commit singularity for openSUSE:Factory

Hello community, here is the log from the commit of package singularity for openSUSE:Factory checked in at 2019-01-05 14:42:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/singularity (Old) and /work/SRC/openSUSE:Factory/.singularity.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "singularity" Sat Jan 5 14:42:48 2019 rev:7 rq:662782 version:2.6.1 Changes: -------- --- /work/SRC/openSUSE:Factory/singularity/singularity.changes 2018-11-01 14:40:06.466903282 +0100 +++ /work/SRC/openSUSE:Factory/.singularity.new.28833/singularity.changes 2019-01-05 14:42:50.076455974 +0100 @@ -1,0 +2,15 @@ +Fri Jan 4 11:05:14 UTC 2019 - eich@suse.com + +- Change from /var/singularity to /var/lib/singularity +- zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch: + Fix the RPM db path for later versions of SUSE. +- Fix warning on bash-completion file about non-executible script. + +------------------------------------------------------------------- +Mon Dec 17 09:48:05 UTC 2018 - cgoll@suse.com + +- Updated to 2.6.1 to fix CVE-2018-19295 (bsc#1111411). + * mount points are not mounted with shared mount propagation by + default anymore, as this may result in privilege escalation. + +------------------------------------------------------------------- @@ -7,0 +23,6 @@ + +------------------------------------------------------------------- +Tue Oct 30 16:13:05 UTC 2018 - eich@suse.com + +- Add bash completions directory to file list for suse_version < 1500 + to keep the build checker happy. Old: ---- singularity-2.6.0.tar.gz New: ---- singularity-2.6.1.tar.gz zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ singularity.spec ++++++ --- /var/tmp/diff_new_pack.xVv8WD/_old 2019-01-05 14:42:50.616455516 +0100 +++ /var/tmp/diff_new_pack.xVv8WD/_new 2019-01-05 14:42:50.620455513 +0100 @@ -1,7 +1,7 @@ # # spec file for package singularity # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ # %define libsingularity libsingularity1 -%define git_version 2.6.0 +%define git_version 2.6.1 # slurm build broken %define have_slurm 0 @@ -41,6 +41,7 @@ Source: https://github.com/singularityware/%{name}/archive/%{github_ref}.tar.gz#/%{name}-%{version}.tar.gz Source1: README.SUSE Source5: singularity-rpmlintrc +Patch1: zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -79,11 +80,13 @@ %prep %setup -q -n %{name}-%{github_ref} +%patch1 -p1 cp %{S:1} . %build ./autogen.sh %configure \ + --localstatedir=%{_localstatedir}/lib \ %{!?allow_suid:--disable-suid} \ --with-userns \ --with-gnu-ld \ @@ -104,6 +107,8 @@ mkdir -p %{buildroot}/%{_datadir}/bash-completion/completions/ mv %{buildroot}/%{_sysconfdir}/bash_completion.d/%{name} \ %{buildroot}/%{_datadir}/bash-completion/completions/%{name} +sed -i -e '/#\!/d' %{buildroot}/%{_datadir}/bash-completion/completions/%{name} +for file in $(find %{buildroot}/%{_libexecdir} -name \*.py); do grep "/usr/bin/env" $file && sed -i 's@/usr/bin/env python@/usr/bin/python@' $file; done %fdupes %{buildroot} %post -n %{libsingularity} -p /sbin/ldconfig @@ -150,6 +155,10 @@ %config(noreplace) %{_sysconfdir}/%{name}/init %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %{_sysconfdir}/%{name}/nvliblist.conf +%if 0%{?suse_version} < 1500 +%dir %{_datadir}/bash-completion +%dir %{_datadir}/bash-completion/completions +%endif %{_datadir}/bash-completion/completions/%{name} %{_bindir}/%{name} %{_bindir}/run-%{name} @@ -157,7 +166,7 @@ %exclude %{_libdir}/%{name}/lib%{name}-*.so* %{?allow_suid:%verify(not mode) %attr(4750,root,%{name}) %{_libexecdir}/%{name}/bin/*-suid} %{_mandir}/man1/%{name}.1.gz -%{_var}/%{name} +%{_localstatedir}/lib/%{name} %files -n %{libsingularity} %defattr(-,root,root) ++++++ singularity-2.6.0.tar.gz -> singularity-2.6.