No newline at end of file
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/Makefile b/vendor/github.com/hashicorp/go-retryablehttp/Makefile
index da17640..5255241 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/Makefile
+++ b/vendor/github.com/hashicorp/go-retryablehttp/Makefile
@@ -2,7 +2,7 @@ default: test
test:
go vet ./...
- go test -race ./...
+ go test -v -race ./...
updatedeps:
go get -f -t -u ./...
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/README.md b/vendor/github.com/hashicorp/go-retryablehttp/README.md
index 8943bec..145a62f 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/README.md
+++ b/vendor/github.com/hashicorp/go-retryablehttp/README.md
@@ -59,4 +59,4 @@ standardClient := retryClient.StandardClient() // *http.Client
```
For more usage and examples see the
-[godoc](http://godoc.org/github.com/hashicorp/go-retryablehttp).
+[pkg.go.dev](https://pkg.go.dev/github.com/hashicorp/go-retryablehttp).
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/cert_error_go119.go b/vendor/github.com/hashicorp/go-retryablehttp/cert_error_go119.go
new file mode 100644
index 0000000..b2b27e8
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-retryablehttp/cert_error_go119.go
@@ -0,0 +1,14 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build !go1.20
+// +build !go1.20
+
+package retryablehttp
+
+import "crypto/x509"
+
+func isCertError(err error) bool {
+ _, ok := err.(x509.UnknownAuthorityError)
+ return ok
+}
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/cert_error_go120.go b/vendor/github.com/hashicorp/go-retryablehttp/cert_error_go120.go
new file mode 100644
index 0000000..a3cd315
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-retryablehttp/cert_error_go120.go
@@ -0,0 +1,14 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build go1.20
+// +build go1.20
+
+package retryablehttp
+
+import "crypto/tls"
+
+func isCertError(err error) bool {
+ _, ok := err.(*tls.CertificateVerificationError)
+ return ok
+}
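Review bot: `isCertError` uses a direct type assertion, so it matches only when `v.Err` is exactly `*tls.CertificateVerificationError`; an error that wraps it is not recognised and the request is retried even though the certificate failure is permanent. `errors.As(err, &target)` is cheap here and covers both the direct and the wrapped case; the go1.19 variant in the previous file would benefit from the same treatment with `x509.UnknownAuthorityError`.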
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index c9edbd0..efee53c 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -27,10 +27,8 @@ package retryablehttp
import (
"bytes"
"context"
- "crypto/x509"
"fmt"
"io"
- "io/ioutil"
"log"
"math"
"math/rand"
@@ -63,6 +61,10 @@ var (
// limit the size we consume to respReadLimit.
respReadLimit = int64(4096)
+ // timeNow sets the function that returns the current time.
+ // This defaults to time.Now. Changes to this should only be done in tests.
+ timeNow = time.Now
+
// A regular expression to match the error returned by net/http when the
// configured number of redirects is exhausted. This error isn't typed
// specifically so we resort to matching on the error string.
@@ -73,6 +75,11 @@ var (
// specifically so we resort to matching on the error string.
schemeErrorRe = regexp.MustCompile(`unsupported protocol scheme`)
+ // A regular expression to match the error returned by net/http when a
+ // request header or value is invalid. This error isn't typed
+ // specifically so we resort to matching on the error string.
+ invalidHeaderErrorRe = regexp.MustCompile(`invalid header`)
+
// A regular expression to match the error returned by net/http when the
// TLS certificate is not trusted. This error isn't typed
// specifically so we resort to matching on the error string.
@@ -248,21 +255,19 @@ func getBodyReaderAndContentLength(rawBody interface{}) (ReaderFunc, int64, erro
// deal with it seeking so want it to match here instead of the
// io.ReadSeeker case.
case *bytes.Reader:
- buf, err := ioutil.ReadAll(body)
- if err != nil {
- return nil, 0, err
- }
+ snapshot := *body
bodyReader = func() (io.Reader, error) {
- return bytes.NewReader(buf), nil
+ r := snapshot
+ return &r, nil
}
- contentLength = int64(len(buf))
+ contentLength = int64(body.Len())
// Compat case
case io.ReadSeeker:
raw := body
bodyReader = func() (io.Reader, error) {
_, err := raw.Seek(0, 0)
- return ioutil.NopCloser(raw), err
+ return io.NopCloser(raw), err
}
if lr, ok := raw.(LenReader); ok {
contentLength = int64(lr.Len())
@@ -270,7 +275,7 @@ func getBodyReaderAndContentLength(rawBody interface{}) (ReaderFunc, int64, erro
// Read all in so we can reset
case io.Reader:
- buf, err := ioutil.ReadAll(body)
+ buf, err := io.ReadAll(body)
if err != nil {
return nil, 0, err
}
@@ -393,6 +398,9 @@ type Backoff func(min, max time.Duration, attemptNum int, resp *http.Response) t
// attempted. If overriding this, be sure to close the body if needed.
type ErrorHandler func(resp *http.Response, err error, numTries int) (*http.Response, error)
+// PrepareRetry is called before retry operation. It can be used for example to re-sign the request
+type PrepareRetry func(req *http.Request) error
+
// Client is used to make HTTP requests. It adds additional functionality
// like automatic retries to tolerate minor outages.
type Client struct {
@@ -421,6 +429,9 @@ type Client struct {
// ErrorHandler specifies the custom error handler to use, if any
ErrorHandler ErrorHandler
+ // PrepareRetry can prepare the request for retry operation, for example re-sign it
+ PrepareRetry PrepareRetry
+
loggerInit sync.Once
clientInit sync.Once
}
@@ -494,11 +505,16 @@ func baseRetryPolicy(resp *http.Response, err error) (bool, error) {
return false, v
}
+ // Don't retry if the error was due to an invalid header.
+ if invalidHeaderErrorRe.MatchString(v.Error()) {
+ return false, v
+ }
+
// Don't retry if the error was due to TLS cert verification failure.
if notTrustedErrorRe.MatchString(v.Error()) {
return false, v
}
- if _, ok := v.Err.(x509.UnknownAuthorityError); ok {
+ if isCertError(v.Err) {
return false, v
}
}
@@ -535,10 +551,8 @@ func baseRetryPolicy(resp *http.Response, err error) (bool, error) {
func DefaultBackoff(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {
if resp != nil {
if resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode == http.StatusServiceUnavailable {
- if s, ok := resp.Header["Retry-After"]; ok {
- if sleep, err := strconv.ParseInt(s[0], 10, 64); err == nil {
- return time.Second * time.Duration(sleep)
- }
+ if sleep, ok := parseRetryAfterHeader(resp.Header["Retry-After"]); ok {
+ return sleep
}
}
}
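Review bot: the value returned by `parseRetryAfterHeader` is used as the sleep without being capped at `max`, so a server can dictate an arbitrarily long delay, and with the HTTP-date form now accepted a date years in the future does the same. The integer-seconds form already had this property, but the added date form makes it worth capping: clamp the parsed value to `max` (or ignore the header when it exceeds `max`) so that `RetryWaitMax` remains a real upper bound.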
@@ -551,6 +565,41 @@ func DefaultBackoff(min, max time.Duration, attemptNum int, resp *http.Response)
return sleep
}
+// parseRetryAfterHeader parses the Retry-After header and returns the
+// delay duration according to the spec: https://httpwg.org/specs/rfc7231.html#header.retry-after
+// The bool returned will be true if the header was successfully parsed.
+// Otherwise, the header was either not present, or was not parseable according to the spec.
+//
+// Retry-After headers come in two flavors: Seconds or HTTP-Date
+//
+// Examples:
+// * Retry-After: Fri, 31 Dec 1999 23:59:59 GMT
+// * Retry-After: 120
+func parseRetryAfterHeader(headers []string) (time.Duration, bool) {
+ if len(headers) == 0 || headers[0] == "" {
+ return 0, false
+ }
+ header := headers[0]
+ // Retry-After: 120
+ if sleep, err := strconv.ParseInt(header, 10, 64); err == nil {
+ if sleep < 0 { // a negative sleep doesn't make sense
+ return 0, false
+ }
+ return time.Second * time.Duration(sleep), true
+ }
+
+ // Retry-After: Fri, 31 Dec 1999 23:59:59 GMT
+ retryTime, err := time.Parse(time.RFC1123, header)
+ if err != nil {
+ return 0, false
+ }
+ if until := retryTime.Sub(timeNow()); until > 0 {
+ return until, true
+ }
+ // date is in the past
+ return 0, true
+}
+
// LinearJitterBackoff provides a callback for Client.Backoff which will
// perform linear backoff based on the attempt number and with jitter to
// prevent a thundering herd.
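Review bot: when the HTTP-date is in the past, `parseRetryAfterHeader` returns `0, true`, which makes `DefaultBackoff` sleep for zero time instead of falling back to the exponential backoff; returning `0, false` there keeps the computed wait and avoids a tight retry loop against a server that sends stale dates. Separately, `time.RFC1123` is the only date layout accepted, while the RFC 7231 section linked in the comment also permits the RFC 850 and asctime forms; `http.ParseTime` from net/http handles all three.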
@@ -578,13 +627,13 @@ func LinearJitterBackoff(min, max time.Duration, attemptNum int, resp *http.Resp
}
// Seed rand; doing this every time is fine
- rand := rand.New(rand.NewSource(int64(time.Now().Nanosecond())))
+ source := rand.New(rand.NewSource(int64(time.Now().Nanosecond())))
// Pick a random number that lies somewhere between the min and max and
// multiply by the attemptNum. attemptNum starts at zero so we always
// increment here. We first get a random percentage, then apply that to the
// difference between min and max, and add to min.
- jitter := rand.Float64() * float64(max-min)
+ jitter := source.Float64() * float64(max-min)
jitterMin := int64(jitter) + int64(min)
return time.Duration(jitterMin * int64(attemptNum))
}
@@ -609,19 +658,19 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if logger != nil {
switch v := logger.(type) {
case LeveledLogger:
- v.Debug("performing request", "method", req.Method, "url", req.URL)
+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
case Logger:
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
}
}
var resp *http.Response
var attempt int
var shouldRetry bool
- var doErr, respErr, checkErr error
+ var doErr, respErr, checkErr, prepareErr error
for i := 0; ; i++ {
- doErr, respErr = nil, nil
+ doErr, respErr, prepareErr = nil, nil, nil
attempt++
// Always rewind the request body when non-nil.
@@ -634,7 +683,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if c, ok := body.(io.ReadCloser); ok {
req.Body = c
} else {
- req.Body = ioutil.NopCloser(body)
+ req.Body = io.NopCloser(body)
}
}
@@ -666,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
if err != nil {
switch v := logger.(type) {
case LeveledLogger:
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
case Logger:
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
}
} else {
// Call this here to maintain the behavior of logging all requests,
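Review bot: the URL is now redacted in these log calls, but the `err` logged on the same lines is typically a `*url.Error` whose message embeds the request URL. Confirm that the password is stripped from that URL as well (the standard net/http client strips it from the `*url.Error` it returns, but a custom transport or `ErrorHandler` may not), otherwise the credential this change keeps out of the URL field reappears through the error string.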
@@ -704,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
if logger != nil {
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
if resp != nil {
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
}
@@ -728,17 +777,26 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
// without racing against the closeBody call in persistConn.writeLoop.
httpreq := *req.Request
req.Request = &httpreq
+
+ if c.PrepareRetry != nil {
+ if err := c.PrepareRetry(req.Request); err != nil {
+ prepareErr = err
+ break
+ }
+ }
}
// this is the closest we have to success criteria
- if doErr == nil && respErr == nil && checkErr == nil && !shouldRetry {
+ if doErr == nil && respErr == nil && checkErr == nil && prepareErr == nil && !shouldRetry {
return resp, nil
}
defer c.HTTPClient.CloseIdleConnections()
var err error
- if checkErr != nil {
+ if prepareErr != nil {
+ err = prepareErr
+ } else if checkErr != nil {
err = checkErr
} else if respErr != nil {
err = respErr
@@ -760,17 +818,17 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
// communicate why
if err == nil {
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
- req.Method, req.URL, attempt)
+ req.Method, redactURL(req.URL), attempt)
}
return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
- req.Method, req.URL, attempt, err)
+ req.Method, redactURL(req.URL), attempt, err)
}
// Try to read the response body so we can reuse this connection.
func (c *Client) drainBody(body io.ReadCloser) {
defer body.Close()
- _, err := io.Copy(ioutil.Discard, io.LimitReader(body, respReadLimit))
+ _, err := io.Copy(io.Discard, io.LimitReader(body, respReadLimit))
if err != nil {
if c.logger() != nil {
switch v := c.logger().(type) {
@@ -845,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
Transport: &RoundTripper{Client: c},
}
}
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+// We can switch to using it directly if we'll bump the minimum required go version.
+func redactURL(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+
+ ru := *u
+ if _, has := ru.User.Password(); has {
+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ }
+ return ru.String()
+}
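Review bot: the comment explains the local copy of `url.URL.Redacted` by the minimum Go version, but this same patch raises the module to `go 1.19` in vendor/modules.txt, so `u.Redacted()` can be called directly and `redactURL` reduced to a nil check. Like `Redacted`, the function keeps the username and replaces only the password; if usernames are treated as sensitive in this code base, the log lines that call it still expose them.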
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ad7472a..79b643e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -685,8 +685,8 @@ github.com/hashicorp/go-cleanhttp
# github.com/hashicorp/go-multierror v1.1.1
## explicit; go 1.13
github.com/hashicorp/go-multierror
-# github.com/hashicorp/go-retryablehttp v0.7.5
-## explicit; go 1.13
+# github.com/hashicorp/go-retryablehttp v0.7.7
+## explicit; go 1.19
github.com/hashicorp/go-retryablehttp
# github.com/hugelgupf/p9 v0.3.1-0.20230822151754-54f5c5530921
## explicit; go 1.20
--
2.33.0


@ -0,0 +1,350 @@
From b29db6d46b82a782641ed0016ccf53304529afb1 Mon Sep 17 00:00:00 2001
From: duyiwei <duyiwei@kylinos.cn>
Date: Wed, 15 Jan 2025 16:46:47 +0800
Subject: [PATCH] fix CVE-2024-28176
Signed-off-by: duyiwei <duyiwei@kylinos.cn>
---
go.mod | 2 +-
go.sum | 4 +-
.../gopkg.in/go-jose/go-jose.v2/CHANGELOG.md | 84 +++++++++++++
vendor/gopkg.in/go-jose/go-jose.v2/README.md | 118 ------------------
.../gopkg.in/go-jose/go-jose.v2/asymmetric.go | 3 +
vendor/gopkg.in/go-jose/go-jose.v2/crypter.go | 6 +
.../gopkg.in/go-jose/go-jose.v2/encoding.go | 2 +-
.../gopkg.in/go-jose/go-jose.v2/symmetric.go | 5 +
vendor/modules.txt | 2 +-
9 files changed, 103 insertions(+), 123 deletions(-)
create mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
delete mode 100644 vendor/gopkg.in/go-jose/go-jose.v2/README.md
diff --git a/go.mod b/go.mod
index 4030f24..94524d8 100644
--- a/go.mod
+++ b/go.mod
@@ -212,7 +212,7 @@ require (
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
google.golang.org/grpc v1.58.3 // indirect
- gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
+ gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
tags.cncf.io/container-device-interface/specs-go v0.6.0 // indirect
diff --git a/go.sum b/go.sum
index 68a83cf..47153a8 100644
--- a/go.sum
+++ b/go.sum
@@ -1563,8 +1563,8 @@ gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
-gopkg.in/go-jose/go-jose.v2 v2.6.1 h1:qEzJlIDmG9q5VO0M/o8tGS65QMHMS1w01TQJB1VPJ4U=
-gopkg.in/go-jose/go-jose.v2 v2.6.1/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
+gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
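Review bot: the h1: line for v2.6.3 is hand-edited here; since this patch also rewrites the vendored tree, regenerate go.sum and vendor/ with `go mod tidy` and `go mod vendor` against the module proxy instead, so the recorded hash is the one the checksum database holds. A mistyped hash only surfaces at build time as a checksum mismatch. The unchanged `/go.mod h1:` value is plausible if go-jose's go.mod did not change between v2.6.1 and v2.6.3, but regenerating the file confirms that as well.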
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
new file mode 100644
index 0000000..c77b25c
--- /dev/null
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
@@ -0,0 +1,84 @@
+# v4.0.1
+
+## Fixed
+
+ - An attacker could send a JWE containing compressed data that used large
+ amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
+ Those functions now return an error if the decompressed data would exceed
+ 250kB or 10x the compressed size (whichever is larger). Thanks to
+ Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
+ for reporting.
+
+# v4.0.0
+
+This release makes some breaking changes in order to more thoroughly
+address the vulnerabilities discussed in [Three New Attacks Against JSON Web
+Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
+token".
+
+## Changed
+
+ - Limit JWT encryption types (exclude password or public key types) (#78)
+ - Enforce minimum length for HMAC keys (#85)
+ - jwt: match any audience in a list, rather than requiring all audiences (#81)
+ - jwt: accept only Compact Serialization (#75)
+ - jws: Add expected algorithms for signatures (#74)
+ - Require specifying expected algorithms for ParseEncrypted,
+ ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
+ jwt.ParseSignedAndEncrypted (#69, #74)
+ - Usually there is a small, known set of appropriate algorithms for a program
+ to use and it's a mistake to allow unexpected algorithms. For instance the
+ "billion hash attack" relies in part on programs accepting the PBES2
+ encryption algorithm and doing the necessary work even if they weren't
+ specifically configured to allow PBES2.
+ - Revert "Strip padding off base64 strings" (#82)
+ - The specs require base64url encoding without padding.
+ - Minimum supported Go version is now 1.21
+
+## Added
+
+ - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
+ - These allow parsing a specific serialization, as opposed to ParseSigned and
+ ParseEncrypted, which try to automatically detect which serialization was
+ provided. It's common to require a specific serialization for a specific
+ protocol - for instance JWT requires Compact serialization.
+
+[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
+
+# v3.0.3
+
+## Fixed
+
+ - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
+
+# v3.0.2
+
+## Fixed
+
+ - DecryptMulti: handle decompression error (#19)
+
+## Changed
+
+ - jwe/CompactSerialize: improve performance (#67)
+ - Increase the default number of PBKDF2 iterations to 600k (#48)
+ - Return the proper algorithm for ECDSA keys (#45)
+
+## Added
+
+ - Add Thumbprint support for opaque signers (#38)
+
+# v3.0.1
+
+## Fixed
+
+ - Security issue: an attacker specifying a large "p2c" value can cause
+ JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
+ amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
+ disclosure and to Tom Tervoort for originally publishing the category of attack.
+ https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
+
+# v2.6.3
+
+## Fixed
+
+ - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
\ No newline at end of file
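Review bot: the file ends without a trailing newline ("\ No newline at end of file"); add one. More importantly, the v2.6.3 entry lists only the decompression limit, but this same patch also adds a p2c upper bound to symmetric.go (the item recorded here under v3.0.1 as 'an attacker specifying a large "p2c" value'); either record that backport under v2.6.3 or keep the vendored tree identical to the upstream tag so the CHANGELOG describes what is actually shipped.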
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/README.md b/vendor/gopkg.in/go-jose/go-jose.v2/README.md
deleted file mode 100644
index 46b02d6..0000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/README.md
+++ /dev/null
@@ -1,118 +0,0 @@
-# Go JOSE
-
-[![godoc](http://img.shields.io/badge/godoc-version_1-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v1)
-[![godoc](http://img.shields.io/badge/godoc-version_2-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2)
-[![license](http://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
-[![build](https://travis-ci.org/go-jose/go-jose.svg?branch=v2)](https://travis-ci.org/go-jose/go-jose)
-[![coverage](https://coveralls.io/repos/github/go-jose/go-jose/badge.svg?branch=v2)](https://coveralls.io/r/go-jose/go-jose)
-
-Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. This includes support for JSON Web Encryption,
-JSON Web Signature, and JSON Web Token standards.
-
-**Disclaimer**: This library contains encryption software that is subject to
-the U.S. Export Administration Regulations. You may not export, re-export,
-transfer or download this code or any part of it in violation of any United
-States law, directive or regulation. In particular this software may not be
-exported or re-exported in any form or on any media to Iran, North Sudan,
-Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
-US maintained blocked list.
-
-## Overview
-
-The implementation follows the
-[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516) (RFC 7516),
-[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515) (RFC 7515), and
-[JSON Web Token](http://dx.doi.org/10.17487/RFC7519) (RFC 7519).
-Tables of supported algorithms are shown below. The library supports both
-the compact and full serialization formats, and has optional support for
-multiple recipients. It also comes with a small command-line utility
-([`jose-util`](https://github.com/go-jose/go-jose/tree/v2/jose-util))
-for dealing with JOSE messages in a shell.
-
-**Note**: We use a forked version of the `encoding/json` package from the Go
-standard library which uses case-sensitive matching for member names (instead
-of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)).
-This is to avoid differences in interpretation of messages between go-jose and
-libraries in other languages.
-
-### Versions
-
-We use [gopkg.in](https://gopkg.in) for versioning.
-
-[Version 2](https://gopkg.in/go-jose/go-jose.v2)
-([branch](https://github.com/go-jose/go-jose/tree/v2),
-[doc](https://godoc.org/gopkg.in/go-jose/go-jose.v2)) is the current version:
-
- import "gopkg.in/go-jose/go-jose.v2"
-
-The old `v1` branch ([go-jose.v1](https://gopkg.in/go-jose/go-jose.v1)) will
-still receive backported bug fixes and security fixes, but otherwise
-development is frozen. All new feature development takes place on the `v2`
-branch. Version 2 also contains additional sub-packages such as the
-[jwt](https://godoc.org/gopkg.in/go-jose/go-jose.v2/jwt) implementation
-contributed by [@shaxbee](https://github.com/shaxbee).
-
-### Supported algorithms
-
-See below for a table of supported algorithms. Algorithm identifiers match
-the names in the [JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518)
-standard where possible. The Godoc reference has a list of constants.
-
- Key encryption | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSA-PKCS#1v1.5 | RSA1_5
- RSA-OAEP | RSA-OAEP, RSA-OAEP-256
- AES key wrap | A128KW, A192KW, A256KW
- AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW
- ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
- ECDH-ES (direct) | ECDH-ES<sup>1</sup>
- Direct encryption | dir<sup>1</sup>
-
-<sup>1. Not supported in multi-recipient mode</sup>
-
- Signing / MAC | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSASSA-PKCS#1v1.5 | RS256, RS384, RS512
- RSASSA-PSS | PS256, PS384, PS512
- HMAC | HS256, HS384, HS512
- ECDSA | ES256, ES384, ES512
- Ed25519 | EdDSA<sup>2</sup>
-
-<sup>2. Only available in version 2 of the package</sup>
-
- Content encryption | Algorithm identifier(s)
- :------------------------- | :------------------------------
- AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- AES-GCM | A128GCM, A192GCM, A256GCM
-
- Compression | Algorithm identifiers(s)
- :------------------------- | -------------------------------
- DEFLATE (RFC 1951) | DEF
-
-### Supported key types
-
-See below for a table of supported key types. These are understood by the
-library, and can be passed to corresponding functions such as `NewEncrypter` or
-`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
-allows attaching a key id.
-
- Algorithm(s) | Corresponding types
- :------------------------- | -------------------------------
- RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey)
- ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey)
- EdDSA<sup>1</sup> | [ed25519.PublicKey](https://godoc.org/golang.org/x/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://godoc.org/golang.org/x/crypto/ed25519#PrivateKey)
- AES, HMAC | []byte
-
-<sup>1. Only available in version 2 of the package</sup>
-
-## Examples
-
-[![godoc](http://img.shields.io/badge/godoc-version_1-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v1)
-[![godoc](http://img.shields.io/badge/godoc-version_2-blue.svg?style=flat)](https://godoc.org/gopkg.in/go-jose/go-jose.v2)
-
-Examples can be found in the Godoc
-reference for this package. The
-[`jose-util`](https://github.com/go-jose/go-jose/tree/v2/jose-util)
-subdirectory also contains a small command-line utility which might be useful
-as an example.
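Review bot: check that deleting vendor/gopkg.in/go-jose/go-jose.v2/README.md is what `go mod vendor` produces for v2.6.3 rather than a manual cleanup. `go build -mod=vendor` only checks that vendor/modules.txt agrees with go.mod; it does not detect a vendored tree whose files differ from the recorded version, so hand edits here drift from upstream without any build-time signal.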
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
index 3ca79cc..43f9ce2 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
@@ -285,6 +285,9 @@ func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm
switch alg {
case RS256, RS384, RS512:
+ // TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the
+ // random parameter is legacy and ignored, and it can be nil.
+ // https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1
out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed)
case PS256, PS384, PS512:
out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
index 73aab0f..0ae2e5e 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
// Decrypt and validate the object and return the plaintext. Note that this
// function does not support multi-recipient, if you desire multi-recipient
// decryption use DecryptMulti instead.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
headers := obj.mergedHeaders(nil)
@@ -470,6 +473,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
// with support for multiple recipients. It returns the index of the recipient
// for which the decryption was successful, the merged headers for that recipient,
// and the plaintext.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
globalHeaders := obj.mergedHeaders(nil)
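Review bot: the DecryptMulti comment says the limit is ">3x the size of the compressed data" while the Decrypt comment in the previous hunk and the CHANGELOG both say 10x; unless DecryptMulti really applies a different ratio, change it to 10x so the documentation matches the enforced check. Both comments also describe a bound that has to live in the decompression code in encoding.go, which this patch does not add (see that hunk).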
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
index 9111733..636f6c8 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
@@ -21,11 +21,11 @@ import (
"compress/flate"
"encoding/base64"
"encoding/binary"
+ "fmt"
"io"
"math/big"
"strings"
"unicode"
- "fmt"
"gopkg.in/go-jose/go-jose.v2/json"
)
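Review bot: this hunk only moves the already-present `"fmt"` import into sorted position; the size-limited decompression promised by the new Decrypt/DecryptMulti comments and the v2.6.3 CHANGELOG entry is not part of this patch. The out-of-order import suggests an earlier patch (the spec lists 0005-fix-CVE-2024-28180.patch) already added that code; verify that encoding.go actually enforces the 250kB / 10x bound before merging, otherwise the comments document a guard that does not exist.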
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
index 2b8076f..52c8b62 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
@@ -402,6 +402,11 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
if p2c <= 0 {
return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
}
+ if p2c > 1000000 {
+ // An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
+ // DoS attacks.
+ return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high")
+ }
// salt is UTF8(Alg) || 0x00 || Salt Input
alg := headers.getAlgorithm()
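Review bot: 1000000 is a magic number; give it a name (for example a maxP2C constant beside the existing `p2c <= 0` check) and record the rationale, since the CHANGELOG notes the library's own default PBKDF2 count is 600k and the ceiling must stay above what legitimate issuers use. Rejecting the value before any PBKDF2 work starts is the right place, because p2c is unauthenticated header input; consider including the limit in the error text so operators can distinguish a hostile token from a mis-tuned issuer.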
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 79b643e..a80fb52 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1345,7 +1345,7 @@ google.golang.org/protobuf/types/gofeaturespb
google.golang.org/protobuf/types/known/anypb
google.golang.org/protobuf/types/known/durationpb
google.golang.org/protobuf/types/known/timestamppb
-# gopkg.in/go-jose/go-jose.v2 v2.6.1
+# gopkg.in/go-jose/go-jose.v2 v2.6.3
## explicit
gopkg.in/go-jose/go-jose.v2
gopkg.in/go-jose/go-jose.v2/cipher
--
2.33.0

@ -2,7 +2,7 @@
Name: podman
Version: 4.9.4
Release: 9
Release: 14
Summary: A tool for managing OCI containers and pods.
Epoch: 1
License: Apache-2.0 and MIT
@ -11,12 +11,16 @@ Source0: https://github.com/containers/podman/archive/refs/tags/v%{version
Source1: https://github.com/containers/dnsname/archive/18822f9a4fb35d1349eb256f4cd2bfd372474d84/dnsname-18822f9.tar.gz
Source2: https://github.com/containers/gvisor-tap-vsock/archive/refs/tags/v0.7.1.tar.gz
Source3: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch
Patch0001: 0001-fix-CVE-2024-28180.patch
Patch0001: 0001-podman-4.9.4-add-support-for-loongarch64.patch
Patch0002: 0002-fix-CVE-2023-3978.patch
Patch0003: 0003-fix-CVE-2023-48795.patch
Patch0004: 0004-fix-CVE-2022-3064.patch
Patch0005: 0005-fix-CVE-2024-28180.patch
Patch0006: 0006-fix-CVE-2024-9676-CVE-2024-9675-CVE-2024-9407-CVE-2024-9341.patch
Patch0007: 0007-fix-CVE-2024-37298.patch
Patch0008: 0008-fix-CVE-2024-6104.patch
Patch0009: 0009-fix-CVE-2024-28176.patch
BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
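Review bot: Patch0001 changes meaning in this hunk: it was 0001-fix-CVE-2024-28180.patch and is now the loongarch64 support patch, with the CVE fix moved to Patch0005. Every `%patch0001` line in %prep must follow that renumbering; the %prep hunk below still shows an unconditional `%patch0001 -p1` before the tarballs are extracted. Also, 0009-fix-CVE-2024-28176.patch and 0005-fix-CVE-2024-28180.patch both touch the vendored go-jose tree, so confirm the two apply cleanly in sequence (0009 reorders a `fmt` import that 0005 appears to have introduced).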
@ -117,16 +121,26 @@ when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
%prep
%setup -n %{name}-%{version}
sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
%patch0001 -p1
# untar dnsname
tar zxf %{SOURCE1}
%patch0002 -p1
%patch0004 -p1
# untar %%{name}-gvproxy
tar zxf %{SOURCE2}
%patch0003 -p1
# untar go-md2man
tar zxf %{SOURCE3}
# apply patch
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%ifarch loongarch64
cd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
export GOSUMDB="sum.golang.org"
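Review bot: the unconditional `%patch0001 -p1` at the top of %prep now applies the loongarch64 patch on every architecture (Patch0001 was renumbered in the Patch list above), and the same patch is applied a second time inside `%ifarch loongarch64` after `cd -` in the next hunk, which will normally fail as an already-applied patch; drop the top-level line. Separately, every patch is now applied only after all three tarballs are extracted, whereas 0002/0004 used to follow the dnsname extraction and 0003 the gvproxy extraction; if those patches touch the extracted trees, verify their -p1 paths still resolve from the top directory.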
@ -136,7 +150,7 @@ go mod tidy
go mod download
go mod vendor
cd -
%patch0 -p1
%patch0001 -p1
%endif
@ -300,6 +314,27 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
%{_bindir}/%{name}sh
%changelog
* Wed Jan 15 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-14
- fix-CVE-2024-28176
* Tue Jan 14 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-13
- fix-CVE-2024-6104
* Mon Jan 13 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-12
- fix-CVE-2024-37298
* Fri Jan 10 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-11
- Type:bugfix
- CVE:CVE-2024-9676,CVE-2024-9675, CVE-2024-9407,CVE-2024-9341
- SUG:NA
- DESC: fix CVE-2024-9676,CVE-2024-9675, CVE-2024-9407, and CVE-2024-9341
* Thu Jan 09 2025 duyiwei <duyiwei@kylinos.cn> - 1:4.9.4-10
- Type:bugfix
- CVE:CVE-2024-9355、CVE-2019-9514、CVE-2024-24791、CVE-2022-32189、CVE-2022-41715、CVE-2022-2880、CVE-2022-1962、CVE-2023-45290、CVE-2024-24783、CVE-2024-24785
- SUG:NA
- DESC: Optimize spec files and fix CVE in batches through rebuild
* Tue Aug 20 2024 Xuebing Li <lixuebing@cqsoftware.com.cn> - 1:4.9.4-9
- Add 'Buildarch: noarch' to the help subpackage
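Review bot: the new -12, -13 and -14 entries use a bare "fix-CVE-…" line while the -10 and -11 entries use the Type/CVE/SUG/DESC form; use one format, preferably the structured one so tooling that reads the CVE: field sees these fixes too. In the -10 entry the CVE list is separated with full-width "、" rather than ASCII commas, which such tooling will not split on; replace them with ",".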

@ -1,4 +1,4 @@
version_control: github
src_repo: containers/libpod
src_repo: containers/podman
tag_prefix: ^v
seperator: .