- Add backport for CVE-2024-29018 fix. bsc#1234089

+ 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
- Add backport for CVE-2024-23650 fix. bsc#1219437
  - 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
  + 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
- Reorder and rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
  * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
  - 0010-TESTS-backport-fixes-for-integration-tests.patch
  + 0011-TESTS-backport-fixes-for-integration-tests.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=16

0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -1,7 +1,7 @@
 From a94378d92f7ef523b17aa399ce83b27f7986980f Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 01/13] SECRETS: daemon: allow directory creation in
+Subject: [PATCH 01/11] SECRETS: daemon: allow directory creation in
  /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
@@ -70,5 +70,5 @@ index 290ec59a34a7..b7013fb89c83 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.47.0
+2.47.1
 

0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,7 +1,7 @@
 From 009cad241857541779baa2a9fae8291597dc85f8 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 02/10] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 02/11] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.

0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch

@@ -1,7 +1,7 @@
-From 7824330a0012e6b1d9b00db40a7c58b42d6adbfd Mon Sep 17 00:00:00 2001
+From 3f1bda82f345cc919a70cf747cc8c6f094c9451a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
-Subject: [PATCH 03/13] BUILD: SLE12: revert "graphdriver/btrfs: use kernel
+Subject: [PATCH 03/11] BUILD: SLE12: revert "graphdriver/btrfs: use kernel
  UAPI headers"
 
 This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@@ -42,5 +42,5 @@ index d88efc4be2bb..4e976aa689cd 100644
  static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
      snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
 -- 
-2.47.0
+2.47.1
 

0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,7 +1,7 @@
-From 5deaa3fad88f7a6d8d5d342e23d3e2027571b9e2 Mon Sep 17 00:00:00 2001
+From ba4df1cb80fa7956c148230193037a2b112a40a5 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 04/13] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 04/11] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,
@@ -85,5 +85,5 @@ index 585d85086f8d..6e4c6ad1ac01 100644
  	}
  
 -- 
-2.47.0
+2.47.1
 

0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

@@ -1,7 +1,7 @@
-From 6e3d78c8d9f569ed7142994a802e2bce988b59bf Mon Sep 17 00:00:00 2001
+From 0ca28257e81eed36ff840bff822ff7add3e2efa2 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 11 Oct 2023 21:19:12 +1100
-Subject: [PATCH 05/13] SLE12: revert "apparmor: remove version-conditionals
+Subject: [PATCH 05/11] SLE12: revert "apparmor: remove version-conditionals
  from template"
 
 This reverts the following commits:
@@ -237,5 +237,5 @@ index 9f207e2014a8..626e5f6789a3 100644
  }
  `
 -- 
-2.47.0
+2.47.1
 

0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch

@@ -1,19 +1,21 @@
-From d3d04b94a209b056c30bec37ce9dd42f646ebd54 Mon Sep 17 00:00:00 2001
+From 5cf2e26f5a8b7fefc62db7a75e04939f8db1a742 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Tue, 13 Feb 2024 16:57:32 +0100
-Subject: [PATCH 06/13] CVE-2024-23653: update buildkit to include CVE patches
+Subject: [PATCH 06/11] CVE-2024-2365x: update buildkit to include CVE patches
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
-- https://github.com/moby/buildkit/pull/4638
-- https://github.com/moby/buildkit/pull/4639
-- https://github.com/moby/buildkit/pull/4640
+ - https://github.com/moby/buildkit/pull/4638
+ - https://github.com/moby/buildkit/pull/4639
+ - https://github.com/moby/buildkit/pull/4640
+ - Backported versions of the various CVE-2024-23650 patches.
 
 additionally change the version in builder/builder-next/worker/worker.go
 and adjust calls to NewGatewayFrontend() in builder/builder-next (Worker
 is no longer implementing the correct interface).
 
