Update to github.com/mtrmac/gpgme v0.1.2 #369

Open: mtrmac wants to merge 2 commits into base: docker-1.13.1-rhel

@mtrmac mtrmac commented Feb 20, 2020

- What I did

This fixes CVE-2020-8945 by incorporating proglottis/gpgme#23.

Other changes included by the rebase:

  • Support for gpgme_off_t (~no-op with the RHEL 7 GPGME 1.3.2)
  • Wrapping a few more GPGME functions (irrelevant if we don't call them)
  • Better error reporting in Context.GetKey

Given how invasive the CVE fix is (affecting basically all binding code), it seems safer to just update the package (and be verifiably equivalent with upstream) than to backport and try to back out the few other changes.

- How I did it

Performed by updating vendor.conf, and

$ mkdir -p _build/src/github.com/docker
$ ln -s $(pwd) _build/src/github.com/docker/docker
$ GOPATH=$(pwd)/_build:$GOPATH vndr github.com/mtrmac/gpgme

- How to verify it

I have only checked that it compiles, via

$ mkdir -p _build/src/github.com/docker
$ ln -s $(pwd) _build/src/github.com/docker/docker
$ GOPATH=$(pwd)/_build:$GOPATH IAMSTATIC=false DOCKER_DEBUG=1 hack/make.sh dynbinary

- Description for the changelog
Incorporated a fix for CVE-2020-8945.

This seems to be a mistaken commit of an intermediate build state
in the old times when vendoring was used via a GOPATH at vendor/src/...

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

This fixes CVE-2020-8945 by incorporating
proglottis/gpgme#23.

Other changes included by the rebase:
- Support for gpgme_off_t (~no-op with the RHEL 7 GPGME 1.3.2)
- Wrapping a few more GPGME functions (irrelevant if we don't call them)
- Better error reporting in Context.GetKey

Given how invasive the CVE fix is (affecting basically all binding
code), it seems safer to just update the package (and be verifiably
equivalent with upstream) than to backport and try to back out the few
other changes.

Performed by updating vendor.conf, and
$ mkdir -p _build/src/github.com/docker
$ ln -s $(pwd) _build/src/github.com/docker/docker
$ GOPATH=$(pwd)/_build:$GOPATH vndr github.com/mtrmac/gpgme

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

mtrmac commented Feb 20, 2020

(Warning: I didn’t test one bit whether the result works.)
