runc-docker: upgrade 1.1.4 -> 1.1.12

This upgrade fixes a few CVEs: - CVE-2023-27561 - CVE-2023-25809 - CVE-2023-28642 - CVE-2024-21626 and other bug fixes Changelog: ========== https://github.com/opencontainers/runc/blob/v1.1.12/CHANGELOG.md Adjusted existing patches to align with v1.1.12 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-01-20 02:25:39 +0000
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-01-30 18:56:02 +0000
commit: 76f2999987fa3ea30a823de3bd79d0cc0e0c287f (patch)
tree: e35de5235ccbb4544523a960e451a80b484a00b3
parent: eaf63bbd9453799193f112134425fac0a1b99896 (diff)
download: meta-virtualization-76f2999987fa3ea30a823de3bd79d0cc0e0c287f.tar.gz
4 files changed, 45 insertions, 35 deletions
diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
index 4d35e58e..79e63322 100644
--- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
+++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -1,7 +1,7 @@
 From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001
 From: Bruce Ashfield <bruce.ashfield@gmail.com>
 Date: Tue, 24 Aug 2021 11:38:23 -0400
-Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
+Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty 
 from static
 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
@@ -11,16 +11,20 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
 Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
-Index: git/src/import/Makefile
+diff --git a/Makefile b/Makefile
-===================================================================
+index e3af9bc1..f9d6de96 100644
--- git.orig/src/import/Makefile
+--- a/Makefile
-+++ git/src/import/Makefile
+++ b/Makefile
-@@ -20,7 +20,7 @@
+@@ -24,8 +24,7 @@ ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
-                endif
+                GO_BUILDMODE := "-buildmode=pie"
        endif
 endif
-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
+-       $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
 +GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-        -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+        -ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
- GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
+ 
-        -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+ GO_BUILDMODE_STATIC :=
+-- 
+2.40.0
diff --git a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
index bcf4c103..2a24df90 100644
--- a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
+++ b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
@@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
 utils_linux.go | 5 +++++
 1 file changed, 5 insertions(+)
-Index: git/src/import/utils_linux.go
+diff --git a/utils_linux.go b/utils_linux.go
-===================================================================
+index 60d534e8..ddcab62f 100644
--- git.orig/src/import/utils_linux.go
+--- a/utils_linux.go
-+++ git/src/import/utils_linux.go
+++ b/utils_linux.go
-@@ -267,6 +267,11 @@
+@@ -234,6 +234,11 @@ type runner struct {
 }
 
 func (r *runner) run(config *specs.Process) (int, error) {
@@ -28,3 +28,6 @@ Index: git/src/import/utils_linux.go
        var err error
        defer func() {
                if err != nil {
+-- 
+2.40.0
diff --git a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
index 4350c40f..1065f23e 100644
--- a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
+++ b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
@@ -25,15 +25,15 @@ is set.
 Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
 ---
- signals.go     | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++----
+ signals.go     | 56 ++++++++++++++++++++++++++++++++++++++++++++++----
 utils_linux.go |  2 +-
- 2 files changed, 51 insertions(+), 5 deletions(-)
+ 2 files changed, 53 insertions(+), 5 deletions(-)
-Index: git/src/import/signals.go
+diff --git a/signals.go b/signals.go
-===================================================================
+index 2555b765..1266ee66 100644
--- git.orig/src/import/signals.go
+--- a/signals.go
-+++ git/src/import/signals.go
+++ b/signals.go
-@@ -5,7 +5,9 @@
+@@ -3,7 +3,9 @@ package main
 import (
        "os"
        "os/signal"
@@ -43,7 +43,7 @@ Index: git/src/import/signals.go
        "github.com/opencontainers/runc/libcontainer"
        "github.com/opencontainers/runc/libcontainer/system"
        "github.com/opencontainers/runc/libcontainer/utils"
-@@ -55,9 +57,6 @@
+@@ -53,9 +55,6 @@ type signalHandler struct {
 func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach bool) (int, error) {
        // make sure we know the pid of our main process so that we can return
        // after it dies.
@@ -53,7 +53,7 @@ Index: git/src/import/signals.go
 
