File _patchinfo of Package patchinfo.37801
<patchinfo incident="37801">
<issue id="2024-22038" tracker="cve" />
<issue tracker="bnc" id="1217269">/usr/lib/build/createzyppdeps from package build fails to process tumbleweed repositories</issue>
<issue tracker="bnc" id="1230469">VUL-0: CVE-2024-22038: obs-scm-bridge: DoS attacks, information leaks etc. with crafted Git repositories</issue>
<packager>adrianSuSE</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for build</summary>
<description>This update for build fixes the following issues:
- CVE-2024-22038: Fixed DoS attacks and information leaks with crafted Git repositories (bnc#1230469)
Other fixes:
- Fixed behaviour when using "--shell" aka "osc shell" option
in a VM build. Startup is faster and permissions stay intact
now.
- fixes for POSIX compatibility for obs-docker-support and
mkbaselibs
- Add support for apk in docker/podman builds
- Add support for 'wget' in Docker images
- Fix debian support for Dockerfile builds
- Fix preinstallimages in containers
- mkosi: add back system-packages used by build-recipe directly
- pbuild: parse the Release files for debian repos
- mkosi: drop most systemd/build-packages deps and use obs_scm
directory as source if present
- improve source copy handling
- Introduce --repos-directory and --containers-directory options
- productcompose: support of building against a baseiso
- preinstallimage: avoid inclusion of build script generated files
- preserve timestamps on sources copy-in for kiwi and productcompose
- alpine package support updates
- tumbleweed config update
- debian: Support installation of foreign architecture packages
(required for armv7l setups)
- Parse unknown timezones as UTC
- Apk (Alpine Linux) format support added
- Implement default value in parameter expansion
- Also support supplements that use & as "and"
- Add workaround for skopeo's argument parser
- add cap-htm=off on power9
- Fixed usage of chown calls
- Remove leading `go` from `purl` locators
- container related:
* Implement support for the new <containers> element in kiwi recipes
* Fixes for SBOM and dependencies of multi stage container builds
* obs-docker-support: enable dnf and yum substitutions
- Arch Linux:
* fix file path for Arch repo
* exclude unsupported arch
* Use root as download user
- build-vm-qemu: force sv48 satp mode on riscv64
- mkosi:
* Create .sha256 files after mkosi builds
* Always pass --image-version to mkosi
- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,
obs work detection, documentation, SBOM)
- Support slsa v1 in unpack_slsa_provenance
- generate_sbom: do not clobber spdx supplier
- Harden export_debian_orig_from_git (bsc#1230469)
- SBOM generation:
- Adding golang introspection support
- Adding rust binary introspection support
- Keep track of unknown licenses and add a "hasExtractedLicensingInfos"
section
- Also normalize licenses for cyclonedx
- Make generate_sbom errors fatal
- general improvements
- Fix noprep building not working because the builddir is removed
- kiwi image: also detect a debian build if /var/lib/dpkg/status is present
- Do not use the Encode module to convert a code point to utf8
- Fix personality syscall number for riscv
- add more required recommendations for KVM builds
- set PACKAGER field in build-recipe-arch
- fix writing _modulemd.yaml
- pbuild: support --release and --baselibs option
- container:
- copy base container information from the annotation into the
containerinfo
- track base containers over multiple stages
- always put the base container last in the dependencies
- providing fileprovides in createdirdeps tool
- Introduce buildflag nochecks
- productcompose: support __all__ option
- config update: tumbleweed using preinstallexpand
- minor improvements
- tumbleweed build config update
- support the %load macro
- improve container filename generation (docker)
- fix hanging curl calls during build (docker)
- productcompose: fix milestone query
- tumbleweed build config update
- 15.6 build config fixes
- sourcerpm & sourcedep handling fixes
- productcompose:
- Fix milestone handling
- Support bcntsynctag
- Adding debian support to generate_sbom
- Add syscall for personality switch on loongarch64 kernel
- vm-build: ext3 & ext4: fix disk space allocation
- mkosi format updates, not fully working yet
- pbuild exception fixes
- Fixes for current fedora and centos distros
- Don't copy original dsc sources if OBS-DCH-RELEASE set
- Unbreak parsing of sources/patches
- Support ForceMultiVersion in the dockerfile parser
- Support %bcond of rpm 4.17.1
- Add a hack for systemd 255.3, creating an empty /etc/os-release
if missing after preinstall.
