
runc: bump to newest version #3982

Merged
merged 2 commits into from
Feb 5, 2024

Conversation

christoph-zededa
Contributor

@christoph-zededa christoph-zededa commented Feb 2, 2024

This version includes a fix for CVE-2024-21626 which allowed an attacker in bad circumstances to
"escape containerized environments".

See also https://access.redhat.com/security/cve/cve-2024-21626

- What I did

Bumped runc version

- How I did it

Changed variable in Dockerfile

- How to verify it

  1. Remove in runc/Dockerfile everything from '#FROM scratch' (including itself)
  2. Run 'docker build -t runc . && docker run -it runc runc --version'
  3. Check that the version is 1.1.12

- Description for the changelog

Bumping runc to fix CVE-2024-21626

- A picture of a cute animal (not mandatory but encouraged)

https://en.wikipedia.org/wiki/Punxsutawney_Phil#/media/File:Punxsutawney_Phil_2018_(cropped).jpg
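The verification steps above end with a manual read of the version string. The script below is an added example (not part of this PR or of linuxkit's own scripts) that automates that last step: it parses the first line of `runc --version` output, which runc prints as "runc version X.Y.Z", and checks that the release is at or above 1.1.12, the release this PR bumps to for CVE-2024-21626. The two sample outputs embedded in it are constructed for the demonstration, not captured from a real build; the `commit:` value is a placeholder.

```sh
#!/bin/sh
# Added example, not linuxkit's or runc's own tooling: decide whether a
# `runc --version` output reports a release at or above 1.1.12.

# Extract "X.Y.Z" from the first "runc version ..." line. A suffix such as
# "-dev" after the numeric part is dropped.
runc_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^runc version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (return 0) if dotted version $1 >= $2, comparing up to three
# numeric components; missing components count as 0.
version_ge() {
    a="$1.0.0"
    b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Return 0 if the output shows a fixed release, 1 if it is older,
# 2 if no version line could be parsed at all.
runc_fixed_for_cve_2024_21626() {
    v=$(runc_version_from_output "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" 1.1.12
}

# Constructed sample outputs in the shape runc prints (not real captures).
SAMPLE_FIXED='runc version 1.1.12
commit: <commit-id-placeholder>
spec: 1.0.2-dev'
SAMPLE_VULN='runc version 1.1.11
commit: <commit-id-placeholder>
spec: 1.0.2-dev'

# Demonstration over the constructed samples.
for sample in "$SAMPLE_FIXED" "$SAMPLE_VULN"; do
    if runc_fixed_for_cve_2024_21626 "$sample"; then
        echo "fixed:    runc $(runc_version_from_output "$sample")"
    else
        echo "too old:  runc $(runc_version_from_output "$sample")"
    fi
done
```

To check an image built as in step 2, capture the real output and pass it in, for example `runc_fixed_for_cve_2024_21626 "$(docker run --rm runc runc --version)"`; the exit status is then usable directly in a CI job. The comparison is numeric per component rather than a string match, so a later 1.1.x or 1.2.x release also passes.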

@deitch
Collaborator

deitch commented Feb 4, 2024

@christoph-zededa this looks good. You need to update the downstream dependencies as well. CI will pick up on all of the changes and push them out, but you need to tell downstream to use the updated linuxkit/runc package.

I cannot find the docs on it now - no idea why - but all you need to do is run the update:

./scripts/update-component-sha.sh --pkg ./pkg/runc

That will calculate the tag for pkg/runc and then update any yml in any subdir. You will need to create a new commit for it.

Once that is in, CI will catch everything.

@christoph-zededa
Contributor Author

> @christoph-zededa this looks good. You need to update the downstream dependencies as well. CI will pick up on all of the changes and push them out, but you need to tell downstream to use the updated linuxkit/runc package.
>
> I cannot find the docs on it now - no idea why - but all you need to do is run the update:
>
> ./scripts/update-component-sha.sh --pkg ./pkg/runc
>
> That will calculate the tag for pkg/runc and then update any yml in any subdir. You will need to create a new commit for it.
>
> Once that is in, CI will catch everything.

Done that, but now I see it has appended "-dirty" to the tags.

This version includes a fix for CVE-2024-21626 which
allowed an attacker in bad circumstances to
"escape containerized environments".

See also https://access.redhat.com/security/cve/cve-2024-21626

Signed-off-by: Christoph Ostarek <christoph@zededa.com>

./scripts/update-component-sha.sh --pkg ./pkg/runc

Signed-off-by: Christoph Ostarek <christoph@zededa.com>
@christoph-zededa
Contributor Author

> @christoph-zededa this looks good. You need to update the downstream dependencies as well. CI will pick up on all of the changes and push them out, but you need to tell downstream to use the updated linuxkit/runc package.
>
> I cannot find the docs on it now - no idea why - but all you need to do is run the update:
>
> ./scripts/update-component-sha.sh --pkg ./pkg/runc
>
> That will calculate the tag for pkg/runc and then update any yml in any subdir. You will need to create a new commit for it.
>
> Once that is in, CI will catch everything.
>
> Done that, but now I see it has appended "-dirty" to the tags.

Resolved - seems the issue was that I had to rebase on latest master.

@deitch
Collaborator

deitch commented Feb 5, 2024

Likely there were uncommitted changes in pkg/runc/ (it does a tree hash), but if you got it, then all is good. Letting CI run.

@deitch
Collaborator

deitch commented Feb 5, 2024

Yeah, I pulled your branch down and ran update-component-sha.sh, and it generated no changes, which means it already got everything. Once CI is green (usually takes ~20 mins) we can merge it in.

@deitch deitch merged commit 657b338 into linuxkit:master Feb 5, 2024
22 checks passed