Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Ohai,

we would like to fix two bugs in LXC in stable:

#838517 lxc-alpine template broken
  simple one-line patch to tell OpenSSL which hashing algo to use

#838957 read-only bind mounts are in fact read/write
  another quite short patch to trigger remounting bind mounts as RO

Full debdiff attached.

Thanks in advance
Evgeni

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index 3902cc0..a025ddc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +lxc (1:1.0.6-6+deb8u4) jessie; urgency=medium + + * fix Alpine Linux container creation + (Closes: #838517) + * remount bind mounts if read-only flag is provided + (Closes: #838957) + + -- Evgeni Golov <evg...@debian.org> Sat, 12 Nov 2016 21:14:50 +0100 + lxc (1:1.0.6-6+deb8u3) jessie; urgency=medium * 0023-lxc-debian-make-sure-init-is-installed.patch: make sure stretch/sid diff --git a/debian/patches/0024-lxc-alpine-fix-verification-of-apk.static-binary.patch b/debian/patches/0024-lxc-alpine-fix-verification-of-apk.static-binary.patch new file mode 100644 index 0000000..9f58bbf --- /dev/null +++ b/debian/patches/0024-lxc-alpine-fix-verification-of-apk.static-binary.patch @@ -0,0 +1,32 @@ +From e00f9e4e7ab5a76cfd4068e09579f9f471666a90 Mon Sep 17 00:00:00 2001 +From: Natanael Copa <nc...@alpinelinux.org> +Date: Mon, 3 Aug 2015 13:40:25 +0200 +Subject: [PATCH] lxc-alpine: fix verification of apk.static binary +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We need specify which hashing algorithm was used to create the signature +we check. + +Fixes #609 + +Signed-off-by: Natanael Copa <nc...@alpinelinux.org> +Acked-by: Stéphane Graber <stgra...@ubuntu.com> +--- + templates/lxc-alpine.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in +index 963c42a..6dcc51b 100644 +--- a/templates/lxc-alpine.in ++++ b/templates/lxc-alpine.in +@@ -83,7 +83,7 @@ get_static_apk () { + + # verify the static apk binary signature + APK=$rootfs/sbin/apk.static +- openssl dgst -verify $rootfs/etc/apk/keys/$keyname \ ++ openssl dgst -sha1 -verify $rootfs/etc/apk/keys/$keyname \ + -signature "$APK.SIGN.RSA.$keyname" "$APK" || return 1 + + if [ "$auto_repo_dir" ]; then 
diff --git a/debian/patches/0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch b/debian/patches/0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch new file mode 100644 index 0000000..b90d2ab --- /dev/null +++ b/debian/patches/0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch 
@@ -0,0 +1,43 @@ +From 3fb22c29dcb647826aacd227efa506b17f50fcac Mon Sep 17 00:00:00 2001 +From: Abin Shahab <asha...@altiscale.com> +Date: Wed, 12 Nov 2014 00:06:52 +0000 +Subject: [PATCH] Remounts bind mounts if read-only flag is provided + +Bind mounts do not honor filesystem mount options. This change will +remount filesystems that are bind mounted if there are changes to +filesystem mount options, specifically if the mount is readonly. + +Signed-off-by: Abin Shahab <asha...@altiscale.com> +Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com> +--- + src/lxc/conf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 2a4d5c5..cb30d56 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2054,10 +2054,12 @@ static int mount_entry(const char *fsname, const char *target, + if ((mountflags & MS_REMOUNT) || (mountflags & MS_BIND)) { + DEBUG("remounting %s on %s to respect bind or remount options", + fsname ? fsname : "(none)", target ? target : "(none)"); +- ++ unsigned long rqd_flags = 0; ++ if (mountflags & MS_RDONLY) ++ rqd_flags |= MS_RDONLY; + #ifdef HAVE_STATVFS + if (statvfs(fsname, &sb) == 0) { +- unsigned long required_flags = 0; ++ unsigned long required_flags = rqd_flags; + if (sb.f_flag & MS_NOSUID) + required_flags |= MS_NOSUID; + if (sb.f_flag & MS_NODEV) +@@ -2073,7 +2075,7 @@ static int mount_entry(const char *fsname, const char *target, + * mountflags, then skip the remount + */ + if (!(mountflags & MS_REMOUNT)) { +- if (!(required_flags & ~mountflags)) { ++ if (!(required_flags & ~mountflags) && rqd_flags == 0) { + DEBUG("mountflags already was %lu, skipping remount", + mountflags); + goto skipremount; diff --git a/debian/patches/series b/debian/patches/series index 11f5062..f0fbe86 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -21,3 +21,5 @@ 0021-CVE-2015-1335-2.patch 0022-CVE-2015-1335-3.patch 0023-lxc-debian-make-sure-init-is-installed.patch +0024-lxc-alpine-fix-verification-of-apk.static-binary.patch +0025-Remounts-bind-mounts-if-read-only-flag-is-provided.patch
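
Review bot: In the new debian/changelog entry, the two bullets do not name the patch files they add, unlike the 1:1.0.6-6+deb8u3 entry directly below, which leads with `0023-lxc-debian-make-sure-init-is-installed.patch:`. Prefix each bullet with its patch name (0024-... and 0025-...) so the entry can be matched against debian/patches/series, and consider stating for #838957 that read-only bind mounts were previously left read/write, since that is the effect an administrator needs to know about.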
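
Review bot: On the changed `openssl dgst -sha1 -verify` line in get_static_apk() (templates/lxc-alpine.in), the key path `$rootfs/etc/apk/keys/$keyname` is left unquoted while the `-signature` and file arguments on the next line are quoted, so a rootfs path containing whitespace would be split into several arguments in the signature check. Quote it as `"$rootfs/etc/apk/keys/$keyname"`, and add a short comment that `-sha1` is the digest the apk.static signature was created with, so the hard-coded algorithm is not mistaken for a free choice later.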
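
Review bot: In the first src/lxc/conf.c hunk of mount_entry(), `rqd_flags` is declared in the middle of the block, right after the DEBUG() call, and its name is just an abbreviation of the `required_flags` variable it seeds, which makes the two easy to confuse. It is also declared outside `#ifdef HAVE_STATVFS`, while both places that read it in this patch are in the scope of `required_flags`, which is declared inside the statvfs() branch; as far as these hunks show, a build without HAVE_STATVFS sets it and never reads it. Move the declaration to the top of the block, give it a name that says what it holds (the MS_RDONLY request from the mount entry), and confirm what happens to a read-only bind mount on the non-statvfs path.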
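
Review bot: In the second src/lxc/conf.c hunk, the comment ending "mountflags, then skip the remount" no longer matches the condition below it: with `&& rqd_flags == 0` the remount is never skipped when the entry asks for MS_RDONLY, even if every required flag is already in mountflags. Update the comment to say so, and consider writing the test as `!(mountflags & MS_RDONLY)`, which is what `rqd_flags == 0` amounts to given the first hunk and reads more directly. Since the failure being fixed is a bind mount that is requested read-only but stays writable, a regression test that bind-mounts with ro and checks that a write is refused would be worth adding alongside.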