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/CHANGELOG.md new/singularity-2.6.1/CHANGELOG.md --- old/singularity-2.6.0/CHANGELOG.md 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/CHANGELOG.md 2018-12-11 15:24:13.000000000 +0100 @@ -12,8 +12,17 @@ - migration guidance (how to convert images?) - changed behaviour (recipe sections work differently) +## [v2.6.1] + +### [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1929) + - disables instance features for mount commands, disables instance join for + start command, and disables daemon start for action commands + ## [v2.6.0] - + +### Bug fixes + - Fix image expand functionality by additional losetup/mount -o bind,offset=31 + ### Implemented enhancements - Allow admin to specify a non-standard location for mksquashfs binary at build time with `--with-mksquashfs` option #1662 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/CONTRIBUTORS.md new/singularity-2.6.1/CONTRIBUTORS.md --- old/singularity-2.6.0/CONTRIBUTORS.md 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/CONTRIBUTORS.md 2018-12-11 15:24:13.000000000 +0100 @@ -51,3 +51,4 @@ - Thomas Hamel - Yaroslav Halchenko - Matt Wiens + - Marcin Stolarek diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/configure.ac new/singularity-2.6.1/configure.ac --- old/singularity-2.6.0/configure.ac 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/configure.ac 2018-12-11 15:24:13.000000000 +0100 @@ -1,5 +1,5 @@ AC_PREREQ(2.59) -AC_INIT([singularity],[2.6.0],[gmkurtzer@gmail.com]) +AC_INIT([singularity],[2.6.1],[gmkurtzer@gmail.com]) if test -z "$prefix" -o "$prefix" = "NONE" ; then prefix=${ac_default_prefix} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/debian/changelog new/singularity-2.6.1/debian/changelog --- old/singularity-2.6.0/debian/changelog 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/debian/changelog 2018-12-11 15:24:13.000000000 +0100 @@ -1,3 +1,10 @@ +singularity-container (2.6.1-1) unstable; urgency=high + + * disables instance features for mount commands, disables instance join for + start command, and disables daemon start for action commands + + -- Gregory M. Kurtzer Tue, 11 Dec 2018 09:25:53 -0700 + singularity-container (2.6.0-1) unstable; urgency=high * Allow admin to specify a non-standard location for mksquashfs binary at diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/libexec/cli/bootstrap.exec new/singularity-2.6.1/libexec/cli/bootstrap.exec --- old/singularity-2.6.0/libexec/cli/bootstrap.exec 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/libexec/cli/bootstrap.exec 2018-12-11 15:24:13.000000000 +0100 @@ -119,7 +119,7 @@ ${SINGULARITY_bindir}/singularity build -w ${SINGULARITY_IMAGE} ${SINGULARITY_BUILDDEF} exit 0 else - message ERROR "Could not locate the Singularity binary: $SINGULARITY_home/singularity\n" + message ERROR "Could not locate the Singularity binary: $SINGULARITY_bindir/singularity\n" exit 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/libexec/cli/image.expand.exec new/singularity-2.6.1/libexec/cli/image.expand.exec --- old/singularity-2.6.0/libexec/cli/image.expand.exec 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/libexec/cli/image.expand.exec 2018-12-11 15:24:13.000000000 +0100 @@ -112,15 +112,30 @@ exit 1 fi +message 1 "Create loop device\n" +SINGULARITY_LOOP_DEVICE=$(losetup --show -o 31 -f $SINGULARITY_IMAGE 2> /dev/null) +if [ $? -ne 0 ]; then + exit 1 +fi + + message 1 "Checking image's file system\n" -if ! /sbin/e2fsck -fy "$SINGULARITY_IMAGE"; then +if ! /sbin/e2fsck -fy "$SINGULARITY_LOOP_DEVICE"; then + umount "$SINGULARITY_LOOP_DEVICE" exit 1 fi message 1 "Resizing image's file system\n" -if ! /sbin/resize2fs "$SINGULARITY_IMAGE"; then +if ! /sbin/resize2fs "$SINGULARITY_LOOP_DEVICE"; then + umount "$SINGULARITY_LOOP_DEVICE" exit 1 fi +#For some reason without this dummy sleep sometimes umount failed for me with "device busy" +sleep 3 +message 1 "Unmounting loop device: $SINGULARITY_LOOP_DEVICE\n" +losetup -d "$SINGULARITY_LOOP_DEVICE" + message 1 "Image is done: $SINGULARITY_IMAGE\n" exit 0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/libexec/cli/pull.exec new/singularity-2.6.1/libexec/cli/pull.exec --- old/singularity-2.6.0/libexec/cli/pull.exec 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/libexec/cli/pull.exec 2018-12-11 15:24:13.000000000 +0100 @@ -160,7 +160,7 @@ ${SINGULARITY_bindir}/singularity ${DBGFLAG} build ${SINGULARITY_IMAGE} ${SINGULARITY_CONTAINER} RETVAL=$? else - message ERROR "Could not locate the Singularity binary: $SINGULARITY_home/singularity\n" + message ERROR "Could not locate the Singularity binary: $SINGULARITY_bindir/singularity\n" exit 1 fi ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/action.c new/singularity-2.6.1/src/action.c --- old/singularity-2.6.0/src/action.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/action.c 2018-12-11 15:24:13.000000000 +0100 @@ -81,6 +81,8 @@ singularity_runtime_autofs(); + singularity_registry_set("DAEMON_START", NULL); + singularity_daemon_init(); if ( singularity_registry_get("WRITABLE") != NULL ) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/lib/image/image.c new/singularity-2.6.1/src/lib/image/image.c --- old/singularity-2.6.0/src/lib/image/image.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/lib/image/image.c 2018-12-11 15:24:13.000000000 +0100 @@ -163,6 +163,7 @@ int singularity_image_mount(struct image_object *image, char *mount_point) { if ( singularity_registry_get("DAEMON_JOIN") ) { singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n"); + ABORT(255); } singularity_message(DEBUG, "Figuring out which mount module to use...\n"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/lib/runtime/runtime.c new/singularity-2.6.1/src/lib/runtime/runtime.c --- old/singularity-2.6.0/src/lib/runtime/runtime.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/lib/runtime/runtime.c 2018-12-11 15:24:13.000000000 +0100 @@ -65,6 +65,7 @@ int singularity_runtime_overlayfs(void) { if ( singularity_registry_get("DAEMON_JOIN") ) { singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n"); + ABORT(255); } return(_singularity_runtime_overlayfs()); @@ -77,6 +78,7 @@ int singularity_runtime_mounts(void) { if ( singularity_registry_get("DAEMON_JOIN") ) { singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n"); + ABORT(255); } return(_singularity_runtime_mounts()); @@ -85,6 +87,7 @@ int singularity_runtime_files(void) { if ( singularity_registry_get("DAEMON_JOIN") ) { singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n"); + ABORT(255); } return(_singularity_runtime_files()); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/mount.c new/singularity-2.6.1/src/mount.c --- old/singularity-2.6.0/src/mount.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/mount.c 2018-12-11 15:24:13.000000000 +0100 @@ -72,6 +72,9 @@ ABORT(255); } + singularity_registry_set("DAEMON_START", NULL); + singularity_registry_set("DAEMON_JOIN", NULL); + singularity_runtime_ns(SR_NS_MNT); singularity_image_mount(&image, CONTAINER_FINALDIR); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/start.c new/singularity-2.6.1/src/start.c --- old/singularity-2.6.0/src/start.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/start.c 2018-12-11 15:24:13.000000000 +0100 @@ -83,6 +83,7 @@ singularity_registry_set("UNSHARE_PID", "1"); singularity_registry_set("NOSHIMINIT", "1"); singularity_registry_set("UNSHARE_IPC", "1"); + singularity_registry_set("DAEMON_JOIN", NULL); singularity_cleanupd(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/util/cleanupd.c new/singularity-2.6.1/src/util/cleanupd.c --- old/singularity-2.6.0/src/util/cleanupd.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/util/cleanupd.c 2018-12-11 15:24:13.000000000 +0100 @@ -53,6 +53,7 @@ if ( singularity_registry_get("DAEMON_JOIN") ) { singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n"); + ABORT(255); } if ( ( singularity_registry_get("NOSESSIONCLEANUP") != NULL ) || ( singularity_registry_get("NOCLEANUP") != NULL ) ) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/util/daemon.c new/singularity-2.6.1/src/util/daemon.c --- old/singularity-2.6.0/src/util/daemon.