- docker: Fix HEAD request in dummyhttpserver
- pbuild: Make docker-nobasepackages expand flag the default
- rpm: Support a couple of builtin rpm macros
- rpm: Implement argument expansion for define/with/bcond...
- Fix multiline macro handling
- Accept -N parameter of %autosetup
- documentation updates
- various code cleanup and speedup work.
- ProductCompose: multiple improvements
- Add buildflags:define_specfile support
- Fix copy-in of git subdirectory sources
- pbuild: Speed up XML parsing
- pbuild: product compose support
- generate_sbom: add help option
- podman: enforce runtime=runc
- Implement direct conflicts from the distro config
- changelog2spec: fix time zone handling
- Do not unmount /proc/sys/fs/binfmt_misc before running the check scripts
- spec file cleanup
- documentation updates
- productcompose:
- support schema 0.1
- support milestones
- Leap 15.6 config
- SLE 15 SP6 config
- productcompose: follow incompatible flavor syntax change
- pbuild: support for zstd
- fixed handling for cmdline parameters via kernel packages
- productcompose:
* BREAKING: support new schema
* adapt flavor architecture parsing
- productcompose:
* support filtered package lists
* support default architecture listing
* fix copy in binaries in VM builds
- obsproduct build type got renamed to productcompose
- Support zstd compressed rpm-md meta data (bsc#1217269)
- Added Debian 12 configuration
- First ObsProduct build format support
- fix SLE 15 SP5 build configuration
- Improve user agent handling for obs repositories
- Docker:
- Support flavor specific build descriptions via Dockerfile.$flavor
- support "PlusRecommended" hint to also provide recommended packages
- use the name/version as filename if both are known
- Produce docker format containers by default
- pbuild: Support for signature authentication of OBS resources
- Fix wiping build root for --vm-type podman
- Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv
- build-vm-kvm: use -cpu host on riscv64
- small fixes and cleanups
- Added parser for BcntSyncTag in sources
- pbuild:
* fix dependency expansion for build types other than spec
* Reworked cycle handling code
* add --extra-packs option
* add debugflags option
- Pass-through --buildtool-opt
- Parse Patch and Source lines more accurately
- fix tunefs functionality
- minor bugfixes
- --vm-type=podman added (supports also root-less builds)
- Also support build constraints in the Dockerfile
- minor fixes
- Add SUSE ALP build config
- BREAKING: Record errors when parsing the project config;
former behaviour was undefined
- container: Support compression format configuration option
- Don't setup ccache with --no-init
- improved loongarch64 support
- sbom: SPDX supplier tag added
- kiwi: support different versions per profile
- preinstallimage: fail when recompression fails
- Add support for recommends and supplements dependencies
- Support the "keepfilerequires" expand flag
- add '--buildtool-opt=OPTIONS' to pass options to the used build tool
- distro config updates
* ArchLinux
* Tumbleweed
- documentation updates
- openSUSE Tumbleweed: sync config and move to suse_version 1699.
- universal post-build hook, just place a file in /usr/lib/build/post_build.d/
- mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)
- KiwiProduct: add --use-newest-package hint if the option is set
- Dockerfile support:
* export multibuild flavor as argument
* allow parameters in FROM .. scratch lines
* include OS name in build result if != linux
- Workaround directory->symlink usrmerge problems for cross arch sysroot
- multiple fixes for SBOM support
- KIWI VM image SBOM support added
</description>
</patchinfo>