diff --git a/git-commit b/git-commit
index 6c731699e52707abbb4d394ac9d0ff4325067e03..0facadba6b73ffc26c9415a58900c325cd230522 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-8fc687c6fb64e110866466035e90c718d58f2c7f
+288b7252b0db60842f5d7e1b9716c84c98f4ea30
diff --git a/patch/0039-runc-fix-CVE-2024-3154.patch b/patch/0039-runc-fix-CVE-2024-3154.patch
index 648898fb5ce108908ab755a3c5a2aad1293857da..baabd2f027b25cdc07a0680bb0d46d550056ff6b 100644
--- a/patch/0039-runc-fix-CVE-2024-3154.patch
+++ b/patch/0039-runc-fix-CVE-2024-3154.patch
@@ -1,35 +1,20 @@
-From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
-From: Akihiro Suda
-Date: Sat, 9 Mar 2024 21:30:56 +0900
+From 3107921b5e32c860e476fe413dcd70174dd38401 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 23 May 2024 19:15:34 +0800
Subject: [PATCH] features: implement returning potentiallyUnsafeConfigAnnotations list
-See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
-
-Signed-off-by: Akihiro Suda
---
- docs/spec-conformance.md | 1 -
- features.go | 5 +++++
- 2 files changed, 5 insertions(+), 1 deletion(-)
+ features.go | 5 +++++
+ types/features/features.go | 6 ++++++
+ 2 files changed, 11 insertions(+)
-diff --git a/docs/spec-conformance.md b/docs/spec-conformance.md
-index 91c12aea8ac..b4f3b9df660 100644
---- a/docs/spec-conformance.md
-+++ b/docs/spec-conformance.md
-@@ -9,7 +9,6 @@ Spec version | Feature | PR
- -------------|------------------------------------------------|----------------------------------------------------------
- v1.1.0 | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | [#3862](https://github.com/opencontainers/runc/pull/3862)
- v1.1.0 | `.process.ioPriority` | [#3783](https://github.com/opencontainers/runc/pull/3783)
--v1.2.0 | Features: `potentiallyUnsafeConfigAnnotations` | TODO
- 
- ## Architectures
- 
diff --git a/features.go b/features.go
-index 81cd149ac73..eff04c1b2d2 100644
+index c9cd15c..7f76e7a 100644
--- a/features.go
+++ b/features.go
-@@ -64,6 +64,11 @@ var featuresCommand = cli.Command{
- },
+@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
+ Enabled: &tru,
},
},
+ PotentiallyUnsafeConfigAnnotations: []string{
@@ -40,3 +25,23 @@ index 81cd149ac73..eff04c1b2d2 100644
}
if seccomp.Enabled {
+diff --git a/types/features/features.go b/types/features/features.go
+index c6269ca..8b467f7 100644
+--- a/types/features/features.go
++++ b/types/features/features.go
+@@ -25,6 +25,12 @@ type Features struct {
+ // Annotations contains implementation-specific annotation strings,
+ // such as the implementation version, and third-party extensions.
+ Annotations map[string]string `json:"annotations,omitempty"`
++
++ // PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
++ // that may appear in `config.json`.
++ //
++ // A value that ends with "." is interpreted as a prefix of annotations.
++ PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
+ }
+
+ // Linux is specific to Linux.
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index cde7f44a1584321ba06c133dfe2ec72d9b6684dd..479666f4dc2ac186b00efc9d400090dc72e40b87 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@ Name: runc
Version: 1.1.8
-Release: 15
+Release: 16
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0
@@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc
%changelog
+* Thu May 23 2024 zhongjiawei - 1.1.8-16
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix apply failed for patch of fix CVE-2024-3154
+
* Thu May 09 2024 zhaosai - 1.1.8-15
- Type:cves
- CVE:CVE-2024-3154
diff --git a/series.conf b/series.conf
index 6674de184ace94827ae2f39d4c80b02485204524..681bf5b7d047733d03a0c4b3a448e78259964679 100644
--- a/series.conf
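Review bot: The rewritten patch header loses the provenance of the fix: the `From eefc6ae2544a6819da9f92c5aa8e65d356da4c96` line, the runtime-spec reference link and the original `Signed-off-by: Akihiro Suda` trailer are all removed and only the backporter's identity remains, so nothing in the shipped patch ties it back to the upstream change it carries. For a patch that is tracked as a CVE fix in the spec changelog this is what an auditor will want to verify, so keep the original author and Signed-off-by and record the adaptation explicitly, e.g. `(cherry picked from commit eefc6ae2544a6819da9f92c5aa8e65d356da4c96)` followed by a one-line `Conflict:` note that the field was added to `types/features/features.go` because this tree does not carry it. The dropped `docs/spec-conformance.md` nested diff is a reasonable omission for a backport, but it should be stated in the same note rather than disappearing silently. The nested features.go hunk that begins here continues into the next hunk of this file.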
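Review bot: The doc comment on the new field is missing its verb and so does not read as a Go doc sentence: `// PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations` should be `// PotentiallyUnsafeConfigAnnotations is the list of potentially unsafe annotations`, keeping the following `// that may appear in` line as is. The sentence about a trailing "." being interpreted as a prefix is the part consumers will rely on when matching annotation keys, so its wording should stay exactly as written. The new nested diff is inserted directly after the `if seccomp.Enabled {` trailing-context line of the preceding features.go hunk; given the changelog's stated purpose (a previous apply failure), it would be worth confirming with `git apply --check` that the trailing context of that hunk still matches its `@@ -64,6 +64,11 @@` counts. The `Features` struct this field is added to starts and ends outside the hunk.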
+++ b/series.conf
@@ -35,3 +35,4 @@ patch/0035-runc-Fix-undefined-behavior.patch
patch/0036-runc-increase-the-number-of-cgroup-deletion-retries.patch
patch/0037-runc-fix-CVE-2024-21626.patch
patch/0038-runc-check-cmd-exist.patch
+patch/0039-runc-fix-CVE-2024-3154.patch