Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package firecracker for openSUSE:Factory checked in at 2026-01-22 15:16:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/firecracker (Old) and /work/SRC/openSUSE:Factory/.firecracker.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "firecracker" Thu Jan 22 15:16:10 2026 rev:19 rq:1328604 version:1.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/firecracker/firecracker.changes 2025-12-23 13:45:27.312278361 +0100 +++ /work/SRC/openSUSE:Factory/.firecracker.new.1928/firecracker.changes 2026-01-22 15:18:11.376256124 +0100 @@ -1,0 +2,7 @@ +Tue Jan 20 15:35:00 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.14.1: + * Changed + - #5631: Update binary copy process inside Jailer to disallow symlinks and hardlinks at the destination path and change ownership of the copied binary to the specified uid/gid. + +------------------------------------------------------------------- @@ -5,7 +12,12 @@ - * Added support for virtio-pmem devices. See documentation for more info - * Added support for memory hot-plugging through the virtio-mem device - * Added support for virtio-balloon free page reporting and hinting - * Balloon stats now supports guest kernel >= 6.12, adding metrics on guest OOM - kills, memory allocation stalls, and memory scan/reclaim info. - * Removed the rx_partial_writes, tx_partial_reads, sync_response_fails, - sync_vmm_send_timeout_count, deprecated_cmd_line_api_calls, log_fails and + * Added support for virtio-pmem devices. See documentation for + more info + * Added support for memory hot-plugging through the virtio-mem + device + * Added support for virtio-balloon free page reporting and + hinting + * Balloon stats now supports guest kernel >= 6.12, adding metrics + on guest OOM kills, memory allocation stalls, and memory + scan/reclaim info. + * Removed the rx_partial_writes, tx_partial_reads, + sync_response_fails, sync_vmm_send_timeout_count, + deprecated_cmd_line_api_calls, log_fails and @@ -14,4 +26,5 @@ - * imds_comat. This caused auto-generated clients to create bad requests. - * Fixed Intel AMX enabling for kernels that support dynamic XSTATE features for - userspace applications but not for KVM guests (e.g. kernel versions >= 5.16 - and < 5.17). + * imds_comat. This caused auto-generated clients to create bad + requests. + * Fixed Intel AMX enabling for kernels that support dynamic + XSTATE features for userspace applications but not for KVM + guests (e.g. kernel versions >= 5.16 and < 5.17). @@ -20,2 +33,2 @@ - * Fixed a watchdog soft lockup bug on microVMs restored from snapshots by - calling KVM_KVMCLOCK_CTRL ioctl before resuming + * Fixed a watchdog soft lockup bug on microVMs restored from + snapshots by calling KVM_KVMCLOCK_CTRL ioctl before resuming Old: ---- firecracker-1.14.0.obscpio New: ---- firecracker-1.14.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ firecracker.spec ++++++ --- /var/tmp/diff_new_pack.fENAd2/_old 2026-01-22 15:18:12.976322847 +0100 +++ /var/tmp/diff_new_pack.fENAd2/_new 2026-01-22 15:18:12.976322847 +0100 @@ -1,7 +1,7 @@ # # spec file for package firecracker # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: firecracker -Version: 1.14.0 +Version: 1.14.1 Release: 0 Summary: Virtual Machine Monitor for creating microVMs License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.fENAd2/_old 2026-01-22 15:18:13.008324182 +0100 +++ /var/tmp/diff_new_pack.fENAd2/_new 2026-01-22 15:18:13.012324349 +0100 @@ -2,7 +2,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/firecracker-microvm/firecracker.git</param> <param name="scm">git</param> - <param name="revision">v1.14.0</param> + <param name="revision">v1.14.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fENAd2/_old 2026-01-22 15:18:13.032325183 +0100 +++ /var/tmp/diff_new_pack.fENAd2/_new 2026-01-22 15:18:13.040325516 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/firecracker-microvm/firecracker.git</param> - <param name="changesrevision">7137308817dc65e2ae85a39269bd09f3884f662d</param></service></servicedata> + <param name="changesrevision">37593df439aeb19fc70b292e618770108e563e7e</param></service></servicedata> (No newline at EOF) ++++++ firecracker-1.14.0.obscpio -> firecracker-1.14.