From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Divya.Chellam@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH 1/1] runc-docker: upgrade 1.1.4 -> 1.1.12
Date: Thu, 30 Jan 2025 18:56:20 +0000
Message-ID: <Z5vLVAx4FJPTNmZU@gmail.com>
In-Reply-To: <20250120022539.3172433-1-divya.chellam@windriver.com>

merged.

Bruce

In message: [meta-virtualization][kirkstone][PATCH 1/1] runc-docker: upgrade 1.1.4 -> 1.1.12
on 20/01/2025 dchellam via lists.yoctoproject.org wrote:

> From: Divya Chellam <divya.chellam@windriver.com>
>
> This upgrade fixes a few CVEs:
> - CVE-2023-27561
> - CVE-2023-25809
> - CVE-2023-28642
> - CVE-2024-21626 and other bug fixes
>
> Changelog:
> ==========
> https://github.com/opencontainers/runc/blob/v1.1.12/CHANGELOG.md
>
> Adjusted existing patches to align with v1.1.12
>
> Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
> ---
> ...-GOBUILDFLAGS-for-runc-and-remove-re.patch | 26 +++++++++-------
> ...001-runc-Add-console-socket-dev-null.patch | 13 +++++---
> .../0001-runc-docker-SIGUSR1-daemonize.patch | 31 ++++++++++---------
> recipes-containers/runc/runc-docker_git.bb | 10 +++---
> 4 files changed, 45 insertions(+), 35 deletions(-)
>
> diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
> index 4d35e58e..79e63322 100644
> --- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
> +++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
> @@ -1,7 +1,7 @@
> From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001
> From: Bruce Ashfield <bruce.ashfield@gmail.com>
> Date: Tue, 24 Aug 2021 11:38:23 -0400
> -Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
> +Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
> from static
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> @@ -11,16 +11,20 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
> Makefile | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> -Index: git/src/import/Makefile
> -===================================================================
> ---- git.orig/src/import/Makefile
> -+++ git/src/import/Makefile
> -@@ -20,7 +20,7 @@
> - endif
> +diff --git a/Makefile b/Makefile
> +index e3af9bc1..f9d6de96 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -24,8 +24,7 @@ ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
> + GO_BUILDMODE := "-buildmode=pie"
> endif
> endif
> --GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
> +-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
> +- $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
> +GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
> - -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
> - GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
> - -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
> + -ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
> +
> + GO_BUILDMODE_STATIC :=
> +--
> +2.40.0
> +
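Review bot: the refreshed hunk is now rooted at `a/Makefile` instead of `git/src/import/Makefile`, so it only applies when SRC_URI passes `patchdir=src/import`. This patch sits in the shared `recipes-containers/runc/files/` directory rather than under `runc-docker/`, so any other recipe that lists it in SRC_URI needs the same `patchdir` parameter or its do_patch will fail; please check those recipes, or state in the commit message that runc-docker is the only user.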
> diff --git a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
> index bcf4c103..2a24df90 100644
> --- a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
> +++ b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
> @@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
> utils_linux.go | 5 +++++
> 1 file changed, 5 insertions(+)
>
> -Index: git/src/import/utils_linux.go
> -===================================================================
> ---- git.orig/src/import/utils_linux.go
> -+++ git/src/import/utils_linux.go
> -@@ -267,6 +267,11 @@
> +diff --git a/utils_linux.go b/utils_linux.go
> +index 60d534e8..ddcab62f 100644
> +--- a/utils_linux.go
> ++++ b/utils_linux.go
> +@@ -234,6 +234,11 @@ type runner struct {
> }
>
> func (r *runner) run(config *specs.Process) (int, error) {
> @@ -28,3 +28,6 @@ Index: git/src/import/utils_linux.go
> var err error
> defer func() {
> if err != nil {
> +--
> +2.40.0
> +
> diff --git a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
> index 4350c40f..1065f23e 100644
> --- a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
> +++ b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
> @@ -25,15 +25,15 @@ is set.
>
> Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
> ---
> - signals.go | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++----
> + signals.go | 56 ++++++++++++++++++++++++++++++++++++++++++++++----
> utils_linux.go | 2 +-
> - 2 files changed, 51 insertions(+), 5 deletions(-)
> + 2 files changed, 53 insertions(+), 5 deletions(-)
>
> -Index: git/src/import/signals.go
> -===================================================================
> ---- git.orig/src/import/signals.go
> -+++ git/src/import/signals.go
> -@@ -5,7 +5,9 @@
> +diff --git a/signals.go b/signals.go
> +index 2555b765..1266ee66 100644
> +--- a/signals.go
> ++++ b/signals.go
> +@@ -3,7 +3,9 @@ package main
> import (
> "os"
> "os/signal"
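Review bot: the embedded diffstat for signals.go moves from 54 to 56 lines (51 to 53 insertions), yet the signals.go hunks touched by this refresh differ only in their `@@` headers and offsets. The commit message says only "Adjusted existing patches to align with v1.1.12"; please state whether this is a pure regeneration against the new tree or whether the carried SIGUSR1 logic changed, because a behavioural change in signal forwarding is hard to spot in a patch of a patch.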
> @@ -43,7 +43,7 @@ Index: git/src/import/signals.go
> "github.com/opencontainers/runc/libcontainer"
> "github.com/opencontainers/runc/libcontainer/system"
> "github.com/opencontainers/runc/libcontainer/utils"
> -@@ -55,9 +57,6 @@
> +@@ -53,9 +55,6 @@ type signalHandler struct {
> func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach bool) (int, error) {
> // make sure we know the pid of our main process so that we can return
> // after it dies.
> @@ -53,7 +53,7 @@ Index: git/src/import/signals.go
>
> pid1, err := process.Pid()
> if err != nil {
> -@@ -67,12 +66,61 @@
> +@@ -65,12 +64,61 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
> if h.notifySocket != nil {
> if detach {
> _ = h.notifySocket.run(pid1)
> @@ -116,11 +116,11 @@ Index: git/src/import/signals.go
> // Perform the initial tty resize. Always ignore errors resizing because
> // stdout might have disappeared (due to races with when SIGHUP is sent).
> _ = tty.resize()
> -Index: git/src/import/utils_linux.go
> -===================================================================
> ---- git.orig/src/import/utils_linux.go
> -+++ git/src/import/utils_linux.go
> -@@ -345,7 +345,7 @@
> +diff --git a/utils_linux.go b/utils_linux.go
> +index ddcab62f..280051ea 100644
> +--- a/utils_linux.go
> ++++ b/utils_linux.go
> +@@ -315,7 +315,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
> if err != nil {
> r.terminate(process)
> }
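Review bot: the utils_linux.go section here is generated against blob `ddcab62f`, which is the result blob of 0001-runc-Add-console-socket-dev-null.patch (`index 60d534e8..ddcab62f`), so this patch was produced on top of that one. The SRC_URI order in the recipe keeps console-socket ahead of SIGUSR1-daemonize, but nothing documents the dependency; a one-line comment in the recipe next to SRC_URI would stop a later reorder from turning into offset or fuzz surprises.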
> @@ -129,3 +129,6 @@ Index: git/src/import/utils_linux.go
> return 0, nil
> }
> if err == nil {
> +--
> +2.40.0
> +
> diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
> index 97373a72..afecac67 100644
> --- a/recipes-containers/runc/runc-docker_git.bb
> +++ b/recipes-containers/runc/runc-docker_git.bb
> @@ -2,13 +2,13 @@ include runc.inc
>
> # Note: this rev is before the required protocol field, update when all components
> # have been updated to match.
> -SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
> +SRCREV_runc-docker = "a9833ff391a71b30069a6c3f816db113379a4346"
> SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
> - file://0001-runc-Add-console-socket-dev-null.patch \
> - file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
> - file://0001-runc-docker-SIGUSR1-daemonize.patch \
> + file://0001-runc-Add-console-socket-dev-null.patch;patchdir=src/import \
> + file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch;patchdir=src/import \
> + file://0001-runc-docker-SIGUSR1-daemonize.patch;patchdir=src/import \
> "
>
> -RUNC_VERSION = "1.1.4"
> +RUNC_VERSION = "1.1.12"
>
> CVE_PRODUCT = "runc"
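Review bot: the comment above SRCREV ("this rev is before the required protocol field, update when all components have been updated to match") is carried over unchanged onto a new revision; confirm it still describes a9833ff391a71b30069a6c3f816db113379a4346 or drop it. RUNC_VERSION is also bumped by hand beside SRCREV, so it is worth confirming that hash is the v1.1.12 tag on release-1.1, since the CVE list in the commit message and any scan that matches CVE_PRODUCT = "runc" against this version rely on the two agreeing.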
> --
> 2.40.0
>
>