!27 [sync] PR-22: openEuler-22.03-LTS-Next Packages upgrade

From: @openeuler-sync-bot Reviewed-by: @yangzhao_kl, @small_leek Signed-off-by: @yangzhao_kl, @small_leek
2022-04-24 01:10:37 +00:00 · 2022-04-24 01:10:37 +00:00 · fe97ba98e9
commit fe97ba98e9
parent 492d065b7c 578245d51a
4 changed files with 8 additions and 41 deletions
--- a/CVE-2021-29136.patch
+++ b/CVE-2021-29136.patch
@ -1,35 +0,0 @@
-From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Wed, 24 Mar 2021 00:17:06 +1100
-Subject: [PATCH] layer: don't permit / type to be changed on extraction
-
-If users can change the type of / to a symlink, they can cause umoci to
-overwrite host files. This is obviously bad, and is not caught by the
-rest of our directory escape detection code because the root itself has
-been changed to a different directory.
-
-Fixes: CVE-2021-29136
-Reported-by: Robin Peraglie <robin@cure53.de>
-Tested-by: Daniel Dao <dqminh89@gmail.com>
-Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
- oci/layer/tar_extract.go | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
-index 1b8c3d67..d7414105 100644
--- a/oci/layer/tar_extract.go
-+++ b/oci/layer/tar_extract.go
-@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
- 	if filepath.Join("/", hdr.Name) == "/" {
- 		// If we got an entry for the root, then unsafeDir is the full path.
- 		unsafeDir, file = hdr.Name, "."
-+		// If we're being asked to change the root type, bail because they may
-+		// change it to a symlink which we could inadvertently follow.
-+		if hdr.Typeflag != tar.TypeDir {
-+			return errors.New("malicious tar entry -- refusing to change type of root directory")
-+		}
- 	}
- 	dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
- 	if err != nil {
--- a/umoci.spec
+++ b/umoci.spec
@ -3,14 +3,13 @@
 %define tempdir github.com/openSUSE/umoci

 Name:           umoci
-Version:        0.4.5
-Release:        5
+Version:        0.4.7
+Release:        1
 Summary:        Open Container Image manipulation tool
-License:        Apache-2.0
+License:        ISC and MIT and Apache-2.0
 URL:            https://github.com/opencontainers/umoci
-Source0:        https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz
+Source0:        https://github.com/opencontainers/umoci/archive/v0.4.7.tar.gz
 Source1:        https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
-Patch0:         CVE-2021-29136.patch
 BuildRequires:  fdupes go >= 1.6

 %description
@ -35,7 +34,7 @@ mkdir -pv $HOME/go/src/%{tempdir}
 rm -rf $HOME/go/src/%{tempdir}/*
 cp -ar * $HOME/go/src/%{tempdir}
 make umoci
-make local-doc
+make docs

 %install
 install -D -m 0755 %{name} %{buildroot}/%{_bindir}/%{name}
@ -55,6 +54,9 @@ done
 %{_mandir}/man1/umoci*

 %changelog
+* Tue Jan 18 2022 SimpleUpdate Robot <tc@openeuler.org> - 0.4.7-1
+- Upgrade to version 0.4.7
+
 * Fri Apr 16 2021 wangyue <wangyue92@huawei.com> - 0.4.5-5
 - Fix CVE-2021-29136

--- a/v0.4.5.tar.gz
+++ b/v0.4.5.tar.gz
--- a/v0.4.7.tar.gz
+++ b/v0.4.7.tar.gz