commit 21f1e3e3e44e19f99a3550edf00accfc6a2dc0fa
Author: CentOS Sources
Date: Tue Nov 8 01:33:44 2022 -0500
import conmon-2.0.26-3.module+el8.7.0+16212+65e1b35f
diff --git a/.conmon.metadata b/.conmon.metadata
new file mode 100644
index 0000000..10f3003
--- /dev/null
+++ b/.conmon.metadata
@@ -0,0 +1 @@
+ed12565698e4906511465d51df9914ea601e2c27 SOURCES/v2.0.26.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..54dac9c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/v2.0.26.tar.gz
diff --git a/SOURCES/CVE-2022-1708.patch b/SOURCES/CVE-2022-1708.patch
new file mode 100644
index 0000000..c8757e3
--- /dev/null
+++ b/SOURCES/CVE-2022-1708.patch
@@ -0,0 +1,93 @@
+diff --git a/src/cli.c b/src/cli.c
+index 8e788f9..5761dde 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -38,6 +38,7 @@ gchar **opt_log_path = NULL;
+ char *opt_exit_dir = NULL;
+ int opt_timeout = 0;
+ int64_t opt_log_size_max = -1;
++int64_t opt_log_global_size_max = -1;
+ char *opt_socket_path = DEFAULT_SOCKET_PATH;
+ gboolean opt_no_new_keyring = FALSE;
+ char *opt_exit_command = NULL;
+@@ -70,6 +71,7 @@ GOptionEntry opt_entries[] = {
+ {"log-level", 0, 0, G_OPTION_ARG_STRING, &opt_log_level, "Print debug logs based on log level", NULL},
+ {"log-path", 'l', 0, G_OPTION_ARG_STRING_ARRAY, &opt_log_path, "Log file path", NULL},
+ {"log-size-max", 0, 0, G_OPTION_ARG_INT64, &opt_log_size_max, "Maximum size of log file", NULL},
++ {"log-global-size-max", 0, 0, G_OPTION_ARG_INT64, &opt_log_global_size_max, "Maximum size of all log files", NULL},
+ {"log-tag", 0, 0, G_OPTION_ARG_STRING, &opt_log_tag, "Additional tag to use for logging", NULL},
+ {"name", 'n', 0, G_OPTION_ARG_STRING, &opt_name, "Container name", NULL},
+ {"no-new-keyring", 0, 0, G_OPTION_ARG_NONE, &opt_no_new_keyring, "Do not create a new session keyring for the container", NULL},
+@@ -180,5 +182,5 @@ void process_cli()
+ if (opt_container_pid_file == NULL)
+ opt_container_pid_file = g_strdup_printf("%s/pidfile-%s", cwd, opt_cid);
+ 
+- configure_log_drivers(opt_log_path, opt_log_size_max, opt_cid, opt_name, opt_log_tag);
++ configure_log_drivers(opt_log_path, opt_log_size_max, opt_log_global_size_max, opt_cid, opt_name, opt_log_tag);
+ }
+diff --git a/src/ctr_logging.c b/src/ctr_logging.c
+index c3fd5d2..8581783 100644
+--- a/src/ctr_logging.c
++++ b/src/ctr_logging.c
+@@ -32,6 +32,9 @@ static const char *const JOURNALD_FILE_STRING = "journald";
+ /* Max log size for any log file types */
+ static int64_t log_size_max = -1;
+ 
++/* Max total log size for any log file types */
++static int64_t log_global_size_max = -1;
++
+ /* k8s log file parameters */
+ static int k8s_log_fd = -1;
+ 
static char *k8s_log_path = NULL;
+@@ -77,9 +80,10 @@ static void reopen_k8s_file(void);
+ * (currently just k8s log file), it will also open the log_fd for that specific
+ * log file.
+ */
+-void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, char *cuuid_, char *name_, char *tag)
++void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, int64_t log_global_size_max_, char *cuuid_, char *name_, char *tag)
+ {
+ log_size_max = log_size_max_;
++ log_global_size_max = log_global_size_max_;
+ if (log_drivers == NULL)
+ nexit("Log driver not provided. Use --log-path");
+ for (int driver = 0; log_drivers[driver]; ++driver) {
+@@ -284,6 +288,7 @@ static int write_k8s_log(stdpipe_t pipe, const char *buf, ssize_t buflen)
+ writev_buffer_t bufv = {0};
+ static int64_t bytes_written = 0;
+ int64_t bytes_to_be_written = 0;
++ static int64_t total_bytes_written = 0;
+ 
+ /*
+ * Use the same timestamp for every line of the log in this buffer.
+@@ -307,6 +312,10 @@ static int write_k8s_log(stdpipe_t pipe, const char *buf, ssize_t buflen)
+ bytes_to_be_written += 1;
+ }
+ 
++ /* If the caller specified a global max, enforce it before writing */
++ if (log_global_size_max > 0 && total_bytes_written >= log_global_size_max)
++ break;
++
+ /*
+ * We re-open the log file if writing out the bytes will exceed the max
+ * log size. We also reset the state so that the new file is started with
+@@ -360,6 +369,7 @@ static int write_k8s_log(stdpipe_t pipe, const char *buf, ssize_t buflen)
+ }
+ 
+ bytes_written += bytes_to_be_written;
++ total_bytes_written += bytes_to_be_written;
+ next:
+ /* Update the head of the buffer remaining to output.
 */
+ buf += line_len;
+diff --git a/src/ctr_logging.h b/src/ctr_logging.h
+index 1b63cd7..9b1f693 100644
+--- a/src/ctr_logging.h
++++ b/src/ctr_logging.h
+@@ -7,7 +7,7 @@
+ 
+ void reopen_log_files(void);
+ bool write_to_logs(stdpipe_t pipe, char *buf, ssize_t num_read);
+-void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, char *cuuid_, char *name_, char *tag);
++void configure_log_drivers(gchar **log_drivers, int64_t log_size_max_, int64_t log_global_size_max_, char *cuuid_, char *name_, char *tag);
+ void sync_logs(void);
+ 
+ #endif /* !defined(CTR_LOGGING_H) */
diff --git a/SPECS/conmon.spec b/SPECS/conmon.spec
new file mode 100644
index 0000000..b3417b8
--- /dev/null
+++ b/SPECS/conmon.spec
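Review bot: In the `@@ -307,6 +312,10 @@` hunk of src/ctr_logging.c the global cap is compared only against bytes already written, so the line currently being prepared is not counted and the total can overshoot `log_global_size_max` by up to one line before the loop breaks; if a hard ceiling is intended, the guard should be `if (log_global_size_max > 0 && total_bytes_written + bytes_to_be_written > log_global_size_max) break;`, and if a small overshoot is acceptable that should be said in the comment above it. The `break` also discards the rest of the buffer silently, and because `total_bytes_written` is a function-static that is never reset, writing presumably stays off for the rest of the process even after `reopen_log_files` reopens the file — that looks deliberate for a size cap, but deserves a comment next to the declaration such as `/* never reset: the cap applies to the whole conmon lifetime, not per log file (reopen does not clear it) */`. `write_k8s_log` begins and ends outside the hunk, so whether the caller learns that output was dropped cannot be checked here; a one-time warning through the file's existing logging helper when the cap is first hit would let operators distinguish a capped log from a quiet container.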
@@ -0,0 +1,163 @@
+%global with_check 0
+
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+
+# https://github.com/containers/conmon
+%global import_path github.com/containers/%{name}
+%global git0 https://%{import_path}
+
+Name: conmon
+Epoch: 2
+Version: 2.0.26
+Release: 3%{?dist}
+Summary: OCI container runtime monitor
+License: ASL 2.0
+URL: %{git0}
+Source0: %{git0}/archive/v%{version}.tar.gz
+Patch0: CVE-2022-1708.patch
+# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
+#ExclusiveArch: %%{go_arches}
+# still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1905383
+ExcludeArch: %{ix86}
+BuildRequires: gcc
+BuildRequires: git
+BuildRequires: glib2-devel
+BuildRequires: systemd-devel
+BuildRequires: golang >= 1.12.12-4
+BuildRequires: go-md2man
+
+%description
+%{summary}.
+
+%prep
+%autosetup -Sgit
+
+%build
+export CFLAGS="%{optflags} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+%{__make} all
+
+%install
+%{__make} PREFIX=%{buildroot}%{_prefix} install
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man8/*
+
+%changelog
+* Thu Jul 14 2022 Jindrich Novy - 2:2.0.26-3
+- amend CVE-2022-1708
+- Related: #2093390
+
+* Mon Jun 06 2022 Jindrich Novy - 2:2.0.26-2
+- fix CVE-2022-1708 - thanks to Peter Hunt
+- Related: #2061390
+
+* Thu Feb 04 2021 Jindrich Novy - 2:2.0.26-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.26
+- Related: #1883490
+
+* Thu Jan 21 2021 Jindrich Novy - 2:2.0.25-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.25
+- Related: #1883490
+
+* Fri Jan 15 2021 Jindrich Novy - 2:2.0.24-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.24
+- Related: #1883490
+
+* Mon Jan 04 2021 Jindrich 
Novy - 2:2.0.22-3
+- exclude i686 as golang is not suppoerted there
+- Related: #1883490
+
+* Sat Dec 26 2020 Jindrich Novy - 2:2.0.22-2
+- add BR: golang, go-md2man
+- add man pages
+- Related: #1883490
+
+* Mon Dec 21 2020 Jindrich Novy - 2:2.0.22-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.22
+- Related: #1883490
+
+* Tue Dec 08 2020 Jindrich Novy - 2:2.0.21-3
+- simplify spec
+- Related: #1883490
+
+* Mon Nov 09 2020 Jindrich Novy - 2:2.0.21-2
+- be sure to harden the linked binary
+- compile with debuginfo enabled
+- Related: #1883490
+
+* Wed Oct 21 2020 Jindrich Novy - 2:2.0.21-1
+- synchronize with stream-container-tools-rhel8
+- Related: #1883490
+
+* Tue Aug 11 2020 Jindrich Novy - 2:2.0.20-2
+- use proper CFLAGS
+- Related: #1821193
+
+* Wed Jul 29 2020 Jindrich Novy - 2:2.0.20-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.20
+- Related: #1821193
+
+* Wed Jul 15 2020 Jindrich Novy - 2:2.0.19-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.19
+- Related: #1821193
+
+* Tue Jun 16 2020 Jindrich Novy - 2:2.0.18-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.18
+- Related: #1821193
+
+* Tue May 26 2020 Jindrich Novy - 2:2.0.17-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.17
+- Related: #1821193
+
+* Wed May 13 2020 Jindrich Novy - 2:2.0.16-1
+- update to https://github.com/containers/conmon/releases/tag/v2.0.16
+- Related: #1821193
+
+* Tue May 12 2020 Jindrich Novy - 2:2.0.15-2
+- synchronize containter-tools 8.3.0 with 8.2.1
+- Related: #1821193
+
+* Mon Apr 06 2020 Jindrich Novy - 2:2.0.15-1
+- update to 2.0.15
+- Related: #1821193
+
+* Wed Dec 11 2019 Jindrich Novy - 2:2.0.6-1
+- update to 2.0.6
+- Related: RHELPLAN-25139
+
+* Tue Dec 10 2019 Jindrich Novy - 2:2.0.5-1
+- update to 2.0.5
+- Related: RHELPLAN-25139
+
+* Mon Dec 09 2019 Jindrich Novy - 2:2.0.4-1
+- update to 2.0.4 bugfix release
+- Related: RHELPLAN-25139
+
+* Mon Nov 25 
2019 Jindrich Novy - 2:2.0.3-2.giteb5fa88
+- BR: systemd-devel
+- Related: RHELPLAN-25139
+
+* Wed Nov 20 2019 Jindrich Novy - 2:2.0.3-1.giteb5fa88
+- update to 2.0.3
+- Related: RHELPLAN-25139
+
+* Wed Sep 25 2019 Lokesh Mandvekar - 2:2.0.2-0.1.dev.git422ce21
+- build latest upstream master
+
+* Tue Sep 10 2019 Lokesh Mandvekar - 2:2.0.0-2
+- remove BR: go-md2man since no manpages yet
+
+* Tue Sep 10 2019 Lokesh Mandvekar - 2:2.0.0-1
+- bump to v2.0.0
+
+* Fri May 31 2019 Lokesh Mandvekar - 2:0.2.0-1
+- initial package