runc-docker: upgrade 1.1.4 -> 1.1.12
This upgrade fixes a few CVEs:
- CVE-2023-27561
- CVE-2023-25809
- CVE-2023-28642
- CVE-2024-21626
and other bug fixes

Changelog:
==========
https://github.com/opencontainers/runc/blob/v1.1.12/CHANGELOG.md

Adjusted existing patches to align with v1.1.12

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
parent
eaf63bbd94
commit
76f2999987
|
@ -1,7 +1,7 @@
|
|||
From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001
|
||||
From: Bruce Ashfield <bruce.ashfield@gmail.com>
|
||||
Date: Tue, 24 Aug 2021 11:38:23 -0400
|
||||
Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
|
||||
Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
|
||||
from static
|
||||
|
||||
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
||||
|
@ -11,16 +11,20 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|||
Makefile | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
Index: git/src/import/Makefile
|
||||
===================================================================
|
||||
--- git.orig/src/import/Makefile
|
||||
+++ git/src/import/Makefile
|
||||
@@ -20,7 +20,7 @@
|
||||
endif
|
||||
diff --git a/Makefile b/Makefile
|
||||
index e3af9bc1..f9d6de96 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -24,8 +24,7 @@ ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
|
||||
GO_BUILDMODE := "-buildmode=pie"
|
||||
endif
|
||||
endif
|
||||
-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
|
||||
-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
|
||||
- $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
|
||||
+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
|
||||
-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
|
||||
GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
|
||||
-ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
|
||||
-ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
|
||||
|
||||
GO_BUILDMODE_STATIC :=
|
||||
--
|
||||
2.40.0
|
||||
|
||||
|
|
|
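Review bot: The refreshed patch keeps the subject `Makefile: respect GOBUILDFLAGS for runc and remove recvtty from static`, but the only changed lines visible in its Makefile hunk rewrite `GO_BUILD`, and the diffstat reads 1 insertion and 2 deletions, so the "remove recvtty from static" half no longer seems to describe what is applied. I would shorten the subject to `Makefile: respect GOBUILDFLAGS for runc` so the patch header matches its content. Lines 8-10 of the patch header fall outside the displayed hunks, so whether an `Upstream-Status:` tag is present cannot be seen here; it is worth confirming, since this patch changes the flags the runtime binary is built with.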
@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|||
utils_linux.go | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
Index: git/src/import/utils_linux.go
|
||||
===================================================================
|
||||
--- git.orig/src/import/utils_linux.go
|
||||
+++ git/src/import/utils_linux.go
|
||||
@@ -267,6 +267,11 @@
|
||||
diff --git a/utils_linux.go b/utils_linux.go
|
||||
index 60d534e8..ddcab62f 100644
|
||||
--- a/utils_linux.go
|
||||
+++ b/utils_linux.go
|
||||
@@ -234,6 +234,11 @@ type runner struct {
|
||||
}
|
||||
|
||||
func (r *runner) run(config *specs.Process) (int, error) {
|
||||
|
@ -28,3 +28,6 @@ Index: git/src/import/utils_linux.go
|
|||
var err error
|
||||
defer func() {
|
||||
if err != nil {
|
||||
--
|
||||
2.40.0
|
||||
|
||||
|
|
|
@ -25,15 +25,15 @@ is set.
|
|||
|
||||
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
||||
---
|
||||
signals.go | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++----
|
||||
signals.go | 56 ++++++++++++++++++++++++++++++++++++++++++++++----
|
||||
utils_linux.go | 2 +-
|
||||
2 files changed, 51 insertions(+), 5 deletions(-)
|
||||
2 files changed, 53 insertions(+), 5 deletions(-)
|
||||
|
||||
Index: git/src/import/signals.go
|
||||
===================================================================
|
||||
--- git.orig/src/import/signals.go
|
||||
+++ git/src/import/signals.go
|
||||
@@ -5,7 +5,9 @@
|
||||
diff --git a/signals.go b/signals.go
|
||||
index 2555b765..1266ee66 100644
|
||||
--- a/signals.go
|
||||
+++ b/signals.go
|
||||
@@ -3,7 +3,9 @@ package main
|
||||
import (
|
||||
"os"
|
||||
"os/signal"
|
||||
|
@ -43,7 +43,7 @@ Index: git/src/import/signals.go
|
|||
"github.com/opencontainers/runc/libcontainer"
|
||||
"github.com/opencontainers/runc/libcontainer/system"
|
||||
"github.com/opencontainers/runc/libcontainer/utils"
|
||||
@@ -55,9 +57,6 @@
|
||||
@@ -53,9 +55,6 @@ type signalHandler struct {
|
||||
func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach bool) (int, error) {
|
||||
// make sure we know the pid of our main process so that we can return
|
||||
// after it dies.
|
||||
|
@ -53,7 +53,7 @@ Index: git/src/import/signals.go
|
|||
|
||||
pid1, err := process.Pid()
|
||||
if err != nil {
|
||||
@@ -67,12 +66,61 @@
|
||||
@@ -65,12 +64,61 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
|
||||
if h.notifySocket != nil {
|
||||
if detach {
|
||||
_ = h.notifySocket.run(pid1)
|
||||
|
@ -116,11 +116,11 @@ Index: git/src/import/signals.go
|
|||
// Perform the initial tty resize. Always ignore errors resizing because
|
||||
// stdout might have disappeared (due to races with when SIGHUP is sent).
|
||||
_ = tty.resize()
|
||||
Index: git/src/import/utils_linux.go
|
||||
===================================================================
|
||||
--- git.orig/src/import/utils_linux.go
|
||||
+++ git/src/import/utils_linux.go
|
||||
@@ -345,7 +345,7 @@
|
||||
diff --git a/utils_linux.go b/utils_linux.go
|
||||
index ddcab62f..280051ea 100644
|
||||
--- a/utils_linux.go
|
||||
+++ b/utils_linux.go
|
||||
@@ -315,7 +315,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
|
||||
if err != nil {
|
||||
r.terminate(process)
|
||||
}
|
||||
|
@ -129,3 +129,6 @@ Index: git/src/import/utils_linux.go
|
|||
return 0, nil
|
||||
}
|
||||
if err == nil {
|
||||
--
|
||||
2.40.0
|
||||
|
||||
|
|
|
@ -2,13 +2,13 @@ include runc.inc
|
|||
|
||||
# Note: this rev is before the required protocol field, update when all components
|
||||
# have been updated to match.
|
||||
SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
|
||||
SRCREV_runc-docker = "a9833ff391a71b30069a6c3f816db113379a4346"
|
||||
SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
|
||||
file://0001-runc-Add-console-socket-dev-null.patch \
|
||||
file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
|
||||
file://0001-runc-docker-SIGUSR1-daemonize.patch \
|
||||
file://0001-runc-Add-console-socket-dev-null.patch;patchdir=src/import \
|
||||
file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch;patchdir=src/import \
|
||||
file://0001-runc-docker-SIGUSR1-daemonize.patch;patchdir=src/import \
|
||||
"
|
||||
|
||||
RUNC_VERSION = "1.1.4"
|
||||
RUNC_VERSION = "1.1.12"
|
||||
|
||||
CVE_PRODUCT = "runc"
|
||||
|
|
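Review bot: The comment above `SRCREV_runc-docker` ("this rev is before the required protocol field, update when all components have been updated to match") is carried over unchanged and was presumably written for an earlier revision, so it should be dropped or rewritten for the new pin. Nothing visible in the recipe ties the new hash `a9833ff391a71b30069a6c3f816db113379a4346` to `RUNC_VERSION = "1.1.12"`. With `CVE_PRODUCT = "runc"` set, CVE scanning is likely keyed on that version string, so a mismatched hash would report the CVEs named in the commit message as fixed without the fixed code being built. Once the hash is confirmed against the upstream tag, I would replace the stale note with `# SRCREV is the v1.1.12 tag on branch release-1.1`.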