Commit 43a49c74 authored by Héctor Orón Martínez

Merge branch 'merge-debian-master' into 'collabora/master'

Merge debian master

See merge request !4
parents ee18240a 3ece0dad
open-build-service (2.7.4-3) UNRELEASED; urgency=medium
open-build-service (2.7.4-3co1) stretch; urgency=medium
[ Andrew Lee (李健秋) ]
* Added forward ported reprepro support.
[ Sjoerd Simons ]
* Add patch to support crypted passwords
* Add patches to fix publishing
* Add patch to resolve issues with https DoD repositories
* Remove stray debug print from backend-Handle-ERROR_WANT_-READ-WRITE-
from-ssl-reads.patch
* Update patches
[ Héctor Orón Martínez ]
* obs-api: embed sanitize-4.0.0 to fix runtime issue
[ Andrew Lee (李健秋) ]
* debian/gbp.conf: adjust branch and tags.
* Ship our patches in a collabora subdir
-- Andrew Lee (李健秋) <andrew.lee@collabora.co.uk> Wed, 19 Sep 2018 13:11:02 +0800
open-build-service (2.7.4-3) unstable; urgency=medium
[ Héctor Orón Martínez ]
* Embed sanitize 4.0.0 ruby gem to fix breakeage.
- add obs-api runtime depends on ruby-nokogumbo and ruby-crass.
* worker: document enable switch
* worker: use /var/lib/obsworker as OBS_RUN_DIR
-- Héctor Orón Martínez <zumbi@debian.org> Tue, 06 Mar 2018 14:30:19 +0100
[ Andrew Lee (李健秋) ]
* debian/gbp.conf: adjust gbp configuration file.
* obs-worker: depends on fdisk | util-linux (<< 2.29.2-3~). (Closes:
#872093)
* CVE-2017-5188.patch: Apply upstream fixes for
CVE-2017-5188.(Closes:#900133)
* fix-kiwitree-symlink.patch: cherry-pick bad code fix from upstream.
* Handle links properly when doing backend build operations.
* Make passenger rubyapp runs as obsapi user.
* Update correct group permission for rb_sysopen.
-- Andrew Lee (李健秋) <andrew.lee@collabora.co.uk> Wed, 19 Sep 2018 13:07:48 +0800
open-build-service (2.7.4-2) unstable; urgency=medium
......
......@@ -121,6 +121,7 @@ Depends: apt-utils,
cpio,
curl,
debootstrap,
fdisk | util-linux (<< 2.29.2-3~),
libcompress-raw-zlib-perl,
libtimedate-perl,
libxml-parser-perl,
......@@ -131,7 +132,6 @@ Depends: apt-utils,
psmisc,
rpm,
screen,
util-linux (>= 2.16),
${misc:Depends},
${shlibs:Depends}
Description: Open Build Service (build host component)
......
......@@ -5,6 +5,7 @@ Listen 82
# Passenger defaults
PassengerSpawnMethod "smart"
PassengerMaxPoolSize 20
PassengerDefaultUser obsapi
#RailsEnv "development"
# allow long request urls and being part of headers
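Review bot: `PassengerDefaultUser obsapi` is only a fallback, so on its own it does not pin the application to the obsapi account. With Passenger's user switching enabled (the default), the app runs as the owner of its startup file, and the default user is used only when that owner is root or cannot be resolved. This works as long as the packaged files stay root-owned. To make the intent explicit, set `PassengerUser obsapi` (and `PassengerGroup obsapi`) for this site instead of relying on the fallback.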
......
#!/bin/sh -e
# Add obsapi user and group to run the passenger RubyApp
if ! getent group obsapi > /dev/null; then
addgroup --system --quiet obsapi
fi
if ! getent passwd obsapi > /dev/null; then
adduser --system --quiet \
--ingroup obsapi --shell /bin/false \
--no-create-home --home /nonexistent obsapi
usermod -c "User for build service api/webui" obsapi
fi
# Place api and repo url on index page
if [ ! -f /usr/share/obs/overview/index.html ] ; then
FQHOSTNAME=`hostname -f`
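Review bot: the separate `usermod -c "User for build service api/webui" obsapi` call after `adduser` is unnecessary, since the comment can be passed to `adduser` directly with `--gecos`. Doing it in one call keeps account creation atomic under `sh -e`. As written, a failure in `usermod` aborts the postinst after the account exists, and a rerun then skips the whole block because `getent passwd obsapi` succeeds.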
......@@ -13,13 +24,19 @@ fi
if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
rm -f /usr/share/obs/api/config/secret.key
fi
SECRET_KEY="/etc/obs/api/config/secret.key"
if [ ! -e "$SECRET_KEY" ]; then
( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
touch $SECRET_KEY
chmod 0640 $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
fi
else
# cope with upgrades here to ensure that obsapi user own the key.
chmod 0640 $SECRET_KEY
chown nobody:www-data $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
fi
# Generate log files
touch /var/log/obs/access.log
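Review bot: the key generation line no longer runs under `umask 0077`, so the key's confidentiality now depends on the preceding `touch` / `chmod 0640` / `chown` sequence. `touch $SECRET_KEY` creates the file under whatever umask the maintainer script inherits. Consider keeping the `( umask 0077; dd ... >"$SECRET_KEY" )` subshell and applying `chown`/`chmod` afterwards, so the file is never wider than intended. `$SECRET_KEY` should also be quoted on the `touch`, `chmod`, `chown` and `ln -s` lines. Separately, `obsapi:www-data` with mode 0640 leaves the key readable by everything in the www-data group. If the Passenger app running as obsapi is the only consumer, `obsapi:obsapi` with 0600 would be tighter.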
......
......@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
# Disable the obs site if not already disabled
a2dissite obs.conf > /dev/null || true
fi
# Delete obsapi user and group
deluser --system --quiet obsapi || true
delgroup --system --quiet obsapi || true
# Restart Apache to really unload obs.conf
reload_apache restart
fi
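Review bot: removing the obsapi account on purge (`deluser --system --quiet obsapi || true`) can leave files behind that are still owned by that UID, for example the secret key that the postinst chowns to `obsapi:www-data`. A system account created later may then be assigned the same UID and inherit them. Either remove or re-own those files before the `deluser` call, or leave the system account in place on purge. The `|| true` also hides the case where `deluser` is unavailable because adduser has already been removed, so a short comment stating that this is intentional would help.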
......
Author: Michael Schroeder <mls@suse.de>
Date: Mon Mar 20 10:28:41 2017 +0100
[backend] ignore symlinks in build result
[backend] only allow plain files in cpio_sender
No devices, sockets, directories, symlinks please...
Origin: upstream, https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661, https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Bug: https://bugzilla.suse.com/show_bug.cgi?id=1029824
Bug-Debian: https://bugs.debian.org/900133
--- a/src/backend/bs_worker
+++ b/src/backend/bs_worker
@@ -3394,7 +3394,7 @@ if ($ex == 0) {
undef $kiwitree unless @$kiwitree;
undef $kiwitree if defined($BSConfig::nokiwitree) && $BSConfig::nokiwitree;
}
- @files = grep {-f "$buildroot/.build.packages/$d/$_"} @files;
+ @files = grep {! -l "$buildroot/.build.packages/$d/$_" && -f _} @files;
push @send, map {"$buildroot/.build.packages/$d/$_"} @files;
}
@send = map {{name => (split('/', $_))[-1], filename => $_}} @send;
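Review bot: the new filter `! -l ... && -f _` drops symlinks from `@files` silently, so a build that produces one leaves no trace in the worker log of why an expected artifact is missing. A warning naming the skipped entries would make this diagnosable. Also add a short comment that `-f _` reuses the lstat buffer filled by `-l`, since the check depends on that ordering and a later reorder would reintroduce the symlink-following `-f`.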
--- a/src/backend/BSHTTP.pm
+++ b/src/backend/BSHTTP.pm
@@ -357,13 +357,24 @@ sub cpio_sender {
my $filename = $file->{'filename'};
if (ref($filename)) {
*F = $filename;
- } elsif (!open(F, '<', $filename)) {
- $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
- next;
+ } else {
+ @s = lstat($filename);
+ if (!@s) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
+ next;
+ }
+ if (-l _ || ! -f _) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: not a plain file\n";
+ next;
+ }
+ if (!open(F, '<', $filename)) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
+ next;
+ }
}
@s = stat(F);
if (!@s) {
- $errors->{'data'} .= "$file->{'name'}: stat: $!\n";
+ $errors->{'data'} .= "$file->{'name'}: fstat: $!\n";
close F unless ref $filename;
next;
}
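Review bot: there is a check-then-open gap between `lstat($filename)` and `open(F, '<', $filename)` in the new else branch. The path is resolved twice, so a file replaced by a symlink after the `-l _ || ! -f _` test is still opened and sent. The existing `@s = stat(F)` on the open handle is the place to close this: keep the lstat result in its own variable and reject the file unless the handle is still a plain file with the same device and inode. The same handle check would also cover the `ref($filename)` branch, where a caller-supplied handle currently bypasses the plain-file test entirely.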