+Fixes: CVE-2024-23650 CVE-2024-23651 CVE-2024-23652 CVE-2024-23653
 Signed-off-by: Dan Čermák <dcermak@suse.com>
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
@@ -21,29 +23,36 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
  builder/builder-next/worker/worker.go         |   2 +-
  vendor.mod                                    |   3 +
  vendor.sum                                    | 797 +++++++-----------
+ .../moby/buildkit/control/control.go          |   3 +
  .../moby/buildkit/executor/executor.go        |  10 +-
- .../moby/buildkit/executor/oci/spec.go        |  30 +-
+ .../moby/buildkit/executor/oci/spec.go        |  34 +-
  .../moby/buildkit/executor/oci/spec_linux.go  |  57 ++
  .../buildkit/executor/oci/spec_non_linux.go   |  18 +
  .../buildkit/executor/oci/spec_windows.go     |  11 +
  .../moby/buildkit/executor/stubs.go           |  18 +-
+ .../exporter/containerimage/exptypes/parse.go |  14 +
+ .../exporter/containerimage/writer.go         |  16 +
  .../moby/buildkit/frontend/frontend.go        |   3 +-
+ .../frontend/gateway/client/attestation.go    |   6 +
  .../buildkit/frontend/gateway/container.go    |   9 +-
  .../frontend/gateway/forwarder/forward.go     |   9 +-
  .../frontend/gateway/forwarder/frontend.go    |   5 +-
- .../moby/buildkit/frontend/gateway/gateway.go |  28 +-
+ .../moby/buildkit/frontend/gateway/gateway.go |  43 +-
  .../moby/buildkit/snapshot/localmounter.go    |  35 +-
  .../buildkit/snapshot/localmounter_unix.go    |  45 +-
  .../moby/buildkit/snapshot/snapshotter.go     |   7 +-
- .../moby/buildkit/solver/llbsolver/bridge.go  |  52 ++
+ .../moby/buildkit/solver/llbsolver/bridge.go  |  60 ++
  .../buildkit/solver/llbsolver/provenance.go   |   2 +-
- .../moby/buildkit/solver/llbsolver/solver.go  |   2 +-
+ .../moby/buildkit/solver/llbsolver/solver.go  |  25 +-
  .../moby/buildkit/solver/llbsolver/vertex.go  |  14 +-
+ .../moby/buildkit/sourcepolicy/matcher.go     |   3 +
  .../util/entitlements/entitlements.go         |  20 +
+ .../util/tracing/transform/attribute.go       |  21 +-
+ .../buildkit/util/tracing/transform/span.go   |  23 +-
  .../github.com/moby/buildkit/worker/worker.go |   2 +-
  .../moby/buildkit/worker/workercontroller.go  |  23 +
  vendor/modules.txt                            |   3 +-
- 26 files changed, 615 insertions(+), 598 deletions(-)
+ 33 files changed, 740 insertions(+), 609 deletions(-)
  create mode 100644 vendor/github.com/moby/buildkit/executor/oci/spec_linux.go
  create mode 100644 vendor/github.com/moby/buildkit/executor/oci/spec_non_linux.go
 
@@ -74,7 +83,7 @@ index 46fc83eb7402..2693b8fab180 100644
  
  	return control.NewController(control.Opt{
 diff --git a/builder/builder-next/worker/worker.go b/builder/builder-next/worker/worker.go
-index 3773b95c949a..210218bf5a37 100644
+index 3773b95c949a..64d7b9131b16 100644
 --- a/builder/builder-next/worker/worker.go
 +++ b/builder/builder-next/worker/worker.go
 @@ -50,7 +50,7 @@ import (
@@ -82,26 +91,26 @@ index 3773b95c949a..210218bf5a37 100644
  
  func init() {
 -	version.Version = "v0.11.7+435cb77e369c"
-+	version.Version = "v0.11.7+5d3afed3f7b4"
++	version.Version = "v0.11.7+cd804dd86389"
  }
  
  const labelCreatedAt = "buildkit/createdat"
 diff --git a/vendor.mod b/vendor.mod
-index a1f8664e7d75..7946cbb75613 100644
+index a1f8664e7d75..2eb13746cacd 100644
 --- a/vendor.mod
 +++ b/vendor.mod
 @@ -98,6 +98,9 @@ require (
  	resenje.org/singleflight v0.3.0
  )
  
