rpms
/
bubblewrap
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
...
pull from: rpms:c8
Branches Tags
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'c8' have entirely different histories.
c9 ... c8

5 changed files with 30 additions and 100 deletions
Show Stats

2
.bubblewrap.metadata
Unescape View File

@ -1 +1 @@
00e121950ea494fcd9cfbe23971c0938d6be6755 SOURCES/bubblewrap-0.4.1.tar.xz f62f7900c32a5fec4e53a929eae5a9fd16bb3536 SOURCES/bubblewrap-0.4.0.tar.xz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/bubblewrap-0.4.1.tar.xz SOURCES/bubblewrap-0.4.0.tar.xz

34
SOURCES/0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch → SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
Unescape View File

@ -1,8 +1,7 @@
From 10e62a964d465884b972571b258042493259b00b Mon Sep 17 00:00:00 2001 From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com> From: Alexander Larsson <alexl@redhat.com>
Date: Tue, 18 Jun 2024 10:20:36 +0200 Date: Tue, 18 Jun 2024 10:20:36 +0200
Subject: [PATCH] [0.4.0] Add --bind-fd and --ro-bind-fd to let you bind a Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
O_PATH fd.
This is useful for example if you for some reason don't have the real This is useful for example if you for some reason don't have the real
path. It is also a way to make bind-mounts race-free (i.e. to have the path. It is also a way to make bind-mounts race-free (i.e. to have the
@ -16,17 +15,17 @@ permitted, but at least we can delay resolving the fd to a path as much as
possible, and then validate after mount that we actually mounted the right possible, and then validate after mount that we actually mounted the right
thing. thing.
[@kolyshkin: backport commit a253257cd298892 to v0.4.0]
Signed-off-by: Alexander Larsson <alexl@redhat.com> Signed-off-by: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
[kalev: Backport to 0.4.x]
Signed-off-by: Kalev Lember <klember@redhat.com>
--- ---
bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
tests/test-run.sh | 5 +++++ tests/test-run.sh | 7 ++++++-
2 files changed, 55 insertions(+) 2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/bubblewrap.c b/bubblewrap.c diff --git a/bubblewrap.c b/bubblewrap.c
index 8d0c5f7..209c1a5 100644 index b3d52bc..38b3646 100644
--- a/bubblewrap.c --- a/bubblewrap.c
+++ b/bubblewrap.c +++ b/bubblewrap.c
@@ -250,6 +250,8 @@ usage (int ecode, FILE *out) @@ -250,6 +250,8 @@ usage (int ecode, FILE *out)
@ -38,7 +37,7 @@ index 8d0c5f7..209c1a5 100644
" --remount-ro DEST Remount DEST as readonly; does not recursively remount\n" " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
" --exec-label LABEL Exec label for the sandbox\n" " --exec-label LABEL Exec label for the sandbox\n"
" --file-label LABEL File label for temporary sandbox content\n" " --file-label LABEL File label for temporary sandbox content\n"
@@ -1106,6 +1108,30 @@ setup_newroot (bool unshare_pid, @@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid,
(op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) | (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
(op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0), (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
source, dest); source, dest);
@ -69,7 +68,7 @@ index 8d0c5f7..209c1a5 100644
break; break;
case SETUP_REMOUNT_RO_NO_RECURSIVE: case SETUP_REMOUNT_RO_NO_RECURSIVE:
@@ -1643,6 +1669,30 @@ parse_args_recurse (int *argcp, @@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp,
if (strcmp(arg, "--dev-bind-try") == 0) if (strcmp(arg, "--dev-bind-try") == 0)
op->flags = ALLOW_NOTEXIST; op->flags = ALLOW_NOTEXIST;
@ -101,10 +100,19 @@ index 8d0c5f7..209c1a5 100644
argc -= 2; argc -= 2;
} }
diff --git a/tests/test-run.sh b/tests/test-run.sh diff --git a/tests/test-run.sh b/tests/test-run.sh
index a01f41c..345db46 100755 index 702c480..ce1eaf6 100755
--- a/tests/test-run.sh --- a/tests/test-run.sh
+++ b/tests/test-run.sh +++ b/tests/test-run.sh
@@ -375,5 +375,10 @@ else @@ -80,7 +80,7 @@ if ! $RUN true; then
skip Seems like bwrap is not working at all. Maybe setuid is not working
fi
-echo "1..49"
+echo "1..50"
# Test help
${BWRAP} --help > help.txt
@@ -382,5 +382,10 @@ else
echo "ok - Test --pidns" echo "ok - Test --pidns"
fi fi

