From 6ba7df36182e709f154e8ec7a482464d054e99f6 Mon Sep 17 00:00:00 2001
From: Jakub Neumann
Date: Thu, 24 Nov 2022 10:29:47 +0100
Subject: [PATCH] Fix plugin builds with sources using type=git

A recent change to git [1] introduced a new behaviour to work around a CVE [2] that disallows any git operations in directories not owned by the current user. A fix was introduced for general checkouts, but it was not applied to the plugins archive, resulting in PBR still not working as intended.

Fixed conflict added in I093620679016b37e1664c9fe4cf7559433e744b7.

[1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

Closes-Bug: #1969096
Related-Bug: #1968877
Co-Authored-By: Mark Goddard
Co-Authored-By: Marcin Juszkiewicz
Signed-off-by: Jakub Neumann
Change-Id: Ib3a37eebb29d975fc51a117cecdff74baafd8941
(cherry picked from commit 6be0068f376b0ae67bc81b50a97e042a88317d28)
---
 kolla/image/build.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/kolla/image/build.py b/kolla/image/build.py
index c0edd23ab6..b6f4a880ee 100755
--- a/kolla/image/build.py
+++ b/kolla/image/build.py
@@ -498,8 +498,18 @@ class BuildTask(DockerTask):
 image.status = Status.CONNECTION_ERROR
 raise ArchivingError
 arc_path = os.path.join(image.path, '%s-archive' % arcname)
+
+ # NOTE(jneumann): Change ownership of files to root:root. This
+ # avoids an issue introduced by the fix for git CVE-2022-24765,
+ # which breaks PBR when the source checkout is not owned by the
+ # user installing it. LP#1969096
+ def reset_userinfo(tarinfo):
+ tarinfo.uid = tarinfo.gid = 0
+ tarinfo.uname = tarinfo.gname = "root"
+ return tarinfo
+
 with tarfile.open(arc_path, 'w') as tar:
- tar.add(items_path, arcname=arcname)
+ tar.add(items_path, arcname=arcname, filter=reset_userinfo)
 return len(os.listdir(items_path))
 self.logger.debug('Processing')
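Review bot: The added `reset_userinfo` filter rewrites the owner of every archived entry to root:root but leaves `tarinfo.mode` untouched, so a setuid/setgid bit present in whatever sits under `items_path` now lands on a root-owned file wherever the archive is later extracted as root, whereas before the patch it was attached to the unprivileged build uid. Git checkouts do not carry those bits, but the same `tar.add` call presumably archives the other source types as well, and masking them next to the ownership change is a one-liner: `tarinfo.mode &= ~0o6000  # drop setuid/setgid now that the owner is root`. The nested function captures no closure state and could live at module level with a one-line docstring such as `"""Normalise archive entry ownership to root:root (see LP#1969096)."""`. The enclosing function starts outside the hunk.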