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/util/daemon.c 2018-12-11 15:24:13.000000000 +0100 @@ -60,16 +60,22 @@ } } -int daemon_is_owner(char *pid_path) { +int daemon_is_owner(int proc_fd) { int retval = 0; - char *proc_status = joinpath(pid_path, "/status"); char *uid_check = (char *)malloc(2048); char *line = (char *)malloc(2048); - FILE *status = fopen(proc_status, "r"); + int status_fd; + FILE *status; pid_t uid = singularity_priv_getuid(); + if ( ( status_fd = openat(proc_fd, "status", O_RDONLY) ) < 0 ) { + singularity_message(ERROR, "Failed to open proc status: %s\n", strerror(errno)); + ABORT(255); + } + + status = fdopen(status_fd, "r"); if ( status == NULL ) { - singularity_message(ERROR, "Failed to open %s to check instance owner\n", proc_status); + singularity_message(ERROR, "Failed to open status to check instance owner\n"); ABORT(255); } @@ -85,16 +91,15 @@ free(uid_check); free(line); - free(proc_status); fclose(status); return(retval); } void daemon_init_join(void) { - char *ns_path, *ns_fd_str; + char *ns_fd_str; char *pid_path; - int lock_result, ns_fd; + int lock_result, proc_fd, ns_fd; int *lock_fd = malloc(sizeof(int)); char *daemon_file = singularity_registry_get("DAEMON_FILE"); char *daemon_name = singularity_registry_get("DAEMON_NAME"); @@ -130,24 +135,27 @@ } snprintf(pid_path, PATH_MAX-1, "/proc/%lu", pid); //Flawfinder: ignore - if ( daemon_is_owner(pid_path) == 0 ) { - singularity_message(ERROR, "Unable to join instance: you are not the owner\n"); + if ( ( proc_fd = open(pid_path, O_RDONLY) ) < 0 ) { + singularity_message(ERROR, "Unable to open %s directory: %s\n", pid_path, strerror(errno)); ABORT(255); } - ns_path = joinpath(pid_path, "/ns"); + if ( daemon_is_owner(proc_fd) == 0 ) { + singularity_message(ERROR, "Unable to join instance: you are not the owner\n"); + ABORT(255); + } free(pid_path); /* Open FD to /proc/[PID]/ns directory to call openat() for ns files */ singularity_priv_escalate(); - if ( ( ns_fd = open(ns_path, O_RDONLY | O_CLOEXEC) ) == -1 ) { + if ( ( ns_fd = openat(proc_fd, "ns", O_RDONLY | O_CLOEXEC) ) < 0 ) { singularity_message(ERROR, "Unable to open ns directory of PID in daemon file: %s\n", strerror(errno)); ABORT(255); } singularity_priv_drop(); - free(ns_path); + close(proc_fd); ns_fd_str = int2str(ns_fd); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/util/sessiondir.c new/singularity-2.6.1/src/util/sessiondir.c --- old/singularity-2.6.0/src/util/sessiondir.c 2018-08-04 03:00:49.000000000 +0200 +++ new/singularity-2.6.1/src/util/sessiondir.c 2018-12-11 15:24:13.000000000 +0100 @@ -60,6 +60,7 @@ if ( singularity_registry_get("DAEMON_JOIN") ) { singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n"); + ABORT(255); } singularity_message(DEBUG, "Setting sessiondir\n"); ++++++ zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch ++++++ From: Egbert Eich Date: Mon Nov 19 14:35:23 2018 +0100 Subject: zypper install: Fix dbpath for newer versions of SUSE Linux Patch-mainline: Not yet Git-commit: 4c921f9889d1d072e8aecdeeb3bffe1557c0c619 References: Signed-off-by: Egbert Eich --- singularity-2.6.0/libexec/bootstrap-scripts/deffile-driver-zypper.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libexec/bootstrap-scripts/deffile-driver-zypper.sh b/libexec/bootstrap-scripts/deffile-driver-zypper.sh index 5e0470c..1f8252d 100644 --- a/libexec/bootstrap-scripts/deffile-driver-zypper.sh +++ b/libexec/bootstrap-scripts/deffile-driver-zypper.sh @@ -66,7 +66,8 @@ if [ -z "${RPM_CMD:-}" ]; then ABORT 1 fi RPM_DBPATH=$(rpm --showrc | grep -E ":\s_dbpath\s" | cut -f2) -if [ "$RPM_DBPATH" != '%{_var}/lib/rpm' ]; then +if [ "$RPM_DBPATH" != '%{_var}/lib/rpm' \ + -a "$RPM_DBPATH" != '%{_usr}/lib/sysimage/rpm' ]; then message ERROR "RPM database is using a weird path: %s\n" "$RPM_DBPATH" message WARNING "You are probably running this bootstrap on Debian or Ubuntu.\n" message WARNING "There is a way to work around this problem:\n"