podman/SOURCES/podman-CVE-2020-10696.patch

From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
From: TomSweeneyRedHat <tsweeney@redhat.com>
Date: Tue, 24 Mar 2020 20:10:22 -0400
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink

Stealing @nalind 's workaround to avoid refetching
content after a file read failure.  Under the right
circumstances that could be a symlink to a file meant
to overwrite a good file with bad data.

Testing:
```
goodstuff

[1] 14901

127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
no FROM statement found

goodstuff
```

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
 imagebuildah/util.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/containers/buildah"
 	"github.com/containers/storage/pkg/chrootarchive"
+	"github.com/containers/storage/pkg/ioutils"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
 		}
 		dockerfile := filepath.Join(dir, "Dockerfile")
 		// Assume this is a Dockerfile
-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
 		}
 	}
import podman-1.0.0-8.git921f98f.module+el8.3.0+10171+12421f43 4 years ago			`From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001`
			`From: TomSweeneyRedHat <tsweeney@redhat.com>`
			`Date: Tue, 24 Mar 2020 20:10:22 -0400`
			`Subject: [PATCH] Fix potential CVE in tarfile w/ symlink`

			`Stealing @nalind 's workaround to avoid refetching`
			`content after a file read failure. Under the right`
			`circumstances that could be a symlink to a file meant`
			`to overwrite a good file with bad data.`

			`Testing:`
			```
			`goodstuff`

			`[1] 14901`

			`127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -`
			`127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -`
			`no FROM statement found`

			`goodstuff`
			```

			`Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>`
			`---`
			`imagebuildah/util.go \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go`
			`--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696`
			`+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go`
			`@@ -12,6 +12,7 @@ import (`

			`"github.com/containers/buildah"`
			`"github.com/containers/storage/pkg/chrootarchive"`
			`+ "github.com/containers/storage/pkg/ioutils"`
			`"github.com/pkg/errors"`
			`"github.com/sirupsen/logrus"`
			`)`
			`@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string`
			`}`
			`dockerfile := filepath.Join(dir, "Dockerfile")`
			`// Assume this is a Dockerfile`
			`- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {`
			`+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {`
			`return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)`
			`}`
			`}`