        pid1, err := process.Pid()
        if err != nil {
-@@ -67,12 +66,61 @@
+@@ -65,12 +64,61 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
        if h.notifySocket != nil {
                if detach {
                        _ = h.notifySocket.run(pid1)
@@ -116,11 +116,11 @@ Index: git/src/import/signals.go
        // Perform the initial tty resize. Always ignore errors resizing because
        // stdout might have disappeared (due to races with when SIGHUP is sent).
        _ = tty.resize()
-Index: git/src/import/utils_linux.go
+diff --git a/utils_linux.go b/utils_linux.go
-===================================================================
+index ddcab62f..280051ea 100644
--- git.orig/src/import/utils_linux.go
+--- a/utils_linux.go
-+++ git/src/import/utils_linux.go
+++ b/utils_linux.go
-@@ -345,7 +345,7 @@
+@@ -315,7 +315,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
        if err != nil {
                r.terminate(process)
        }
@@ -129,3 +129,6 @@ Index: git/src/import/utils_linux.go
                return 0, nil
        }
        if err == nil {
+-- 
+2.40.0
diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 97373a72..afecac67 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,13 +2,13 @@ include runc.inc
 # Note: this rev is before the required protocol field, update when all components
 #       have been updated to match.
-SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
+SRCREV_runc-docker = "a9833ff391a71b30069a6c3f816db113379a4346"
 SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
-           file://0001-runc-Add-console-socket-dev-null.patch \
+           file://0001-runc-Add-console-socket-dev-null.patch;patchdir=src/import \
-           file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
+           file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch;patchdir=src/import \
-           file://0001-runc-docker-SIGUSR1-daemonize.patch \
+           file://0001-runc-docker-SIGUSR1-daemonize.patch;patchdir=src/import \
          "
-RUNC_VERSION = "1.1.4"
+RUNC_VERSION = "1.1.12"
 CVE_PRODUCT = "runc"
author	Divya Chellam <divya.chellam@windriver.com>	2025-01-20 02:25:39 +0000
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-01-30 18:56:02 +0000
commit	76f2999987fa3ea30a823de3bd79d0cc0e0c287f (patch)
tree	e35de5235ccbb4544523a960e451a80b484a00b3
parent	eaf63bbd9453799193f112134425fac0a1b99896 (diff)
download	meta-virtualization-76f2999987fa3ea30a823de3bd79d0cc0e0c287f.tar.gz

diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch index 4d35e58e..79e63322 100644 --- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch +++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -1,7 +1,7 @@
1	From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001	1	From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001
2	From: Bruce Ashfield <bruce.ashfield@gmail.com>	2	From: Bruce Ashfield <bruce.ashfield@gmail.com>
3	Date: Tue, 24 Aug 2021 11:38:23 -0400	3	Date: Tue, 24 Aug 2021 11:38:23 -0400
4	Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty	4	Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
5	from static	5	from static
6		6
7	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>	7	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
@@ -11,16 +11,20 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
11	Makefile \| 3 +--	11	Makefile \| 3 +--
12	1 file changed, 1 insertion(+), 2 deletions(-)	12	1 file changed, 1 insertion(+), 2 deletions(-)
13		13
14	Index: git/src/import/Makefile	14	diff --git a/Makefile b/Makefile
15	===================================================================	15	index e3af9bc1..f9d6de96 100644
16	--- git.orig/src/import/Makefile	16	--- a/Makefile
17	+++ git/src/import/Makefile	17	+++ b/Makefile
18	@@ -20,7 +20,7 @@	18	@@ -24,8 +24,7 @@ ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
19	endif	19	GO_BUILDMODE := "-buildmode=pie"
20	endif	20	endif
21	endif	21	endif
22	-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \	22	-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
		23	- $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
23	+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \	24	+GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
24	-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"	25	-ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
25	GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \	26
26	-ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"	27	GO_BUILDMODE_STATIC :=
		28	--
		29	2.40.0
		30


diff --git a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch index bcf4c103..2a24df90 100644 --- a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch +++ b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
@@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
12	utils_linux.go \| 5 +++++	12	utils_linux.go \| 5 +++++
13	1 file changed, 5 insertions(+)	13	1 file changed, 5 insertions(+)
14		14
15	Index: git/src/import/utils_linux.go	15	diff --git a/utils_linux.go b/utils_linux.go
16	===================================================================	16	index 60d534e8..ddcab62f 100644
17	--- git.orig/src/import/utils_linux.go	17	--- a/utils_linux.go
18	+++ git/src/import/utils_linux.go	18	+++ b/utils_linux.go
19	@@ -267,6 +267,11 @@	19	@@ -234,6 +234,11 @@ type runner struct {
20	}	20	}
21		21
22	func (r runner) run(config specs.Process) (int, error) {	22	func (r runner) run(config specs.Process) (int, error) {
@@ -28,3 +28,6 @@ Index: git/src/import/utils_linux.go
28	var err error	28	var err error
29	defer func() {	29	defer func() {
30	if err != nil {	30	if err != nil {
		31	--
		32	2.40.0
		33