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/.cargo/audit.toml new/firecracker-1.14.1/.cargo/audit.toml --- old/firecracker-1.14.0/.cargo/audit.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/.cargo/audit.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,7 +1,12 @@ [advisories] -# The `paste` dependency is transitively included via `gdbstub`. -# While the crate is archived/unmaintained, the author considers it feature-complete -# and functionally stable. gdbstub will be update once they migrate -# to an alternative solution. -# See https://github.com/daniel5151/gdbstub/issues/168 -ignore = ["RUSTSEC-2024-0436"] +ignore = [ + # The `paste` dependency is transitively included via `gdbstub`. + # While the crate is archived/unmaintained, the author considers it feature-complete + # and functionally stable. gdbstub will be update once they migrate + # to an alternative solution. + # See https://github.com/daniel5151/gdbstub/issues/168 + "RUSTSEC-2024-0436", + # Temporary exclusion of the bincode crate advisory + # while we are working on migration to a substitution. + "RUSTSEC-2025-0141", +] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/CHANGELOG.md new/firecracker-1.14.1/CHANGELOG.md --- old/firecracker-1.14.0/CHANGELOG.md 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/CHANGELOG.md 2026-01-19 13:55:20.000000000 +0100 @@ -6,7 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [1.14.0] +## [1.14.1] + +### Changed + +- [#5631](https://github.com/firecracker-microvm/firecracker/pull/5631): Update + binary copy process inside Jailer to disallow symlinks and hardlinks at the + destination path and change ownership of the copied binary to the specified + uid/gid. + +## [v1.14.0] ### Added diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/Cargo.lock new/firecracker-1.14.1/Cargo.lock --- old/firecracker-1.14.0/Cargo.lock 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/Cargo.lock 2026-01-19 13:55:20.000000000 +0100 @@ -391,7 +391,7 @@ [[package]] name = "cpu-template-helper" -version = "1.14.0" +version = "1.14.1" dependencies = [ "clap", "displaydoc", @@ -554,7 +554,7 @@ [[package]] name = "firecracker" -version = "1.14.0" +version = "1.14.1" dependencies = [ "cargo_toml", "displaydoc", @@ -703,7 +703,7 @@ [[package]] name = "jailer" -version = "1.14.0" +version = "1.14.1" dependencies = [ "libc", "log-instrument", @@ -1078,7 +1078,7 @@ [[package]] name = "rebase-snap" -version = "1.14.0" +version = "1.14.1" dependencies = [ "displaydoc", "libc", @@ -1178,7 +1178,7 @@ [[package]] name = "seccompiler" -version = "1.14.0" +version = "1.14.1" dependencies = [ "bincode", "clap", @@ -1275,7 +1275,7 @@ [[package]] name = "snapshot-editor" -version = "1.14.0" +version = "1.14.1" dependencies = [ "clap", "clap-num", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/cpu-template-helper/Cargo.toml new/firecracker-1.14.1/src/cpu-template-helper/Cargo.toml --- old/firecracker-1.14.0/src/cpu-template-helper/Cargo.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/cpu-template-helper/Cargo.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "cpu-template-helper" -version = "1.14.0" +version = "1.14.1" authors = ["Amazon Firecracker team <[email protected]>"] edition = "2024" license = "Apache-2.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/firecracker/Cargo.toml new/firecracker-1.14.1/src/firecracker/Cargo.toml --- old/firecracker-1.14.0/src/firecracker/Cargo.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/firecracker/Cargo.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "firecracker" -version = "1.14.0" +version = "1.14.1" authors = ["Amazon Firecracker team <[email protected]>"] edition = "2024" build = "build.rs" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/firecracker/swagger/firecracker.yaml new/firecracker-1.14.1/src/firecracker/swagger/firecracker.yaml --- old/firecracker-1.14.0/src/firecracker/swagger/firecracker.yaml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/firecracker/swagger/firecracker.yaml 2026-01-19 13:55:20.000000000 +0100 @@ -5,7 +5,7 @@ The API is accessible through HTTP calls on specific URLs carrying JSON modeled data. The transport medium is a Unix Domain Socket. - version: 1.14.0 + version: 1.14.1 termsOfService: "" contact: email: "[email protected]" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/jailer/Cargo.toml new/firecracker-1.14.1/src/jailer/Cargo.toml --- old/firecracker-1.14.0/src/jailer/Cargo.