import bubblewrap-0.4.1-8.el9_5

3 months ago · b863c62736
parent 5020c2ea59
commit b863c62736
3 changed files with 55 additions and 17 deletions
--- a/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
+++ b/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
@ -0,0 +1,26 @@
 From 4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?J=C3=BCrg=20Billeter?= <j@bitron.ch>
 Date: Tue, 18 Aug 2020 17:33:49 +0200
 Subject: [PATCH] Accept EROFS for access() check of /proc entries
 This is required to work in a Docker container.
 ---
 bubblewrap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/bubblewrap.c b/bubblewrap.c
 index e1a4629..d65ffef 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
@@ -1148,7 +1148,7 @@ setup_newroot (bool unshare_pid,
               if (access (subdir, W_OK) < 0)
                 {
                   /* The file is already read-only or doesn't exist.  */
 -                  if (errno == EACCES || errno == ENOENT)
 +                  if (errno == EACCES || errno == ENOENT || errno == EROFS)
                     continue;
                   die_with_error ("Can't access %s", subdir);
 -- 
 2.44.0
--- a/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
+++ b/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
@ -1,8 +1,7 @@
-From 10e62a964d465884b972571b258042493259b00b Mon Sep 17 00:00:00 2001
+From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001
 From: Alexander Larsson <alexl@redhat.com>
 Date: Tue, 18 Jun 2024 10:20:36 +0200
-Subject: [PATCH] [0.4.0] Add --bind-fd and --ro-bind-fd to let you bind a
+Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
 O_PATH fd.
 This is useful for example if you for some reason don't have the real
 path. It is also a way to make bind-mounts race-free (i.e. to have the
@ -16,17 +15,17 @@ permitted, but at least we can delay resolving the fd to a path as much as
 possible, and then validate after mount that we actually mounted the right
 thing.
 [@kolyshkin: backport commit a253257cd298892 to v0.4.0]
 Signed-off-by: Alexander Larsson <alexl@redhat.com>
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
 [kalev: Backport to 0.4.x]
 Signed-off-by: Kalev Lember <klember@redhat.com>
 ---
 bubblewrap.c      | 50 +++++++++++++++++++++++++++++++++++++++++++++++
- tests/test-run.sh |  5 +++++
+ tests/test-run.sh |  7 ++++++-
- 2 files changed, 55 insertions(+)
+ 2 files changed, 56 insertions(+), 1 deletion(-)
 diff --git a/bubblewrap.c b/bubblewrap.c
-index 8d0c5f7..209c1a5 100644
+index b3d52bc..38b3646 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
@@ -250,6 +250,8 @@ usage (int ecode, FILE *out)
@ -38,7 +37,7 @@ index 8d0c5f7..209c1a5 100644
            "    --remount-ro DEST            Remount DEST as readonly; does not recursively remount\n"
            "    --exec-label LABEL           Exec label for the sandbox\n"
            "    --file-label LABEL           File label for temporary sandbox content\n"
-@@ -1106,6 +1108,30 @@ setup_newroot (bool unshare_pid,
+@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid,
                          (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
                          (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
                          source, dest);
@ -69,7 +68,7 @@ index 8d0c5f7..209c1a5 100644
           break;
         case SETUP_REMOUNT_RO_NO_RECURSIVE:
-@@ -1643,6 +1669,30 @@ parse_args_recurse (int          *argcp,
+@@ -1648,6 +1674,30 @@ parse_args_recurse (int          *argcp,
           if (strcmp(arg, "--dev-bind-try") == 0)
             op->flags = ALLOW_NOTEXIST;
@ -101,10 +100,19 @@ index 8d0c5f7..209c1a5 100644
           argc -= 2;
         }
 diff --git a/tests/test-run.sh b/tests/test-run.sh
-index a01f41c..345db46 100755
+index 702c480..ce1eaf6 100755
 --- a/tests/test-run.sh
 +++ b/tests/test-run.sh
-@@ -375,5 +375,10 @@ else
+@@ -80,7 +80,7 @@ if ! $RUN true; then
     skip Seems like bwrap is not working at all. Maybe setuid is not working
 fi
 -echo "1..49"
 +echo "1..50"
 # Test help
 ${BWRAP} --help > help.txt
@@ -382,5 +382,10 @@ else
     echo "ok - Test --pidns"
 fi
--- a/SPECS/bubblewrap.spec
+++ b/SPECS/bubblewrap.spec
@ -1,6 +1,6 @@
 Name: bubblewrap
 Version: 0.4.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Core execution tool for unprivileged containers
 License: LGPLv2+
@ -8,7 +8,8 @@ License: LGPLv2+
 URL: https://github.com/projectatomic/bubblewrap
 Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
 Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
-Patch1: 0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch
+Patch1: 0001-Accept-EROFS-for-access-check-of-proc-entries.patch
 Patch2: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
 BuildRequires: autoconf automake libtool
 BuildRequires: gcc
@ -48,8 +49,11 @@ find %{buildroot} -name '*.la' -delete -print
 %{_mandir}/man1/*
 %changelog
-* Wed Aug 28 2024 Kir Kolyshkin <kolyshkin@gmail.com> - 0.4.1-7
+* Fri Aug 30 2024 Kalev Lember <klember@redhat.com> - 0.4.1-8
- Add support for --bind-fd and --ro-bind-fd (CVE-2024-42472)
+- Backport upstream fix to help address CVE-2024-42472 in flatpak
 * Fri Mar 15 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 0.4.1-7
 - Backport https://github.com/containers/bubblewrap/commit/4c35d7a5f92499d6ed646d4a5ffad9acc10cb432
 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 0.4.1-6
 - Rebuilt for MSVSphere 9.1.