vendor: github.com/opencontainers/runc v1.1.14 #48425

Merged
vvoland merged 1 commit into moby:master from thaJeztah:vendor_runc_1.1.14
Sep 4, 2024

@thaJeztah
Member

diff: opencontainers/runc@v1.1.13...v1.1.14

Release Notes:

  • Fix CVE-2024-45310 / GHSA-jfvp-7x6p-h2pv, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.
  • Add support for Go 1.23.
  • Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
  • rootfs: consolidate mountpoint creation logic.

github.com/opencontainers/runc/libcontainer/cgroups
github.com/opencontainers/runc/libcontainer/configs
github.com/opencontainers/runc/libcontainer/devices
github.com/opencontainers/runc/libcontainer/system
Member Author

Unfortunately, this reintroduces libcontainer/system as a dependency, because we use the libcontainer/cgroups, which uses libcontainer/utils.CleanPath

```go
path := path.Join(dir, utils.CleanPath(file))
```

```go
func CleanPath(path string) string {
	// Deal with empty strings nicely.
	if path == "" {
		return ""
	}
	// Ensure that all paths are cleaned (especially problematic ones like
	// "/../../../../../" which can cause lots of issues).
	path = filepath.Clean(path)
	// If the path isn't absolute, we need to do more processing to fix paths
	// such as "../../../../<etc>/some/path". We also shouldn't convert absolute
	// paths to relative ones.
	if !filepath.IsAbs(path) {
		path = filepath.Clean(string(os.PathSeparator) + path)
		// This can't fail, as (by definition) all paths are relative to root.
		path, _ = filepath.Rel(string(os.PathSeparator), path)
	}
	// Clean the path again for good measure.
	return filepath.Clean(path)
}
```
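Added example (not part of the pull request or of runc's code): a local copy of the quoted `CleanPath` logic, run over constructed traversal inputs to show what the `path.Join(dir, CleanPath(file))` call site produces compared with a plain join. The names `cleanPath`, `joinUnder` and `staysUnder`, and the sample directory, are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// cleanPath is a local copy of the CleanPath logic quoted above, so the
// example runs without importing runc.
func cleanPath(p string) string {
	if p == "" {
		return ""
	}
	p = filepath.Clean(p)
	if !filepath.IsAbs(p) {
		// Anchor at the root so leading ".." components collapse away,
		// then turn the result back into a relative path.
		p = filepath.Clean(string(os.PathSeparator) + p)
		p, _ = filepath.Rel(string(os.PathSeparator), p)
	}
	return filepath.Clean(p)
}

// joinUnder mirrors the quoted call site: path.Join(dir, CleanPath(file)).
func joinUnder(dir, file string) string {
	return path.Join(dir, cleanPath(file))
}

// staysUnder reports whether joined is dir itself or lexically below it.
func staysUnder(dir, joined string) bool {
	return joined == dir || strings.HasPrefix(joined, dir+"/")
}

func main() {
	dir := "/sys/fs/cgroup/demo" // constructed sample directory
	// Constructed inputs: plain name, relative and absolute traversal.
	inputs := []string{"cpu.max", "../../../etc/passwd", "/../../etc/passwd", "a/../../b"}
	for _, f := range inputs {
		raw := path.Join(dir, f) // what a join without cleaning would yield
		safe := joinUnder(dir, f)
		fmt.Printf("%-22q raw=%-28s cleaned=%-32s contained=%v\n",
			f, raw, safe, staysUnder(dir, safe))
	}
}
```

The cleaning is purely lexical: it removes `..` components from the string but does not resolve symlinks, so it does not by itself guarantee that the resulting path stays under `dir` on a filesystem where intermediate components can be symlinks.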

@thaJeztah thaJeztah changed the title from "vendor: update runc binary to 1.1.14" to "vendor: github.com/opencontainers/runc v1.1.14" Sep 3, 2024
diff: opencontainers/runc@v1.1.13...v1.1.14

Release Notes:

- Fix CVE-2024-45310 / GHSA-jfvp-7x6p-h2pv, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.
- Add support for Go 1.23.
- Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
- rootfs: consolidate mountpoint creation logic.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@vvoland vvoland merged commit 0b9779f into moby:master Sep 4, 2024
@thaJeztah thaJeztah deleted the vendor_runc_1.1.14 branch September 4, 2024 09:26