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/jailer/Cargo.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "jailer" -version = "1.14.0" +version = "1.14.1" authors = ["Amazon Firecracker team <[email protected]>"] edition = "2024" description = "Process for starting Firecracker in production scenarios; applies a cgroup/namespace isolation barrier and then drops privileges." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/jailer/src/env.rs new/firecracker-1.14.1/src/jailer/src/env.rs --- old/firecracker-1.14.0/src/jailer/src/env.rs 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/jailer/src/env.rs 2026-01-19 13:55:20.000000000 +0100 @@ -5,7 +5,7 @@ use std::fs::{self, File, OpenOptions, Permissions, canonicalize, read_to_string}; use std::io; use std::io::Write; -use std::os::unix::fs::PermissionsExt; +use std::os::unix::fs::{MetadataExt, OpenOptionsExt, PermissionsExt, fchown}; use std::os::unix::io::AsRawFd; use std::os::unix::process::CommandExt; use std::path::{Component, Path, PathBuf}; @@ -478,7 +478,35 @@ // Firecracker binary (like the executable .text section), this latter part is not // desirable in Firecracker's threat model. Copying prevents 2 Firecracker processes from // sharing memory. - fs::copy(&self.exec_file_path, &jailer_exec_file_path).map_err(|err| { + let mut src_file = OpenOptions::new() + .read(true) + .open(&self.exec_file_path) + .map_err(|err| JailerError::Open(self.exec_file_path.clone(), err))?; + let src_file_metadata = src_file + .metadata() + .map_err(|err| JailerError::Metadata(self.exec_file_path.clone(), err))?; + let src_file_mode = src_file_metadata.mode(); + let mut dst_file = OpenOptions::new() + .write(true) + .create(true) + // Don't allow symlinks + .custom_flags(libc::O_NOFOLLOW) + .mode(src_file_mode) + .open(&jailer_exec_file_path) + .map_err(|err| JailerError::Open(jailer_exec_file_path.clone(), err))?; + let dst_file_metadata = dst_file + .metadata() + .map_err(|err| JailerError::Metadata(jailer_exec_file_path.clone(), err))?; + if 1 < dst_file_metadata.nlink() { + return Err(JailerError::HardLink(jailer_exec_file_path.clone())); + } + + // Mark destination file as owned by the specified uid/gid + fchown(&dst_file, Some(self.uid()), Some(self.gid())) + .map_err(|err| JailerError::ChangeFileOwner(jailer_exec_file_path.clone(), err))?; + + // Ignore the output since it is not interesting in this case + _ = std::io::copy(&mut src_file, &mut dst_file).map_err(|err| { JailerError::Copy( self.exec_file_path.clone(), jailer_exec_file_path.clone(), @@ -629,7 +657,10 @@ // If daemonization was requested, open /dev/null before chrooting. let dev_null = if self.daemonize { - Some(File::open("/dev/null").map_err(JailerError::OpenDevNull)?) + Some( + File::open("/dev/null") + .map_err(|err| JailerError::Open("/dev/null".into(), err))?, + ) } else { None }; @@ -1212,7 +1243,6 @@ env.copy_exec_to_chroot().unwrap(), exec_file_name.to_os_string() ); - let dest_path = env.chroot_dir.join(exec_file_name); // Check that `fs::copy()` copied src content and permission bits to destination. let metadata_src = fs::metadata(&env.exec_file_path).unwrap(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/jailer/src/main.rs new/firecracker-1.14.1/src/jailer/src/main.rs --- old/firecracker-1.14.0/src/jailer/src/main.rs 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/jailer/src/main.rs 2026-01-19 13:55:20.000000000 +0100 @@ -90,8 +90,12 @@ GetSid(io::Error), #[error("Invalid gid: {0}")] Gid(String), + #[error("Detected hard link at: {0}")] + HardLink(PathBuf), #[error("Invalid instance ID: {0}")] InvalidInstanceId(validators::ValidatorError), + #[error("Cannot get metadata for a file: {0}: {1}")] + Metadata(PathBuf, io::Error), #[error("{}", format!("File {:?} doesn't have a parent", .0).replace('\"', ""))] MissingParent(PathBuf), #[error("Failed to create the jail root directory before pivoting root: {0}")] @@ -106,8 +110,8 @@ NotAFile(PathBuf), #[error("{}", format!("{:?