Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package containerd.16723 for 
openSUSE:Leap:15.2:Update checked in at 2021-07-23 20:06:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/containerd.16723 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.containerd.16723.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "containerd.16723"

Fri Jul 23 20:06:06 2021 rev:1 rq:907343 version:1.4.4

Changes:
--------
New Changes file:

--- /dev/null   2021-07-22 10:06:18.349420535 +0200
+++ 
/work/SRC/openSUSE:Leap:15.2:Update/.containerd.16723.new.1899/containerd.changes
   2021-07-23 20:06:06.446002134 +0200
@@ -0,0 +1,489 @@
+-------------------------------------------------------------------
+Wed Jul 14 10:23:38 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Add patch for CVE-2021-32760. bsc#1188282
+  + bsc1188282-use-chmod-path-for-checking-symlink.patch
+
+-------------------------------------------------------------------
+Fri Apr 16 05:25:40 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Drop long-since upstreamed patch, originally needed to fix i386 builds on
+  SLES:
+  - 0001-makefile-remove-emoji.patch
+
+-------------------------------------------------------------------
+Sat Mar  6 07:17:00 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.4.4, to fix CVE-2021-21334.
+
+-------------------------------------------------------------------
+Tue Feb  2 05:33:02 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to handle the docker-runc removal, and drop the -kubic flavour.
+  bsc#1181677 bsc#1181749
+
+-------------------------------------------------------------------
+Fri Jan 29 23:24:30 UTC 2021 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.4.3, which is needed for Docker v20.10.2-ce.
+  bsc#1181594
+- Install the containerd-shim* binaries and stop creating
+  docker-containerd-shim because that isn't used by Docker anymore.
+  bsc#1183024
+
+-------------------------------------------------------------------
+Mon Dec 21 06:53:15 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
+  fixes CVE-2020-15257. bsc#1178969 bsc#1180243
+
+-------------------------------------------------------------------
+Fri Sep 18 08:16:20 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
+  boo#1176708 bsc#1177598 CVE-2020-15157
+- Refresh patches:
+  * 0001-makefile-remove-emoji.patch
+
+-------------------------------------------------------------------
+Thu Jun 25 22:32:08 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Use Go 1.13 for build.
+
+-------------------------------------------------------------------
+Tue Jun  2 08:57:36 UTC 2020 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.2.13, which is required for Docker 19.03.11-ce.
+  bsc#1172377
+
+-------------------------------------------------------------------
+Tue Oct  8 23:35:36 UTC 2019 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.2.10, which is required for Docker 19.03.3-ce.
+  bsc#1153367 bsc#1157330
+
+-------------------------------------------------------------------
+Fri Jun 28 01:45:50 UTC 2019 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.2.6, which is required for Docker v18.09.7-ce.
+  bsc#1139649
+- Remove containerd-test (it's not useful for actual testing).
+
+-------------------------------------------------------------------
+Fri May  3 13:32:05 UTC 2019 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.2.5, which is required for v18.09.5-ce.
+  bsc#1128376 boo#1134068
+  https://github.com/containerd/containerd/releases/tag/v1.2.5
+
+-------------------------------------------------------------------
+Thu Mar 21 14:30:03 UTC 2019 - Sascha Grunert <[email protected]>
+
+- Update containerd to v1.2.4
+  * cri: Set /etc/hostname
+  * cri: Fix env performance issue
+  * runc updated to 6635b4f0c6af3810594d2770f662f34ddc15b40d to solve
+    bsc#1121967 CVE-2019-5736
+  * cri updated to da0c016c830b2ea97fd1d737c49a568a816bf964
+  * Windows: NewDirectIOFromFIFOSet
+  * Changelogs from previous versions also included in this update:
+      https://github.com/containerd/containerd/releases/tag/v1.2.3
+
+-------------------------------------------------------------------
+Tue Feb  5 11:16:46 UTC 2019 - Aleksa Sarai <[email protected]>
+
+- Update to containerd v1.2.2, which is required for Docker v18.09.1-ce.
+  bsc#1124308
+  * Fix rare deadlock on FIFO creation with timeout
+  * Fix a bug that a container can't be stopped or inspected when its
+    corresponding image is deleted
+  * Fix a bug that the cri plugin handles containerd events outside of
+    k8s.io namespace
+  more changes at:
+  https://github.com/containerd/containerd/releases/tag/v1.2.2
+  Changelogs from previous versions also included in this update:
+    https://github.com/containerd/containerd/releases/tag/v1.2.1
+    https://github.com/containerd/containerd/releases/tag/v1.2.0
+    https://github.com/containerd/containerd/releases/tag/v1.1.4
+    https://github.com/containerd/containerd/releases/tag/v1.1.3
+- Remove required_dockerrunc commit pinning, as it just lead to issues.
+- Remove upstreamed patches.
+  - 0001-docs-man-rename-config.toml-5-to-be-more-descriptive.patch
+
+-------------------------------------------------------------------
+Fri Jan 11 09:57:32 UTC 2019 - Sascha Grunert <[email protected]>
+
+- Disable leap based builds for kubic flavor. bsc#1121412
+
+-------------------------------------------------------------------
+Thu Dec 20 18:05:24 UTC 2018 - [email protected]
+
+- Update go requirements to >= go1.10 to fix
+  * bsc#1118897 CVE-2018-16873
+    go#29230 cmd/go: remote command execution during "go get -u"
+  * bsc#1118898 CVE-2018-16874
+    go#29231 cmd/go: directory traversal in "go get" via curly braces in 
import paths
+  * bsc#1118899 CVE-2018-16875
+    go#29233 crypto/x509: CPU denial of service
+
+-------------------------------------------------------------------
+Mon Nov  5 10:28:13 UTC 2018 - Aleksa Sarai <[email protected]>
+
+- Add backport of https://github.com/containerd/containerd/pull/2764, which is
+  required for us to build containerd on i586 SLE-12 (where /bin/sh doesn't
+  like emoji in shell scripts). bsc#1102522 bsc#1113313
+  + 0001-makefile-remove-emoji.patch
+
+-------------------------------------------------------------------
+Wed Aug 22 10:10:09 UTC 2018 - [email protected]
+
+- Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce.
+  bsc#1102522
+
+-------------------------------------------------------------------
+Thu Aug 16 02:00:31 UTC 2018 - [email protected]
+
+- Merge -kubic packages back into the main Virtualization:containers packages.
+  This is done using _multibuild to add a "kubic" flavour, which is then used
+  to conditionally compile patches and other kubic-specific features.
+  bsc#1105000
+
+-------------------------------------------------------------------
+Wed Aug  1 09:40:59 UTC 2018 - [email protected]
+
+- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage
+  to work with Docker and containerd. fate#325877
+
+-------------------------------------------------------------------
+Wed Jul 25 08:54:33 UTC 2018 - [email protected]
+
+- Update to containerd v1.1.1, which is the required version for the Docker
+  v18.06.0-ce upgrade. bsc#1102522
+- Add backport of https://github.com/containerd/containerd/pull/2534 to make
+  the man page no longer pollute the global namespace.
+  + 0001-docs-man-rename-config.toml-5-to-be-more-descriptive.patch
+- Remove the following patch since it has already been merged upstream.
+  - bsc1065109-0001-makefile-add-support-for-build_flags.patch
+- Remove systemd-related files and add docker-containerd-* symlinks; this
+  aligns with the upstream defaults where dockerd will execute
+  docker-containerd. Version upgrades of docker are expected to work more
+  smoothly as much of the upgrade logic is implemented in dockerd.
+- Add containerd-rpmlintrc (or containerd-kubic-rpmlintrc) to deal with
+  /usr/src/containerd/* rpmlint errors (which don't affect normal users of this
+  package).
+
+-------------------------------------------------------------------
+Wed Jun 13 10:15:51 UTC 2018 - [email protected]
+
+- Make use of %license macro
+
+-------------------------------------------------------------------
+Tue Jun  5 06:38:40 UTC 2018 - [email protected]
+
+- Remove 'go test' from %check section, as it has only ever caused us problems
+  and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
+  testing has been far more useful. boo#1095817
+
+-------------------------------------------------------------------
+Wed May 16 10:10:10 UTC 2018 - [email protected]
+
+- Review obsoletes tag to fix bsc#1080978
+
+-------------------------------------------------------------------
+Thu Apr 12 12:48:16 UTC 2018 - [email protected]
+
+- Put containerd under the podruntime slice. This the recommended
+  deployment to allow fine resource control on Kubernetes.
+  bsc#1086185
++++ 292 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:Leap:15.2:Update/.containerd.16723.new.1899/containerd.changes

New:
----
  _service
  bsc1188282-use-chmod-path-for-checking-symlink.patch
  containerd-1.4.4_05f951a3781f.tar.xz
  containerd-rpmlintrc
  containerd.changes
  containerd.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ containerd.spec ++++++
#
# spec file for package containerd
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# nodebuginfo


# Compatibility shim: define _fillupdir on distributions that predate the
# macro (introduced in Nov 2017).
%if ! %{defined _fillupdir}
  %define _fillupdir /var/adm/fillup-templates
%endif

# MANUAL: Update the git_version.
# git_version is the full upstream commit hash and git_short its 12-character
# prefix. git_short is part of the Source tarball name; git_version is exported
# through the "-git" Provides below and handed to make as REVISION in the build
# section.
# NOTE(review): the _service file fetches by tag name (v1.4.4), not by this
# hash -- confirm the tag still resolves to this commit whenever the tarball is
# regenerated.
%define git_version 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
%define git_short   05f951a3781f

Name:           containerd
Version:        1.4.4
Release:        0
Summary:        Standalone OCI Container Daemon
License:        Apache-2.0
Group:          System/Management
URL:            https://containerd.tools
Source:         %{name}-%{version}_%{git_short}.tar.xz
Source1:        %{name}-rpmlintrc
# FIX-UPSTREAM: Fix for GHSA-c72p-9xmj-rx3w. bsc#1188282
# (The package changelog records the same fix as CVE-2021-32760.)
Patch1:         bsc1188282-use-chmod-path-for-checking-symlink.patch
BuildRequires:  fdupes
# NOTE(review): presumably needed because containerd-shim is linked statically
# (the rpmlintrc filters a statically-linked-binary warning for it) -- confirm.
BuildRequires:  glibc-devel-static
BuildRequires:  go-go-md2man
BuildRequires:  libbtrfs-devel >= 3.8
BuildRequires:  libseccomp-devel >= 2.2
BuildRequires:  pkg-config
# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
# for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608
BuildRequires:  go1.13
# We provide a git revision so that Docker can require it properly.
Provides:       %{name}-git = %{git_version}
# Currently runc is the only supported runtime for containerd. We pin the same
# flavour as us, to avoid mixing (the version pinning is done by docker.spec).
# NOTE(review): there is no version constraint on runc in this spec, so an
# install that does not go through docker.spec accepts any runc build --
# confirm that is intended.
Requires:       runc
Requires(post): %fillup_prereq
# KUBIC-SPECIFIC: There used to be a kubic-specific containerd package, but now
#                 it's been merged into the one package. bsc#1181677
Obsoletes:      %{name}-kubic < %{version}
Provides:       %{name}-kubic = %{version}
# Obsolete the old 0.2.5 git-snapshot package names.
Obsoletes:      %{name} = 0.2.5+gitr569_2a5e70c
Obsoletes:      %{name}_2a5e70c
ExcludeArch:    s390

%description
Containerd is a daemon with an API and a command line client, to manage
containers on one machine. It uses runC to run containers according to the OCI
specification. Containerd has advanced features such as seccomp and user
namespace support as well as checkpoint and restore for cloning and live
migration of containers.

# Subpackage carrying only the command line client; it requires the daemon
# package at exactly the same version.
%package ctr
Summary:        Client for %{name}
Group:          System/Management
Requires:       %{name} = %{version}
# KUBIC-SPECIFIC: There used to be a kubic-specific containerd package, but now
#                 it's been merged into the one package.
# NOTE(review): the main package obsoletes its -kubic twin with "<" and also
# Provides it, while this subpackage uses "<=" and has no matching Provides --
# confirm the difference is deliberate.
Obsoletes:      %{name}-ctr = 0.2.5+gitr569_2a5e70c
Obsoletes:      %{name}-ctr-kubic <= %{version}
Obsoletes:      %{name}-ctr_2a5e70c

%description ctr
Standalone client for containerd, which allows management of containerd
containers separately from Docker.

%prep
# Unpack the upstream tarball quietly; -n names the directory it is expected to
# unpack into, which includes the short git hash.
%setup -q -n %{name}-%{version}_%{git_short}
# GHSA-c72p-9xmj-rx3w bsc#1188282
# Applies Patch1 (the symlink check fix for the archive code) with one leading
# path component stripped.
%patch1 -p1

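%build
# NOTE: containerd will switch to go.mod in 1.5.x so this can be removed after
#       we update to that version.

# Build from a real copy of the tree inside GOPATH. Do not use symlinks: if the
# unit tests are ever run during the build and need "go list", it gets confused
# by symlinked source directories.
export GOPATH="$HOME/go"
export PROJECT="$GOPATH/src/github.com/containerd/containerd"
mkdir -p "$PROJECT"
# Quote every expansion so a build home containing whitespace stays one word,
# and let ${PROJECT:?} abort rather than expand to "/*" if it is ever empty.
rm -rf "${PROJECT:?}"/*
cp -ar * "$PROJECT"

# Build tags handed to the upstream Makefile; VERSION and REVISION carry the
# package version and the pinned upstream commit hash.
BUILDTAGS="apparmor selinux seccomp"
make -C "$PROJECT" \
        BUILDTAGS="$BUILDTAGS" \
        VERSION="v%{version}" \
        REVISION="%{git_version}"
# TODO: Fix man-page generation.
#make man

# Bring the built binaries back into the build directory for the install step.
cp -r "$PROJECT/bin" bin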

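%install
# Install binaries.
pushd bin/
for bin in containerd{,-shim*}
do
        install -D -m755 "$bin" "%{buildroot}/%{_sbindir}/$bin"
done
# "ctr" is a bit too generic.
install -D -m755 ctr "%{buildroot}/%{_sbindir}/%{name}-ctr"
popd

# Set up dummy configuration.
install -d -m755 "%{buildroot}/%{_sysconfdir}/%{name}"
# The redirection must stay on the echo line: on a line of its own it would
# create an empty config.toml and send the text to the build log instead.
echo "# See containerd-config.toml(5) for documentation." > "%{buildroot}/%{_sysconfdir}/%{name}/config.toml"

# Man pages.
# TODO: Fix man page generation.
# Each disabled command is kept on a single commented line so that no fragment
# of it is left behind as a live shell command.
#for file in man/*
#do
#       section="${file##*.}"
#       install -D -m644 "$file" "%{buildroot}/%{_mandir}/man$section/$(basename "$file")"
#done
#ln -s ctr.1 %{buildroot}/%{_mandir}/man1/%{name}-ctr.1

%fdupes %{buildroot}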

# File list of the main (daemon) package.
%files
# Everything listed is owned by root:root; file modes are taken as installed.
%defattr(-,root,root)
%doc README.md
%license LICENSE
%dir %{_sysconfdir}/%{name}
# NOTE(review): this is a plain config entry, not config(noreplace). If a later
# package version ships different contents, RPM installs the new file and moves
# a locally edited config.toml aside as .rpmsave -- confirm that is intended for
# a daemon configuration file.
%config %{_sysconfdir}/%{name}/config.toml
%{_sbindir}/containerd
%{_sbindir}/containerd-shim*
# TODO: Fix man page generation.
#%{_mandir}/man*/%{name}*
#%exclude %{_mandir}/man1/*ctr.1*

# File list of the ctr subpackage: only the client binary, which the install
# section renames from "ctr" to containerd-ctr.
%files ctr
%{_sbindir}/containerd-ctr
# TODO: Fix man page generation.
#%{_mandir}/man1/*ctr.1*

%changelog
++++++ _service ++++++
<services>
  <!-- Fetches the upstream sources from git and packs them as a tar archive.
       Both services are in mode "disabled"; presumably they are only run by
       hand when the tarball is refreshed (confirm against the OBS setup). -->
  <service name="tar_scm" mode="disabled">
    <param name="url">https://github.com/containerd/containerd.git</param>
    <param name="scm">git</param>
    <param name="filename">containerd</param>
    <!-- %h appends the abbreviated commit hash, giving the 1.4.4_05f951a3781f
         suffix seen in the packaged tarball name. -->
    <param name="versionformat">1.4.4_%h</param>
    <!-- NOTE(review): this is a tag name, not a commit hash. The spec file
         pins the full hash in git_version; check that the fetched commit
         matches it each time the tarball is regenerated. -->
    <param name="revision">v1.4.4</param>
    <param name="exclude">.git</param>
  </service>
  <!-- Compresses the generated tar archive with xz. -->
  <service name="recompress" mode="disabled">
    <param name="file">*.tar</param>
    <param name="compression">xz</param>
  </service>
</services>
++++++ bsc1188282-use-chmod-path-for-checking-symlink.patch ++++++
>From 45e9ebe3c91b258ad7489baaea3a1f6e0b42ceb4 Mon Sep 17 00:00:00 2001
From: Derek McGowan <[email protected]>
Date: Tue, 6 Jul 2021 12:37:54 -0700
Subject: [PATCH] [release/1.4] Use chmod path for checking symlink

Signed-off-by: Derek McGowan <[email protected]>
---
 archive/tar_test.go | 35 +++++++++++++++++++++++++++++++++++
 archive/tar_unix.go |  2 +-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/archive/tar_test.go b/archive/tar_test.go
index 568f5a95f..8ffd3f221 100644
--- a/archive/tar_test.go
+++ b/archive/tar_test.go
@@ -243,6 +243,11 @@ func TestBreakouts(t *testing.T) {
                return nil
        }
        errFileDiff := errors.New("files differ")
+       td, err := ioutil.TempDir("", "test-breakouts-")
+       if err != nil {
+               t.Fatal(err)
+       }
+       defer os.RemoveAll(td)
 
        isSymlinkFile := func(f string) func(string) error {
                return func(root string) error {
@@ -744,6 +749,36 @@ func TestBreakouts(t *testing.T) {
                        // resolution ends up just removing etc
                        validator: fileNotExists("etc/passwd"),
                },
+               {
+
+                       name: "HardlinkSymlinkChmod",
+                       w: func() tartest.WriterToTar {
+                               p := filepath.Join(td, "perm400")
+                               if err := ioutil.WriteFile(p, []byte("..."), 
0400); err != nil {
+                                       t.Fatal(err)
+                               }
+                               ep := filepath.Join(td, 
"also-exists-outside-root")
+                               if err := ioutil.WriteFile(ep, []byte("..."), 
0640); err != nil {
+                                       t.Fatal(err)
+                               }
+
+                               return tartest.TarAll(
+                                       tc.Symlink(p, ep),
+                                       tc.Link(ep, "sketchylink"),
+                               )
+                       }(),
+                       validator: func(string) error {
+                               p := filepath.Join(td, "perm400")
+                               fi, err := os.Lstat(p)
+                               if err != nil {
+                                       return err
+                               }
+                               if perm := fi.Mode() & os.ModePerm; perm != 
0400 {
+                                       return errors.Errorf("%s perm changed 
from 0400 to %04o", p, perm)
+                               }
+                               return nil
+                       },
+               },
        }
 
        for _, bo := range breakouts {
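Review bot: The new `HardlinkSymlinkChmod` case carries no comment saying what it guards against, so a reader has to reconstruct the scenario from the two tar entries and a validator that only looks at `perm400`. I would add, above `name:`, `// A hardlink to a symlink created by the same archive must not chmod the symlink's target outside the unpack root (CVE-2021-32760).` The validator also ignores its `root` argument; a short comment that this is deliberate, because the file under test lives in `td` rather than under the root, would help. The blank line after the opening `{` of the case is stray. TestBreakouts starts and ends outside this hunk.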
diff --git a/archive/tar_unix.go b/archive/tar_unix.go
index 6e89d2fdb..c22e79bf2 100644
--- a/archive/tar_unix.go
+++ b/archive/tar_unix.go
@@ -113,7 +113,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path 
string) error {
 
 func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
        if hdr.Typeflag == tar.TypeLink {
-               if fi, err := os.Lstat(hdr.Linkname); err == nil && 
(fi.Mode()&os.ModeSymlink == 0) {
+               if fi, err := os.Lstat(path); err == nil && 
(fi.Mode()&os.ModeSymlink == 0) {
                        if err := os.Chmod(path, hdrInfo.Mode()); err != nil && 
!os.IsNotExist(err) {
                                return err
                        }
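Review bot: The `os.Lstat(path)` check and the `os.Chmod(path, ...)` that follows are two separate path lookups, and `os.Chmod` follows symlinks, so the guard only holds if nothing can replace `path` between the two calls. Presumably the unpack directory is private to the caller, but that assumption deserves a comment here. Nothing at the call site records why the check must be on `path` rather than `hdr.Linkname`, which is how the earlier code went wrong; a comment such as `// Lstat the extracted path, not hdr.Linkname: the header value comes from the archive and is not resolved under the unpack root.` would keep it from regressing. Any Lstat error also skips the chmod silently, which looks intended but is undocumented. The rest of handleLChmod lies outside the hunk.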
-- 
2.32.0

++++++ containerd-rpmlintrc ++++++
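# Each filter pattern must sit on one physical line: a string literal broken
# across lines does not parse, and the filter would never be registered.

# Suppress rpmlint's statically-linked-binary warning for containerd-shim.
addFilter("^containerd(-kubic)?.*: W: statically-linked-binary /usr/sbin/containerd-shim")

# Suppress source-tree warnings/errors under /usr/src/containerd for the -test
# package.
# NOTE(review): the package changelog says containerd-test was removed, so this
# filter may no longer match anything -- confirm before keeping it.
addFilter("^containerd(-kubic)?-test.noarch: [WE]: (hidden-file-or-dir|script-without-shebang|devel-file-in-non-devel-package|env-script-interpreter).* /usr/src/containerd/.*")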