diff --git a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch index 4350c40f..1065f23e 100644 --- a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch +++ b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
@@ -25,15 +25,15 @@ is set.
25		25
26	Signed-off-by: Jason Wessel <jason.wessel@windriver.com>	26	Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
27	---	27	---
28	signals.go \| 54 ++++++++++++++++++++++++++++++++++++++++++++++++++----	28	signals.go \| 56 ++++++++++++++++++++++++++++++++++++++++++++++----
29	utils_linux.go \| 2 +-	29	utils_linux.go \| 2 +-
30	2 files changed, 51 insertions(+), 5 deletions(-)	30	2 files changed, 53 insertions(+), 5 deletions(-)
31		31
32	Index: git/src/import/signals.go	32	diff --git a/signals.go b/signals.go
33	===================================================================	33	index 2555b765..1266ee66 100644
34	--- git.orig/src/import/signals.go	34	--- a/signals.go
35	+++ git/src/import/signals.go	35	+++ b/signals.go
36	@@ -5,7 +5,9 @@	36	@@ -3,7 +3,9 @@ package main
37	import (	37	import (
38	"os"	38	"os"
39	"os/signal"	39	"os/signal"
@@ -43,7 +43,7 @@ Index: git/src/import/signals.go
43	"github.com/opencontainers/runc/libcontainer"	43	"github.com/opencontainers/runc/libcontainer"
44	"github.com/opencontainers/runc/libcontainer/system"	44	"github.com/opencontainers/runc/libcontainer/system"
45	"github.com/opencontainers/runc/libcontainer/utils"	45	"github.com/opencontainers/runc/libcontainer/utils"
46	@@ -55,9 +57,6 @@	46	@@ -53,9 +55,6 @@ type signalHandler struct {
47	func (h signalHandler) forward(process libcontainer.Process, tty *tty, detach bool) (int, error) {	47	func (h signalHandler) forward(process libcontainer.Process, tty *tty, detach bool) (int, error) {
48	// make sure we know the pid of our main process so that we can return	48	// make sure we know the pid of our main process so that we can return
49	// after it dies.	49	// after it dies.
@@ -53,7 +53,7 @@ Index: git/src/import/signals.go
53		53
54	pid1, err := process.Pid()	54	pid1, err := process.Pid()
55	if err != nil {	55	if err != nil {
56	@@ -67,12 +66,61 @@	56	@@ -65,12 +64,61 @@ func (h signalHandler) forward(process libcontainer.Process, tty *tty, detach
57	if h.notifySocket != nil {	57	if h.notifySocket != nil {
58	if detach {	58	if detach {
59	_ = h.notifySocket.run(pid1)	59	_ = h.notifySocket.run(pid1)
@@ -116,11 +116,11 @@ Index: git/src/import/signals.go
116	// Perform the initial tty resize. Always ignore errors resizing because	116	// Perform the initial tty resize. Always ignore errors resizing because
117	// stdout might have disappeared (due to races with when SIGHUP is sent).	117	// stdout might have disappeared (due to races with when SIGHUP is sent).
118	_ = tty.resize()	118	_ = tty.resize()
119	Index: git/src/import/utils_linux.go	119	diff --git a/utils_linux.go b/utils_linux.go
120	===================================================================	120	index ddcab62f..280051ea 100644
121	--- git.orig/src/import/utils_linux.go	121	--- a/utils_linux.go
122	+++ git/src/import/utils_linux.go	122	+++ b/utils_linux.go
123	@@ -345,7 +345,7 @@	123	@@ -315,7 +315,7 @@ func (r runner) run(config specs.Process) (int, error) {
124	if err != nil {	124	if err != nil {
125	r.terminate(process)	125	r.terminate(process)
126	}	126	}
@@ -129,3 +129,6 @@ Index: git/src/import/utils_linux.go
129	return 0, nil	129	return 0, nil
130	}	130	}
131	if err == nil {	131	if err == nil {
		132	--
		133	2.40.0
		134


diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb index 97373a72..afecac67 100644 --- a/recipes-containers/runc/runc-docker_git.bb +++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,13 +2,13 @@ include runc.inc
2		2
3	# Note: this rev is before the required protocol field, update when all components	3	# Note: this rev is before the required protocol field, update when all components
4	# have been updated to match.	4	# have been updated to match.
5	SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"	5	SRCREV_runc-docker = "a9833ff391a71b30069a6c3f816db113379a4346"
6	SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \	6	SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
7	file://0001-runc-Add-console-socket-dev-null.patch \	7	file://0001-runc-Add-console-socket-dev-null.patch;patchdir=src/import \
8	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \	8	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch;patchdir=src/import \
9	file://0001-runc-docker-SIGUSR1-daemonize.patch \	9	file://0001-runc-docker-SIGUSR1-daemonize.patch;patchdir=src/import \
10	"	10	"
11		11
12	RUNC_VERSION = "1.1.4"	12	RUNC_VERSION = "1.1.12"
13		13
14	CVE_PRODUCT = "runc"	14	CVE_PRODUCT = "runc"