} is not a directory", .0).replace('\"', ""))] NotADirectory(PathBuf), - #[error("Failed to open /dev/null: {0}")] - OpenDevNull(io::Error), + #[error("Failed to open {0}: {1}")] + Open(PathBuf, io::Error), #[error("{}", format!("Failed to parse path {:?} into an OsString", .0).replace('\"', ""))] OsStringParsing(PathBuf, OsString), #[error("Failed to pivot root: {0}")] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/rebase-snap/Cargo.toml new/firecracker-1.14.1/src/rebase-snap/Cargo.toml --- old/firecracker-1.14.0/src/rebase-snap/Cargo.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/rebase-snap/Cargo.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "rebase-snap" -version = "1.14.0" +version = "1.14.1" authors = ["Amazon Firecracker team <[email protected]>"] edition = "2024" license = "Apache-2.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/seccompiler/Cargo.toml new/firecracker-1.14.1/src/seccompiler/Cargo.toml --- old/firecracker-1.14.0/src/seccompiler/Cargo.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/seccompiler/Cargo.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "seccompiler" -version = "1.14.0" +version = "1.14.1" authors = ["Amazon Firecracker team <[email protected]>"] edition = "2024" description = "Program that compiles multi-threaded seccomp-bpf filters expressed as JSON into raw BPF programs, serializing them and outputting them to a file." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/src/snapshot-editor/Cargo.toml new/firecracker-1.14.1/src/snapshot-editor/Cargo.toml --- old/firecracker-1.14.0/src/snapshot-editor/Cargo.toml 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/src/snapshot-editor/Cargo.toml 2026-01-19 13:55:20.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "snapshot-editor" -version = "1.14.0" +version = "1.14.1" authors = ["Amazon Firecracker team <[email protected]>"] edition = "2024" license = "Apache-2.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/firecracker-1.14.0/tests/integration_tests/security/test_jail.py new/firecracker-1.14.1/tests/integration_tests/security/test_jail.py --- old/firecracker-1.14.0/tests/integration_tests/security/test_jail.py 2025-12-17 15:53:31.000000000 +0100 +++ new/firecracker-1.14.1/tests/integration_tests/security/test_jail.py 2026-01-19 13:55:20.000000000 +0100 @@ -107,6 +107,44 @@ test_microvm.spawn() +def test_exec_destination_path_is_symlink(uvm_plain): + """ + Test the jailer correctly refuses to copy binary into symlink + """ + test_microvm = uvm_plain + + firecracker_root_dir = Path(test_microvm.chroot()) + firecracker_bin_path = firecracker_root_dir / "firecracker" + dummy_path = Path("/srv/dummy") + dummy_path.unlink(missing_ok=True) + dummy_path.touch() + firecracker_bin_path.symlink_to(dummy_path) + with pytest.raises( + Exception, + match=f"Failed to open {firecracker_bin_path}", + ): + test_microvm.spawn() + + +def test_exec_destination_path_is_hardlink(uvm_plain): + """ + Test the jailer correctly refuses to copy binary into hardlink + """ + test_microvm = uvm_plain + + firecracker_root_dir = Path(test_microvm.chroot()) + firecracker_bin_path = firecracker_root_dir / "firecracker" + dummy_path = Path("/srv/dummy") + dummy_path.unlink(missing_ok=True) + dummy_path.touch() + firecracker_bin_path.hardlink_to(dummy_path) + with pytest.raises( + Exception, + match=f"Detected hard link at: {firecracker_bin_path}", + ): + test_microvm.spawn() + + def test_default_chroot_hierarchy(uvm_plain): """ Test the folder hierarchy created by default by the jailer. @@ -154,7 +192,10 @@ test_microvm.jailer.gid, ) check_stats( - os.path.join(test_microvm.jailer.chroot_path(), "firecracker"), FILE_STATS, 0, 0 + os.path.join(test_microvm.jailer.chroot_path(), "firecracker"), + FILE_STATS, + test_microvm.jailer.uid, + test_microvm.jailer.gid, ) ++++++ firecracker.obsinfo ++++++ --- /var/tmp/diff_new_pack.fENAd2/_old 2026-01-22 15:18:14.544388236 +0100 +++ /var/tmp/diff_new_pack.fENAd2/_new 2026-01-22 15:18:14.544388236 +0100 @@ -1,5 +1,5 @@ name: firecracker -version: 1.14.0 -mtime: 1765983211 -commit: 7137308817dc65e2ae85a39269bd09f3884f662d +version: 1.14.1 +mtime: 1768827320 +commit: 37593df439aeb19fc70b292e618770108e563e7e ++++++ vendor.tar.xz ++++++ /work/SRC/openSUSE:Factory/firecracker/vendor.tar.xz /work/SRC/openSUSE:Factory/.firecracker.new.1928/vendor.tar.xz differ: char 15, line 1
