Hello community, here is the log from the commit of package lxc for openSUSE:Factory checked in at 2017-04-11 09:36:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lxc (Old) and /work/SRC/openSUSE:Factory/.lxc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "lxc" Tue Apr 11 09:36:53 2017 rev:70 rq:483859 version:2.0.7 Changes: -------- --- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2016-12-09 09:38:33.641620438 +0100 +++ /work/SRC/openSUSE:Factory/.lxc.new/lxc.changes 2017-04-11 09:36:58.458488200 +0200 
@@ -1,0 +2,112 @@ +Thu Mar 30 06:31:37 UTC 2017 - opensuse_buildservice@ojkastl.de + +- fix for boo#1028264 + added patch 0003-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch + +------------------------------------------------------------------- +Wed Mar 29 20:01:55 UTC 2017 - opensuse_buildservice@ojkastl.de + +- backported two patches to get the package to build again for Tumbleweed + (applied only on tumbleweed aka suse_version >1315) + 0001-tree-wide-include-sys-sysmacros.h-directly.patch + 0002-tree-wide-include-sys-sysmacros.h-directly.patch + +------------------------------------------------------------------- +Fri Jan 27 19:10:11 UTC 2017 - opensuse_buildservice@ojkastl.de + +- all patches (00*.patch) are upstream already, thus deleted; patch lxc-aa_allow_incomplete-default.patch is now reworked and added as a drop-in file in /usr/share/lxc/config/common.conf.d/ + 0001-bdev-use-correct-overlay-module-name.patch + 0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch + 0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch + 0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch + 0005-tools-move-rcfile-to-the-common-options-list.patch + 0006-tools-set-configfile-after-load_config.patch + 0007-doc-add-rcfile-to-common-opts.patch + 0008-doc-Update-Korean-lxc-attach-1.patch + 0009-doc-Add-rcfile-to-Korean-common-opts.patch + 0010-doc-Add-rcfile-to-Japanese-common-opts.patch + 0011-tools-use-exit-EXIT_-everywhere.patch + 0012-tools-unify-exit-calls-outside-of-main.patch + 0013-utils-Add-mips-signalfd-syscall-numbers.patch + 0014-seccomp-Implement-MIPS-seccomp-handling.patch + 0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch + 0016-seccomp-fix-strerror.patch + 0017-confile-add-more-archs-to-lxc_config_parse_arch.patch + 0018-seccomp-add-support-for-s390x.patch + 0019-seccomp-remove-double-include-and-order-includes.patch + 0020-seccomp-non-functional-changes.patch + 0021-templates-use-fd-9-instead-of-200.patch + 
0022-templates-fedora-requires-openssl-binary.patch + 0023-tools-use-boolean-for-ret-in-lxc_device.c.patch + 0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch + 0025-c-r-Fix-pid_t-on-some-arches.patch + 0026-templates-Add-mips-hostarch-detection-to-debian.patch + 0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch + lxc-aa_allow_incomplete-default.patch + 0001-attach-do-not-send-procfd-to-attached-process.patch + +------------------------------------------------------------------- +Tue Jan 24 15:51:26 UTC 2017 - opensuse_buildservice@ojkastl.de + +- update to version 2.0.7 + This is the seventh bugfix release for LXC 2.0. The main bugfixes in this release are: + - attach: Close lsm label file descriptor + - attach: Non-functional changes + - attach: Simplify lsm_openat() + - caps: Add lxc_cap_is_set() + - conf: attach: Save errno across call to close + - conf: Clearly report to either use drop or keep + - conf: criu: Add make_anonymous_mount_file() + - conf: Fix suggest_default_idmap() + - configure: Add --enable-gnutls option + - configure: Check for memfd_create() + - configure: Check whether gettid() is declared + - configure: Do not allow variable length arrays + - configure: Remove -Werror=vla + - configure: Use AC_HEADER_MAJOR to detect major()/minor()/makedev() + - conf: Non-functional changes + - conf: Remove thread-unsafe strsignal + improve log + - init: Add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers + - log: Add lxc_unix_epoch_to_utc() + - log: Annotate lxc_unix_epoch_to_utc() + - log: Drop all timezone conversion functions + - log: Make sure that date is correctly formatted + - log: Use lxc_unix_epoch_to_utc() + - log: Use N/A if getpid() != gettid() when threaded + - log: Use thread-safe localtime_r() + - lvm: Supress warnings about leaked files + - lxccontainer: Log failure to send sig to init pid + - monitor: Add more logging + - monitor: Close mainloop on exit if we opened it + - monitor: Improve log + set log level 
to DEBUG + - monitor: Log which pipe fd is currently used + - monitor: Make lxc-monitord async signal safe + - monitor: Non-functional changes + - python3-lxc: Fix api_test.py on s390x + - start: Check for CAP_SETGID before setgroups() + - start: Fix execute and improve setgroups() calls + - state: Use async signal safe fun in lxc_wait() + - templates: lxc-debian: Don't try to get stuff from /usr/lib/systemd on the host + - templates: lxc-debian: Fix getty service startup + - templates: lxc-debian: Fix typo in calling dpkg with --print-foreign-architectures option + - templates: lxc-debian: Handle ppc hostarch -> powerpc + - templates: lxc-opensuse: Change openSUSE default release to Leap 42.2 + - templates: lxc-opensuse: Remove libgcc_s1 + - templates: lxc-opensuse: Remove poweroff.target -> sigpwr.target copy + - templates: lxc-opensuse: Set to be unconfined by AppArmor + - templates: lxc-opensuse: Update for Leap 42.2 + - tests; Don't cause test failures on cleanup errors + - tests: Skip unpriv tests on broken overlay module + - tools: Improve logging + - tools: lxc-start: Remove c->is_defined(c) check + - tools: lxc-start: Set configfile after load_config + - tools: Only check for O_RDONLY + - tree-wide: Random macro cleanups + - tree-wide: Remove any variable length arrays + - tree-wide: Sic semper assertis! 
+ - utils: Add macro __LXC_NUMSTRLEN + - utils: Add uid, gid, group convenience wrappers + +- commented out the patches, as they no longer apply cleanly + +------------------------------------------------------------------- Old: ---- 0001-attach-do-not-send-procfd-to-attached-process.patch 0001-bdev-use-correct-overlay-module-name.patch 0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch 0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch 0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch 0005-tools-move-rcfile-to-the-common-options-list.patch 0006-tools-set-configfile-after-load_config.patch 0007-doc-add-rcfile-to-common-opts.patch 0008-doc-Update-Korean-lxc-attach-1.patch 0009-doc-Add-rcfile-to-Korean-common-opts.patch 0010-doc-Add-rcfile-to-Japanese-common-opts.patch 0011-tools-use-exit-EXIT_-everywhere.patch 0012-tools-unify-exit-calls-outside-of-main.patch 0013-utils-Add-mips-signalfd-syscall-numbers.patch 0014-seccomp-Implement-MIPS-seccomp-handling.patch 0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch 0016-seccomp-fix-strerror.patch 0017-confile-add-more-archs-to-lxc_config_parse_arch.patch 0018-seccomp-add-support-for-s390x.patch 0019-seccomp-remove-double-include-and-order-includes.patch 0020-seccomp-non-functional-changes.patch 0021-templates-use-fd-9-instead-of-200.patch 0022-templates-fedora-requires-openssl-binary.patch 0023-tools-use-boolean-for-ret-in-lxc_device.c.patch 0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch 0025-c-r-Fix-pid_t-on-some-arches.patch 0026-templates-Add-mips-hostarch-detection-to-debian.patch 0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch lxc-2.0.4.tar.gz lxc-aa_allow_incomplete-default.patch New: ---- 0001-tree-wide-include-sys-sysmacros.h-directly.patch 0002-tree-wide-include-sys-sysmacros.h-directly.patch 0003-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch lxc-2.0.7.tar.gz openSUSE_apparmor_mount.conf 
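Review bot: the Thu Mar 30 entry identifies the security fix only as boo#1028264; CVE-2017-5985 appears nowhere in the entry text, only inside the patch filename, so name the CVE in the entry itself and say which targets it applies to, since the Wed Mar 29 entry spells out that 0001/0002 are Tumbleweed-only (suse_version > 1315) while this one says nothing about scope. The Tue Jan 24 line "commented out the patches, as they no longer apply cleanly" also reads as stale next to the Fri Jan 27 entry, which says the same patches were deleted (the Old file list confirms the deletion); reword it so nobody goes looking for commented-out Patch lines in the spec.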
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ --- /var/tmp/diff_new_pack.MuACMF/_old 2017-04-11 09:36:59.386357127 +0200 +++ /var/tmp/diff_new_pack.MuACMF/_new 2017-04-11 09:36:59.386357127 +0200 
@@ -18,44 +18,21 @@ %define shlib_version 1 Name: lxc -Version: 2.0.4 +Version: 2.0.7 Release: 0 Url: http://linuxcontainers.org/ Summary: Userspace tools for Linux kernel containers License: LGPL-2.1+ Group: System/Management Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz -Source1: README.SUSE -Source2: lxc-createconfig.in -Patch0001: 0001-bdev-use-correct-overlay-module-name.patch -Patch0002: 0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch -Patch0003: 0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch -Patch0004: 0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch -Patch0005: 0005-tools-move-rcfile-to-the-common-options-list.patch -Patch0006: 0006-tools-set-configfile-after-load_config.patch -Patch0007: 0007-doc-add-rcfile-to-common-opts.patch -Patch0008: 0008-doc-Update-Korean-lxc-attach-1.patch -Patch0009: 0009-doc-Add-rcfile-to-Korean-common-opts.patch -Patch0010: 0010-doc-Add-rcfile-to-Japanese-common-opts.patch -Patch0011: 0011-tools-use-exit-EXIT_-everywhere.patch -Patch0012: 0012-tools-unify-exit-calls-outside-of-main.patch -Patch0013: 0013-utils-Add-mips-signalfd-syscall-numbers.patch -Patch0014: 0014-seccomp-Implement-MIPS-seccomp-handling.patch -Patch0015: 0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch -Patch0016: 0016-seccomp-fix-strerror.patch -Patch0017: 0017-confile-add-more-archs-to-lxc_config_parse_arch.patch -Patch0018: 0018-seccomp-add-support-for-s390x.patch -Patch0019: 0019-seccomp-remove-double-include-and-order-includes.patch -Patch0020: 0020-seccomp-non-functional-changes.patch -Patch0021: 0021-templates-use-fd-9-instead-of-200.patch -Patch0022: 0022-templates-fedora-requires-openssl-binary.patch -Patch0023: 0023-tools-use-boolean-for-ret-in-lxc_device.c.patch -Patch0024: 0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch -Patch0025: 0025-c-r-Fix-pid_t-on-some-arches.patch -Patch0026: 0026-templates-Add-mips-hostarch-detection-to-debian.patch -Patch0027: 
0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch -Patch0028: lxc-aa_allow_incomplete-default.patch -Patch0029: 0001-attach-do-not-send-procfd-to-attached-process.patch +Source1: lxc-createconfig.in +Source2: README.SUSE +Source3: openSUSE_apparmor_mount.conf +%if 0%{?suse_version} > 1315 +Patch0: 0001-tree-wide-include-sys-sysmacros.h-directly.patch +Patch1: 0002-tree-wide-include-sys-sysmacros.h-directly.patch +%endif +Patch2: 0003-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: docbook-utils @@ -119,35 +96,11 @@ %prep %setup -%patch0001 -p1 -%patch0002 -p1 -%patch0003 -p1 -%patch0004 -p1 -%patch0005 -p1 -%patch0006 -p1 -%patch0007 -p1 -%patch0008 -p1 -%patch0009 -p1 -%patch0010 -p1 -%patch0011 -p1 -%patch0012 -p1 -%patch0013 -p1 -%patch0014 -p1 -%patch0015 -p1 -%patch0016 -p1 -%patch0017 -p1 -%patch0018 -p1 -%patch0019 -p1 -%patch0020 -p1 -%patch0021 -p1 -%patch0022 -p1 -%patch0023 -p1 -%patch0024 -p1 -%patch0025 -p1 -%patch0026 -p1 -%patch0027 -p1 -%patch0028 -p1 -%patch0029 -p1 +%if 0%{?suse_version} > 1315 +%patch0 -p1 +%patch1 -p1 +%endif +%patch2 -p1 %build chmod 755 configure @@ -156,7 +109,8 @@ --with-init-script=systemd \ --with-systemdsystemunitdir=%{_unitdir} make %{?_smp_mflags} -cp %{SOURCE1} . +cp %{SOURCE2} . +cp %{SOURCE3} . rm -rf .doc mkdir -p .doc/examples cp doc/examples/*.conf .doc/examples 
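Review bot: in the @@ -18,44 +18,21 @@ hunk Source1 and Source2 swap meanings (README.SUSE was Source1 and lxc-createconfig.in was Source2; now it is the reverse), which is what forces the `%{SOURCE1}` -> `%{SOURCE2}` and `%{S:2}` -> `%{S:1}` edits further down and is easy to get wrong on the next update; keep the old numbers and add only the new file as Source3, or at least record the renumbering in lxc.changes. Patch2 (the CVE-2017-5985 fix) is correctly placed outside the `%if 0%{?suse_version} > 1315` block so it is applied on every target, unlike the two build fixes.

Review bot: in the @@ -156,7 +109,8 @@ hunk the added `cp %{SOURCE3} .` in %build duplicates the install-time copy of the same file; unless openSUSE_apparmor_mount.conf is picked up from the build directory by a %doc line (not visible in this diff), the %build copy is dead and should be dropped, leaving the %install copy as the single place the file is handled.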
@@ -166,10 +120,11 @@ install -d -m 755 %{buildroot}/var/lib/lxc find %buildroot -type f -name '*.la' -delete chmod u-s %{buildroot}/%{_libexecdir}/%{name}/lxc-user-nic -./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2} +./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:1} chmod a+x %{buildroot}%{_bindir}/lxc-createconfig ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc-net +%__cp %{SOURCE3} %{buildroot}/usr/share/lxc/config/common.conf.d/ %fdupes %{buildroot}/%{_datadir}/%{name}/config/ %pre ++++++ 0001-tree-wide-include-sys-sysmacros.h-directly.patch ++++++
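Review bot: in the @@ -166,10 +120,11 @@ hunk `%__cp %{SOURCE3} %{buildroot}/usr/share/lxc/config/common.conf.d/` hardcodes /usr/share/lxc while the very next line uses `%{_datadir}/%{name}/config/`, relies on `make install` having created common.conf.d, and sets no explicit mode; prefer `install -D -m 0644 %{SOURCE3} %{buildroot}%{_datadir}/%{name}/config/common.conf.d/openSUSE_apparmor_mount.conf`. Per lxc.changes this drop-in replaces lxc-aa_allow_incomplete-default.patch, i.e. it carries a default for the package's AppArmor behaviour, but its contents and the %files entry are not part of this diff; make sure the file is actually packaged and state in lxc.changes which setting it applies, since that is a security-relevant default a reader of the changelog should not have to open the file to learn.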
From 1750a26028f6e6543795fe6b1d26e8f241348390 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 20 Mar 2017 15:42:50 +0100
Subject: [PATCH] tree-wide: include <sys/sysmacros.h> directly

Signed-off-by: Christian Brauner
From cef0cc991720bbf9ac9a8492a7aa7170daf17b07 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Tue, 21 Mar 2017 12:03:16 +0100
Subject: [PATCH] tree-wide: include <sys/sysmacros.h> directly

Signed-off-by: Christian Brauner
From d512bd5efb0e407eba350c4e649c464a65b712a3 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Sat, 28 Jan 2017 13:02:34 +0100
Subject: [PATCH] CVE-2017-5985: Ensure target netns is caller-owned
Before this commit, lxc-user-nic could potentially have been tricked into
operating on a network namespace over which the caller did not hold privilege.
This commit ensures that the caller is privileged over the network namespace by
temporarily dropping privilege.
Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676
Reported-by: Jann Horn