Fix plugin builds with sources using type=git
A recent change to git [1] introduced a new behaviour to work around a CVE [2] that disallows any git operations in directories not owned by the current user. A fix was introduced for general checkouts, but it was not applied to the plugins archive, resulting in PBR still not working as intended. Fixed conflict added in I093620679016b37e1664c9fe4cf7559433e744b7. [1]8959555cee
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765. Closes-Bug: #1969096 Related-Bug: #1968877 Co-Authored-By: Mark Goddard <mark@stackhpc.com> Co-Authored-By: Marcin Juszkiewicz <marcin.juszkiewicz+kolla@linaro.org> Signed-off-by: Jakub Neumann <jneumann@cloudferro.com> Change-Id: Ib3a37eebb29d975fc51a117cecdff74baafd8941 (cherry picked from commit6be0068f37
)
This commit is contained in:
parent
b7c886ae08
commit
6ba7df3618
@ -498,8 +498,18 @@ class BuildTask(DockerTask):
|
||||
image.status = Status.CONNECTION_ERROR
|
||||
raise ArchivingError
|
||||
arc_path = os.path.join(image.path, '%s-archive' % arcname)
|
||||
|
||||
# NOTE(jneumann): Change ownership of files to root:root. This
|
||||
# avoids an issue introduced by the fix for git CVE-2022-24765,
|
||||
# which breaks PBR when the source checkout is not owned by the
|
||||
# user installing it. LP#1969096
|
||||
def reset_userinfo(tarinfo):
|
||||
tarinfo.uid = tarinfo.gid = 0
|
||||
tarinfo.uname = tarinfo.gname = "root"
|
||||
return tarinfo
|
||||
|
||||
with tarfile.open(arc_path, 'w') as tar:
|
||||
tar.add(items_path, arcname=arcname)
|
||||
tar.add(items_path, arcname=arcname, filter=reset_userinfo)
|
||||
return len(os.listdir(items_path))
|
||||
|
||||
self.logger.debug('Processing')
|
||||
|
Loading…
Reference in New Issue
Block a user