39
SOURCES/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
Unescape View File

@ -1,39 +0,0 @@
From d70c640aecc30e9216dc1a614a207e85c8732036 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 27 May 2021 16:19:27 -0400
Subject: [PATCH] Avoid memory leak if --args is specified multiple times
Found by a static analyzer.
```
bubblewrap-0.4.1/bubblewrap.c:1500: overwrite_var: Overwriting "opt_args_data" in "opt_args_data = load_file_data(the_fd, &data_len)" leaks the storage that "opt_args_data" points to.
# 1498| * keep allocated until exit time, since its argv entries get used
# 1499| * by the other cases in parse_args_recurse() when we recurse. */
# 1500|-> opt_args_data = load_file_data (the_fd, &data_len);
# 1501| if (opt_args_data == NULL)
# 1502| die_with_error ("Can't read --args data");
```
---
bubblewrap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/bubblewrap.c b/bubblewrap.c
index 771e1ea..56ac07c 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -1494,6 +1494,12 @@ parse_args_recurse (int *argcp,
if (argv[1][0] == 0 || endptr[0] != 0 || the_fd < 0)
die ("Invalid fd: %s", argv[1]);
+ /* Specifying --args multiple times doesn't work; this just pacifies
+ * a static analyzer which pointed out the memory leak
+ */
+ if (opt_args_data != NULL)
+ free (opt_args_data);
+
/* opt_args_data is essentially a recursive argv array, which we must
* keep allocated until exit time, since its argv entries get used
* by the other cases in parse_args_recurse() when we recurse. */
--
2.31.1

53
SPECS/bubblewrap.spec
Unescape View File

@ -1,14 +1,13 @@
Name: bubblewrap Name: bubblewrap
Version: 0.4.1 Version: 0.4.0
Release: 7%{?dist} Release: 2%{?dist}
Summary: Core execution tool for unprivileged containers Summary: Core execution tool for unprivileged containers
License: LGPLv2+ License: LGPLv2+
#VCS: git:https://github.com/projectatomic/bubblewrap #VCS: git:https://github.com/projectatomic/bubblewrap
URL: https://github.com/projectatomic/bubblewrap URL: https://github.com/projectatomic/bubblewrap
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch Patch0: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
Patch1: 0001-0.4.0-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O.patch
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: gcc BuildRequires: gcc
@ -16,7 +15,6 @@ BuildRequires: libcap-devel
BuildRequires: pkgconfig(libselinux) BuildRequires: pkgconfig(libselinux)
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: make
%description %description
Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
@ -48,48 +46,11 @@ find %{buildroot} -name '*.la' -delete -print
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Wed Aug 28 2024 Kir Kolyshkin <kolyshkin@gmail.com> - 0.4.1-7 * Fri Aug 30 2024 Kalev Lember <klember@redhat.com> - 0.4.0-2
- Add support for --bind-fd and --ro-bind-fd (CVE-2024-42472) - Backport upstream fix to help address CVE-2024-42472 in flatpak
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.1-6 * Thu Jan 09 2020 David King <dking@redhat.com> - 0.4.0-1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebase to 0.4.0 (#1788067)
Related: rhbz#1991688
* Thu May 27 2021 Colin Walters <walters@verbum.org> - 0.4.1-5
- Backport https://github.com/containers/bubblewrap/pull/426
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.1-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Mar 30 2020 David King <amigadave@amigadave.com> - 0.4.1-1
- Update to 0.4.1
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 27 2019 Kalev Lember <klember@redhat.com> - 0.4.0-1
- Update to 0.4.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed May 01 2019 Colin Walters <walters@redhat.com> - 0.3.3-2
- New upstream release
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Oct 01 2018 Kalev Lember <klember@redhat.com> - 0.3.1-1
- Update to 0.3.1
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 11 2018 Colin Walters <walters@verbum.org> - 0.3.0-1 * Wed Jul 11 2018 Colin Walters <walters@verbum.org> - 0.3.0-1
- https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.0 - https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.0

Write Preview
Loading…
Cancel
Save