-+// github.com/cyphar/buildkit suse-stable-v24.0.9
-+replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
++// github.com/SUSE/buildkit suse-stable-v24.0.9
++replace github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389
 +
  require (
  	cloud.google.com/go v0.102.1 // indirect
  	github.com/agext/levenshtein v1.2.3 // indirect
 diff --git a/vendor.sum b/vendor.sum
-index 11d3aa6860f2..a426cdb147ce 100644
+index 11d3aa6860f2..716245c80413 100644
 --- a/vendor.sum
 +++ b/vendor.sum
 @@ -1,19 +1,13 @@
@@ -125,7 +134,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
  cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
  cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-@@ -69,109 +63,78 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
+@@ -69,138 +63,100 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
  cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
  code.cloudfoundry.org/clock v1.0.0 h1:kFXWQM4bxYvdBw2X8BbBeXwQNgfoWv1vqAk2ZZyBN2o=
  code.cloudfoundry.org/clock v1.0.0/go.mod h1:QD9Lzhd/ux6eNQVUDVRJX/RKTigpewimNYBi7ivZKY8=
@@ -261,9 +270,11 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
  github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
  github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-@@ -179,28 +142,19 @@ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdko
+ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
  github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91 h1:vX+gnvBc56EbWYrmlhYbFYRaeikAke1GL84N4BEYOFE=
  github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91/go.mod h1:cDLGBht23g0XQdLjzn6xOGXDkLK182YfINAaZEQLCHQ=
++github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 h1:EKne0CAOXpf1QuZ3+jj7PTpOtSn+q1Yz5H6pAwrOktY=
++github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM=
  github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 -github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 -github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
@@ -292,7 +303,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
  github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 h1:7Ip0wMmLHLRJdrloDxZfhMm0xrLXZS8+COSu2bXmEQs=
  github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
-@@ -209,44 +163,55 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
+@@ -209,44 +165,55 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
  github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA=
  github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
  github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
@@ -358,7 +369,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
  github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
  github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-@@ -258,31 +223,21 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
+@@ -258,31 +225,21 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
  github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
  github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
  github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
@@ -391,7 +402,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
  github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
  github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054 h1:uH66TXeswKn5PW5zdZ39xEwfS9an067BirqA+P4QaLI=
-@@ -293,6 +248,7 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb
+@@ -293,6 +250,7 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb
  github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
  github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
  github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
@@ -399,7 +410,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
  github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
  github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-@@ -301,6 +257,7 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI
+@@ -301,6 +259,7 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI
  github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
  github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
  github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
@@ -407,7 +418,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/cilium/ebpf v0.9.1 h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4=
  github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY=
  github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
-@@ -324,8 +281,8 @@ github.com/cockroachdb/errors v1.2.4 h1:Lap807SXTH5tri2TivECb/4abUkMZC9zRoLarvcK
+@@ -324,8 +283,8 @@ github.com/cockroachdb/errors v1.2.4 h1:Lap807SXTH5tri2TivECb/4abUkMZC9zRoLarvcK
  github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
  github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f h1:o/kfcElHqOiXqcou5a3rIlMc7oJbMQkeLk0VQJ7zgqY=
  github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
@@ -417,7 +428,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/container-storage-interface/spec v1.5.0 h1:lvKxe3uLgqQeVQcrnL2CPQKISoKjTJxojEs9cBk+HXo=
  github.com/container-storage-interface/spec v1.5.0/go.mod h1:8K96oQNkJ7pFcC2R9Z1ynGGBB1I93kcS6PGg3SsOk8s=
  github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
-@@ -342,6 +299,7 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S
+@@ -342,6 +301,7 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S
  github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
  github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
  github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
@@ -425,7 +436,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA=
  github.com/containerd/cgroups v1.0.4/go.mod h1:nLNQtsF7Sl2HxNebu77i1R0oDlhiTG+kO4JTrUzo6IA=
  github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0=
-@@ -349,7 +307,6 @@ github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxz
+@@ -349,7 +309,6 @@ github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxz
  github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
  github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
  github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
@@ -433,7 +444,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
  github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
  github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
-@@ -360,16 +317,20 @@ github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMX
+@@ -360,16 +319,20 @@ github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMX
  github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
  github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
  github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
@@ -456,7 +467,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/containerd v1.6.22 h1:rGTIBxPJusM0evF6wKgIzuD+tV70nmx9eEjzHVm1JzI=
  github.com/containerd/containerd v1.6.22/go.mod h1:BQAJdahvGz8xboAvxKg9hsDYIovn79Ea318anowQ1/o=
  github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-@@ -379,6 +340,7 @@ github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cE
+@@ -379,6 +342,7 @@ github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cE
  github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y=
  github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
  github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
@@ -464,7 +475,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
  github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
  github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
-@@ -389,8 +351,11 @@ github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1S
+@@ -389,8 +353,11 @@ github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1S
  github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
  github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
  github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
@@ -476,7 +487,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/go-cni v1.1.6 h1:el5WPymG5nRRLQF1EfB97FWob4Tdc8INg8RZMaXWZlo=
  github.com/containerd/go-cni v1.1.6/go.mod h1:BWtoWl5ghVymxu6MBjg79W9NZrCRyHIdUtk4cauMe34=
  github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
-@@ -404,13 +369,16 @@ github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak
+@@ -404,13 +371,16 @@ github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak
  github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA=
  github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow=
  github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms=
@@ -494,7 +505,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/stargz-snapshotter/estargz v0.13.0 h1:fD7AwuVV+B40p0d9qVkH/Au1qhp8hn/HWJHIYjpEcfw=
  github.com/containerd/stargz-snapshotter/estargz v0.13.0/go.mod h1:m+9VaGJGlhCnrcEUod8mYumTmRgblwd3rC5UCEh2Yp0=
  github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
-@@ -419,6 +387,7 @@ github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0x
+@@ -419,6 +389,7 @@ github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0x
  github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
  github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
  github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
@@ -502,7 +513,7 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/containerd/ttrpc v1.1.2 h1:4jH6OQDQqjfVD2b5TJS5TxmGuLGmp5WW7KtW2TWOP7c=
  github.com/containerd/ttrpc v1.1.2/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
  github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
-@@ -436,36 +405,39 @@ github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNR
+@@ -436,36 +407,39 @@ github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNR
  github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
  github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
  github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
@@ -546,12 +557,9 @@ index 11d3aa6860f2..a426cdb147ce 100644
  github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
  github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
  github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-@@ -474,44 +446,48 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
- github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+@@ -475,43 +449,45 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ
  github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
  github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-+github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 h1:e2A5JTqDADxy9xYHM0KxRXfYl9wCISpo5TitiaUmfGw=
-+github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM=
  github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
  github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
@@ -2249,6 +2257,20 @@ index 11d3aa6860f2..a426cdb147ce 100644
  sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
 -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
 -sourcegraph.com/sqs/pbtypes v1.0.0/go.mod h1:3AciMUv4qUuRHRHhOG4TZOB+72GdPVz5k+c648qsFS4=
+diff --git a/vendor/github.com/moby/buildkit/control/control.go b/vendor/github.com/moby/buildkit/control/control.go
+index 2bd06db2576b..f81b176d11be 100644
+--- a/vendor/github.com/moby/buildkit/control/control.go
++++ b/vendor/github.com/moby/buildkit/control/control.go
+@@ -394,6 +394,9 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
+ 
+ 	var cacheImports []frontend.CacheOptionsEntry
+ 	for _, im := range req.Cache.Imports {
++		if im == nil {
++			continue
++		}
+ 		cacheImports = append(cacheImports, frontend.CacheOptionsEntry{
+ 			Type:  im.Type,
+ 			Attrs: im.Attrs,
 diff --git a/vendor/github.com/moby/buildkit/executor/executor.go b/vendor/github.com/moby/buildkit/executor/executor.go
 index a323bcc9cc94..61da4c9dd7c3 100644
 --- a/vendor/github.com/moby/buildkit/executor/executor.go
@@ -2279,7 +2301,7 @@ index a323bcc9cc94..61da4c9dd7c3 100644
  
