Hello community,
here is the log from the commit of package singularity for openSUSE:Factory checked in at 2019-01-05 14:42:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/singularity (Old)
and /work/SRC/openSUSE:Factory/.singularity.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "singularity"
Sat Jan 5 14:42:48 2019 rev:7 rq:662782 version:2.6.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/singularity/singularity.changes 2018-11-01 14:40:06.466903282 +0100
+++ /work/SRC/openSUSE:Factory/.singularity.new.28833/singularity.changes 2019-01-05 14:42:50.076455974 +0100
@@ -1,0 +2,15 @@
+Fri Jan 4 11:05:14 UTC 2019 - eich@suse.com
+
+- Change from /var/singularity to /var/lib/singularity
+- zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch:
+ Fix the RPM db path for later versions of SUSE.
+- Fix warning on bash-completion file about non-executible script.
+
+-------------------------------------------------------------------
+Mon Dec 17 09:48:05 UTC 2018 - cgoll@suse.com
+
+- Updated to 2.6.1 to fix CVE-2018-19295 (bsc#1111411).
+ * mount points are not mounted with shared mount propagation by
+ default anymore, as this may result in privilege escalation.
+
+-------------------------------------------------------------------
@@ -7,0 +23,6 @@
+
+-------------------------------------------------------------------
+Tue Oct 30 16:13:05 UTC 2018 - eich@suse.com
+
+- Add bash completions directory to file list for suse_version < 1500
+ to keep the build checker happy.
Old:
----
singularity-2.6.0.tar.gz
New:
----
singularity-2.6.1.tar.gz
zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ singularity.spec ++++++
--- /var/tmp/diff_new_pack.xVv8WD/_old 2019-01-05 14:42:50.616455516 +0100
+++ /var/tmp/diff_new_pack.xVv8WD/_new 2019-01-05 14:42:50.620455513 +0100
@@ -1,7 +1,7 @@
#
# spec file for package singularity
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
#
%define libsingularity libsingularity1
-%define git_version 2.6.0
+%define git_version 2.6.1
# slurm build broken
%define have_slurm 0
@@ -41,6 +41,7 @@
Source: https://github.com/singularityware/%{name}/archive/%{github_ref}.tar.gz#/%{name}-%{version}.tar.gz
Source1: README.SUSE
Source5: singularity-rpmlintrc
+Patch1: zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
@@ -79,11 +80,13 @@
%prep
%setup -q -n %{name}-%{github_ref}
+%patch1 -p1
cp %{S:1} .
%build
./autogen.sh
%configure \
+ --localstatedir=%{_localstatedir}/lib \
%{!?allow_suid:--disable-suid} \
--with-userns \
--with-gnu-ld \
@@ -104,6 +107,8 @@
mkdir -p %{buildroot}/%{_datadir}/bash-completion/completions/
mv %{buildroot}/%{_sysconfdir}/bash_completion.d/%{name} \
%{buildroot}/%{_datadir}/bash-completion/completions/%{name}
+sed -i -e '/#\!/d' %{buildroot}/%{_datadir}/bash-completion/completions/%{name}
+for file in $(find %{buildroot}/%{_libexecdir} -name \*.py); do grep "/usr/bin/env" $file && sed -i 's@/usr/bin/env python@/usr/bin/python@' $file; done
%fdupes %{buildroot}
%post -n %{libsingularity} -p /sbin/ldconfig
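Review bot: The shebang strip `sed -i -e '/#\!/d'` on the completions file deletes every line that contains `#!`, not only the interpreter line, so any comment or string in the completion script mentioning `#!` is dropped as well; anchoring the delete to the first line, `sed -i -e '1{/^#!/d}' %{buildroot}/%{_datadir}/bash-completion/completions/%{name}`, limits it to the shebang the warning is about. The `for file in $(find ...)` loop on the next line word-splits paths and lets grep print each match into the build log; `find %{buildroot}/%{_libexecdir} -name '*.py' -exec sed -i 's@/usr/bin/env python@/usr/bin/python@' {} +` does the same rewrite without either issue, since sed is a no-op on files without the pattern.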
@@ -150,6 +155,10 @@
%config(noreplace) %{_sysconfdir}/%{name}/init
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/%{name}/nvliblist.conf
+%if 0%{?suse_version} < 1500
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%endif
%{_datadir}/bash-completion/completions/%{name}
%{_bindir}/%{name}
%{_bindir}/run-%{name}
@@ -157,7 +166,7 @@
%exclude %{_libdir}/%{name}/lib%{name}-*.so*
%{?allow_suid:%verify(not mode) %attr(4750,root,%{name}) %{_libexecdir}/%{name}/bin/*-suid}
%{_mandir}/man1/%{name}.1.gz
-%{_var}/%{name}
+%{_localstatedir}/lib/%{name}
%files -n %{libsingularity}
%defattr(-,root,root)
++++++ singularity-2.6.0.tar.gz -> singularity-2.6.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/CHANGELOG.md new/singularity-2.6.1/CHANGELOG.md
--- old/singularity-2.6.0/CHANGELOG.md 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/CHANGELOG.md 2018-12-11 15:24:13.000000000 +0100
@@ -12,8 +12,17 @@
- migration guidance (how to convert images?)
- changed behaviour (recipe sections work differently)
+## [v2.6.1]
+
+### [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1929)
+ - disables instance features for mount commands, disables instance join for
+ start command, and disables daemon start for action commands
+
## [v2.6.0]
-
+
+### Bug fixes
+ - Fix image expand functionality by additional losetup/mount -o bind,offset=31
+
### Implemented enhancements
- Allow admin to specify a non-standard location for mksquashfs binary at
build time with `--with-mksquashfs` option #1662
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/CONTRIBUTORS.md new/singularity-2.6.1/CONTRIBUTORS.md
--- old/singularity-2.6.0/CONTRIBUTORS.md 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/CONTRIBUTORS.md 2018-12-11 15:24:13.000000000 +0100
@@ -51,3 +51,4 @@
- Thomas Hamel
- Yaroslav Halchenko
- Matt Wiens
+ - Marcin Stolarek
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/configure.ac new/singularity-2.6.1/configure.ac
--- old/singularity-2.6.0/configure.ac 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/configure.ac 2018-12-11 15:24:13.000000000 +0100
@@ -1,5 +1,5 @@
AC_PREREQ(2.59)
-AC_INIT([singularity],[2.6.0],[gmkurtzer@gmail.com])
+AC_INIT([singularity],[2.6.1],[gmkurtzer@gmail.com])
if test -z "$prefix" -o "$prefix" = "NONE" ; then
prefix=${ac_default_prefix}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/debian/changelog new/singularity-2.6.1/debian/changelog
--- old/singularity-2.6.0/debian/changelog 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/debian/changelog 2018-12-11 15:24:13.000000000 +0100
@@ -1,3 +1,10 @@
+singularity-container (2.6.1-1) unstable; urgency=high
+
+ * disables instance features for mount commands, disables instance join for
+ start command, and disables daemon start for action commands
+
+ -- Gregory M. Kurtzer Tue, 11 Dec 2018 09:25:53 -0700
+
singularity-container (2.6.0-1) unstable; urgency=high
* Allow admin to specify a non-standard location for mksquashfs binary at
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/libexec/cli/bootstrap.exec new/singularity-2.6.1/libexec/cli/bootstrap.exec
--- old/singularity-2.6.0/libexec/cli/bootstrap.exec 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/libexec/cli/bootstrap.exec 2018-12-11 15:24:13.000000000 +0100
@@ -119,7 +119,7 @@
${SINGULARITY_bindir}/singularity build -w ${SINGULARITY_IMAGE} ${SINGULARITY_BUILDDEF}
exit 0
else
- message ERROR "Could not locate the Singularity binary: $SINGULARITY_home/singularity\n"
+ message ERROR "Could not locate the Singularity binary: $SINGULARITY_bindir/singularity\n"
exit 1
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/libexec/cli/image.expand.exec new/singularity-2.6.1/libexec/cli/image.expand.exec
--- old/singularity-2.6.0/libexec/cli/image.expand.exec 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/libexec/cli/image.expand.exec 2018-12-11 15:24:13.000000000 +0100
@@ -112,15 +112,30 @@
exit 1
fi
+message 1 "Create loop device\n"
+SINGULARITY_LOOP_DEVICE=$(losetup --show -o 31 -f $SINGULARITY_IMAGE 2> /dev/null)
+if [ $? -ne 0 ]; then
+ exit 1
+fi
+
+
message 1 "Checking image's file system\n"
-if ! /sbin/e2fsck -fy "$SINGULARITY_IMAGE"; then
+if ! /sbin/e2fsck -fy "$SINGULARITY_LOOP_DEVICE"; then
+ umount "$SINGULARITY_LOOP_DEVICE"
exit 1
fi
message 1 "Resizing image's file system\n"
-if ! /sbin/resize2fs "$SINGULARITY_IMAGE"; then
+if ! /sbin/resize2fs "$SINGULARITY_LOOP_DEVICE"; then
+ umount "$SINGULARITY_LOOP_DEVICE"
exit 1
fi
+#For some reason without this dummy sleep sometimes umount failed for me with "device busy"
+sleep 3
+message 1 "Unmounting loop device: $SINGULARITY_LOOP_DEVICE\n"
+losetup -d "$SINGULARITY_LOOP_DEVICE"
+
message 1 "Image is done: $SINGULARITY_IMAGE\n"
exit 0
+
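Review bot: Both failure branches call `umount "$SINGULARITY_LOOP_DEVICE"`, but the loop device created by `losetup --show` a few lines above is never mounted, so the umount fails and the loop device stays attached to the image on every e2fsck or resize2fs error; both calls should be `losetup -d "$SINGULARITY_LOOP_DEVICE"`. `$SINGULARITY_IMAGE` is unquoted in the losetup call while every other use in the hunk quotes the variable, and the detach on the success path discards losetup's exit status, so a device that could not be released is still reported as "Image is done". The `sleep 3` comment records a workaround for an EBUSY the author could not explain; if it stems from writes still buffered after resize2fs, a `sync` before the detach or a short retry loop on `losetup -d` would make the reason explicit. The surrounding script continues outside this hunk.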
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/libexec/cli/pull.exec new/singularity-2.6.1/libexec/cli/pull.exec
--- old/singularity-2.6.0/libexec/cli/pull.exec 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/libexec/cli/pull.exec 2018-12-11 15:24:13.000000000 +0100
@@ -160,7 +160,7 @@
${SINGULARITY_bindir}/singularity ${DBGFLAG} build ${SINGULARITY_IMAGE} ${SINGULARITY_CONTAINER}
RETVAL=$?
else
- message ERROR "Could not locate the Singularity binary: $SINGULARITY_home/singularity\n"
+ message ERROR "Could not locate the Singularity binary: $SINGULARITY_bindir/singularity\n"
exit 1
fi
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/action.c new/singularity-2.6.1/src/action.c
--- old/singularity-2.6.0/src/action.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/action.c 2018-12-11 15:24:13.000000000 +0100
@@ -81,6 +81,8 @@
singularity_runtime_autofs();
+ singularity_registry_set("DAEMON_START", NULL);
+
singularity_daemon_init();
if ( singularity_registry_get("WRITABLE") != NULL ) {
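Review bot: The new `singularity_registry_set("DAEMON_START", NULL)` carries no comment, and nothing in the hunk says why an action command must clear it before `singularity_daemon_init()`; the intent given in the changelog (action commands must not start an instance daemon) belongs at the call site, e.g. `/* Action commands never start an instance daemon: clear any DAEMON_START that reached this process before daemon_init() consults it (CVE-2018-19295). */`. The same undocumented clears appear in src/mount.c (DAEMON_START and DAEMON_JOIN) and src/start.c (DAEMON_JOIN) and deserve the same one-line comment. This assumes that passing NULL unsets the key rather than storing an empty value; the registry implementation is not in this diff, so that is worth confirming. The enclosing function starts and ends outside the hunk.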
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/lib/image/image.c new/singularity-2.6.1/src/lib/image/image.c
--- old/singularity-2.6.0/src/lib/image/image.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/lib/image/image.c 2018-12-11 15:24:13.000000000 +0100
@@ -163,6 +163,7 @@
int singularity_image_mount(struct image_object *image, char *mount_point) {
if ( singularity_registry_get("DAEMON_JOIN") ) {
singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
+ ABORT(255);
}
singularity_message(DEBUG, "Figuring out which mount module to use...\n");
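Review bot: The DAEMON_JOIN guard completed here is the same four lines repeated in src/lib/runtime/runtime.c (three hunks), src/util/cleanupd.c and src/util/sessiondir.c, and the defect this release fixes was precisely that every copy logged "Internal Error" and then fell through into the mount or cleanup logic; a single shared helper makes it impossible to forget the `ABORT(255)` at the next call site. Each of those hunks would then collapse to one call, `singularity_abort_if_daemon_join();`, at the top of the function. `singularity_image_mount` continues outside the hunk.
```c
/* Guard for code paths that must never run while joining an existing
 * instance: logs and terminates instead of falling through. */
static inline void singularity_abort_if_daemon_join(void) {
    if ( singularity_registry_get("DAEMON_JOIN") ) {
        singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
        ABORT(255);
    }
}
```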
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/lib/runtime/runtime.c new/singularity-2.6.1/src/lib/runtime/runtime.c
--- old/singularity-2.6.0/src/lib/runtime/runtime.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/lib/runtime/runtime.c 2018-12-11 15:24:13.000000000 +0100
@@ -65,6 +65,7 @@
int singularity_runtime_overlayfs(void) {
if ( singularity_registry_get("DAEMON_JOIN") ) {
singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
+ ABORT(255);
}
return(_singularity_runtime_overlayfs());
@@ -77,6 +78,7 @@
int singularity_runtime_mounts(void) {
if ( singularity_registry_get("DAEMON_JOIN") ) {
singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
+ ABORT(255);
}
return(_singularity_runtime_mounts());
@@ -85,6 +87,7 @@
int singularity_runtime_files(void) {
if ( singularity_registry_get("DAEMON_JOIN") ) {
singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
+ ABORT(255);
}
return(_singularity_runtime_files());
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/mount.c new/singularity-2.6.1/src/mount.c
--- old/singularity-2.6.0/src/mount.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/mount.c 2018-12-11 15:24:13.000000000 +0100
@@ -72,6 +72,9 @@
ABORT(255);
}
+ singularity_registry_set("DAEMON_START", NULL);
+ singularity_registry_set("DAEMON_JOIN", NULL);
+
singularity_runtime_ns(SR_NS_MNT);
singularity_image_mount(&image, CONTAINER_FINALDIR);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/start.c new/singularity-2.6.1/src/start.c
--- old/singularity-2.6.0/src/start.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/start.c 2018-12-11 15:24:13.000000000 +0100
@@ -83,6 +83,7 @@
singularity_registry_set("UNSHARE_PID", "1");
singularity_registry_set("NOSHIMINIT", "1");
singularity_registry_set("UNSHARE_IPC", "1");
+ singularity_registry_set("DAEMON_JOIN", NULL);
singularity_cleanupd();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/util/cleanupd.c new/singularity-2.6.1/src/util/cleanupd.c
--- old/singularity-2.6.0/src/util/cleanupd.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/util/cleanupd.c 2018-12-11 15:24:13.000000000 +0100
@@ -53,6 +53,7 @@
if ( singularity_registry_get("DAEMON_JOIN") ) {
singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
+ ABORT(255);
}
if ( ( singularity_registry_get("NOSESSIONCLEANUP") != NULL ) || ( singularity_registry_get("NOCLEANUP") != NULL ) ) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/util/daemon.c new/singularity-2.6.1/src/util/daemon.c
--- old/singularity-2.6.0/src/util/daemon.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/util/daemon.c 2018-12-11 15:24:13.000000000 +0100
@@ -60,16 +60,22 @@
}
}
-int daemon_is_owner(char *pid_path) {
+int daemon_is_owner(int proc_fd) {
int retval = 0;
- char *proc_status = joinpath(pid_path, "/status");
char *uid_check = (char *)malloc(2048);
char *line = (char *)malloc(2048);
- FILE *status = fopen(proc_status, "r");
+ int status_fd;
+ FILE *status;
pid_t uid = singularity_priv_getuid();
+ if ( ( status_fd = openat(proc_fd, "status", O_RDONLY) ) < 0 ) {
+ singularity_message(ERROR, "Failed to open proc status: %s\n", strerror(errno));
+ ABORT(255);
+ }
+
+ status = fdopen(status_fd, "r");
if ( status == NULL ) {
- singularity_message(ERROR, "Failed to open %s to check instance owner\n", proc_status);
+ singularity_message(ERROR, "Failed to open status to check instance owner\n");
ABORT(255);
}
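Review bot: `daemon_is_owner` now takes a directory fd instead of a path but gets no comment describing the new contract, and the reason for the change is the security-relevant part of this release: reading `status` through `openat(proc_fd, ...)` binds the ownership check to the same `/proc/<pid>` entry the caller later uses for the `ns` directory, whereas the old path-based `fopen` could resolve to a different process if the PID was recycled in between. A header comment such as `/* proc_fd: open fd for /proc/<pid>, owned and closed by the caller; status is read through it so the owner check and the later ns open refer to the same process entry. */` would record that. `status_fd` is left open when `fdopen` fails, though `ABORT(255)` ends the process anyway, and the two unchecked `malloc(2048)` calls are pre-existing. The return computation and `fclose` are outside this hunk.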
@@ -85,16 +91,15 @@
free(uid_check);
free(line);
- free(proc_status);
fclose(status);
return(retval);
}
void daemon_init_join(void) {
- char *ns_path, *ns_fd_str;
+ char *ns_fd_str;
char *pid_path;
- int lock_result, ns_fd;
+ int lock_result, proc_fd, ns_fd;
int *lock_fd = malloc(sizeof(int));
char *daemon_file = singularity_registry_get("DAEMON_FILE");
char *daemon_name = singularity_registry_get("DAEMON_NAME");
@@ -130,24 +135,27 @@
}
snprintf(pid_path, PATH_MAX-1, "/proc/%lu", pid); //Flawfinder: ignore
- if ( daemon_is_owner(pid_path) == 0 ) {
- singularity_message(ERROR, "Unable to join instance: you are not the owner\n");
+ if ( ( proc_fd = open(pid_path, O_RDONLY) ) < 0 ) {
+ singularity_message(ERROR, "Unable to open %s directory: %s\n", pid_path, strerror(errno));
ABORT(255);
}
- ns_path = joinpath(pid_path, "/ns");
+ if ( daemon_is_owner(proc_fd) == 0 ) {
+ singularity_message(ERROR, "Unable to join instance: you are not the owner\n");
+ ABORT(255);
+ }
free(pid_path);
/* Open FD to /proc/[PID]/ns directory to call openat() for ns files */
singularity_priv_escalate();
- if ( ( ns_fd = open(ns_path, O_RDONLY | O_CLOEXEC) ) == -1 ) {
+ if ( ( ns_fd = openat(proc_fd, "ns", O_RDONLY | O_CLOEXEC) ) < 0 ) {
singularity_message(ERROR, "Unable to open ns directory of PID in daemon file: %s\n", strerror(errno));
ABORT(255);
}
singularity_priv_drop();
- free(ns_path);
+ close(proc_fd);
ns_fd_str = int2str(ns_fd);
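Review bot: `open(pid_path, O_RDONLY)` opens the `/proc/<pid>` directory without `O_DIRECTORY` or `O_CLOEXEC`, while the `ns` open a few lines below passes `O_CLOEXEC`; `open(pid_path, O_RDONLY | O_DIRECTORY | O_CLOEXEC)` fails early if the path is not a directory and keeps the descriptor from surviving an exec. `close(proc_fd)` runs only on the success path; the two `ABORT(255)` branches leave it open, which is harmless only because ABORT terminates the process. `daemon_init_join` continues outside the hunk.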
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/singularity-2.6.0/src/util/sessiondir.c new/singularity-2.6.1/src/util/sessiondir.c
--- old/singularity-2.6.0/src/util/sessiondir.c 2018-08-04 03:00:49.000000000 +0200
+++ new/singularity-2.6.1/src/util/sessiondir.c 2018-12-11 15:24:13.000000000 +0100
@@ -60,6 +60,7 @@
if ( singularity_registry_get("DAEMON_JOIN") ) {
singularity_message(ERROR, "Internal Error - This function should not be called when joining an instance\n");
+ ABORT(255);
}
singularity_message(DEBUG, "Setting sessiondir\n");
++++++ zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch ++++++
From: Egbert Eich
Date: Mon Nov 19 14:35:23 2018 +0100
Subject: zypper install: Fix dbpath for newer versions of SUSE Linux
Patch-mainline: Not yet
Git-commit: 4c921f9889d1d072e8aecdeeb3bffe1557c0c619
References:
Signed-off-by: Egbert Eich
---
singularity-2.6.0/libexec/bootstrap-scripts/deffile-driver-zypper.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libexec/bootstrap-scripts/deffile-driver-zypper.sh b/libexec/bootstrap-scripts/deffile-driver-zypper.sh
index 5e0470c..1f8252d 100644
--- a/libexec/bootstrap-scripts/deffile-driver-zypper.sh
+++ b/libexec/bootstrap-scripts/deffile-driver-zypper.sh
@@ -66,7 +66,8 @@ if [ -z "${RPM_CMD:-}" ]; then
ABORT 1
fi
RPM_DBPATH=$(rpm --showrc | grep -E ":\s_dbpath\s" | cut -f2)
-if [ "$RPM_DBPATH" != '%{_var}/lib/rpm' ]; then
+if [ "$RPM_DBPATH" != '%{_var}/lib/rpm' \
+ -a "$RPM_DBPATH" != '%{_usr}/lib/sysimage/rpm' ]; then
message ERROR "RPM database is using a weird path: %s\n" "$RPM_DBPATH"
message WARNING "You are probably running this bootstrap on Debian or Ubuntu.\n"
message WARNING "There is a way to work around this problem:\n"
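Review bot: The new condition uses the obsolescent `-a` inside a single `[ ]`, which POSIX leaves unspecified beyond four arguments and some shells parse ambiguously; two separate tests, `if [ "$RPM_DBPATH" != '%{_var}/lib/rpm' ] && [ "$RPM_DBPATH" != '%{_usr}/lib/sysimage/rpm' ]; then`, are portable and read the same. The pre-existing `RPM_DBPATH=$(rpm --showrc | ... | cut -f2)` line leaves the variable empty when the grep matches nothing, so the "weird path" error would then print an empty value; a check for an empty result with its own message would make that case easier to diagnose.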