  type Mount struct {
 diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec.go b/vendor/github.com/moby/buildkit/executor/oci/spec.go
-index f825b1dce7ef..2c0e81b7b5b2 100644
+index f825b1dce7ef..d8bdf898953b 100644
 --- a/vendor/github.com/moby/buildkit/executor/oci/spec.go
 +++ b/vendor/github.com/moby/buildkit/executor/oci/spec.go
 @@ -12,7 +12,6 @@ import (
@@ -2298,8 +2320,12 @@ index f825b1dce7ef..2c0e81b7b5b2 100644
  }
  
  type submounts struct {
-@@ -226,10 +226,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error)
- 		return mount.Mount{}, nil
+@@ -223,12 +223,19 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error)
+ 	}
+ 	h, err := hashstructure.Hash(m, hashstructure.FormatV2, nil)
+ 	if err != nil {
+-		return mount.Mount{}, nil
++		return mount.Mount{}, err
  	}
  	if mr, ok := s.m[h]; ok {
 -		sm, err := sub(mr.mount, subPath)
@@ -2308,15 +2334,15 @@ index f825b1dce7ef..2c0e81b7b5b2 100644
 +		}
 +		sm, unmount, err := sub(mr.mount, subPath)
  		if err != nil {
- 			return mount.Mount{}, nil
- 		}
+-			return mount.Mount{}, nil
++			return mount.Mount{}, err
++		}
 +		mr.subRefs[subPath] = mountRef{
 +			mount:   sm,
 +			unmount: unmount,
-+		}
+ 		}
  		return sm, nil
  	}
- 
 @@ -254,12 +261,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error)
  			Options: opts,
  		},
@@ -2533,6 +2559,70 @@ index 22a8ac1310c4..09e26581a68c 100644
  				logrus.WithError(err).Warnf("Failed to restore time time mount stub timestamp (os.Chtimes(%q, %v, %v))", dir, atime, mtime)
  			}
  		}
+diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go
+index f77cd3f52565..6d01dc0f6e33 100644
+--- a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go
++++ b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go
+@@ -17,6 +17,18 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) {
+ 				return Platforms{}, errors.Wrapf(err, "failed to parse platforms passed to provenance processor")
+ 			}
+ 		}
++		if len(ps.Platforms) == 0 {
++			return Platforms{}, errors.Errorf("invalid empty platforms index for exporter")
++		}
++		for i, p := range ps.Platforms {
++			if p.ID == "" {
++				return Platforms{}, errors.Errorf("invalid empty platform key for exporter")
++			}
++			if p.Platform.OS == "" || p.Platform.Architecture == "" {
++				return Platforms{}, errors.Errorf("invalid platform value %v for exporter", p.Platform)
++			}
++			ps.Platforms[i].Platform = platforms.Normalize(p.Platform)
++		}
+ 		return ps, nil
+ 	}
+ 
+@@ -36,6 +48,8 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) {
+ 				OSFeatures:   img.OSFeatures,
+ 				Variant:      img.Variant,
+ 			}
++		} else if img.OS != "" || img.Architecture != "" {
++			return Platforms{}, errors.Errorf("invalid image config: os and architecture must be specified together")
+ 		}
+ 	}
+ 	p = platforms.Normalize(p)
+diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go b/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go
+index 4cccd9db5128..cf61e0c8e6f4 100644
+--- a/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go
++++ b/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go
+@@ -611,11 +611,27 @@ func parseHistoryFromConfig(dt []byte) ([]ocispecs.History, error) {
+ }
+ 
+ func patchImageConfig(dt []byte, descs []ocispecs.Descriptor, history []ocispecs.History, cache []byte, buildInfo []byte, epoch *time.Time) ([]byte, error) {
++	var img ocispecs.Image
++	if err := json.Unmarshal(dt, &img); err != nil {
++		return nil, errors.Wrap(err, "invalid image config for export")
++	}
++
+ 	m := map[string]json.RawMessage{}
+ 	if err := json.Unmarshal(dt, &m); err != nil {
+ 		return nil, errors.Wrap(err, "failed to parse image config for patch")
+ 	}
+ 
++	if m == nil {
++		return nil, errors.Errorf("invalid null image config for export")
++	}
++
++	if img.OS == "" {
++		return nil, errors.Errorf("invalid image config for export: missing os")
++	}
++	if img.Architecture == "" {
++		return nil, errors.Errorf("invalid image config for export: missing architecture")
++	}
++
+ 	var rootFS ocispecs.RootFS
+ 	rootFS.Type = "layers"
+ 	for _, desc := range descs {
 diff --git a/vendor/github.com/moby/buildkit/frontend/frontend.go b/vendor/github.com/moby/buildkit/frontend/frontend.go
 index 024ac802045c..4a068d17d41f 100644
 --- a/vendor/github.com/moby/buildkit/frontend/frontend.go
@@ -2554,6 +2644,25 @@ index 024ac802045c..4a068d17d41f 100644
  }
  
  type FrontendLLBBridge interface {
+diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go
+index 5ffe67233c50..c5112db9db64 100644
+--- a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go
++++ b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go
+@@ -30,8 +30,14 @@ func AttestationToPB[T any](a *result.Attestation[T]) (*pb.Attestation, error) {
+ }
+ 
+ func AttestationFromPB[T any](a *pb.Attestation) (*result.Attestation[T], error) {
++	if a == nil {
++		return nil, errors.Errorf("invalid nil attestation")
++	}
+ 	subjects := make([]result.InTotoSubject, len(a.InTotoSubjects))
+ 	for i, subject := range a.InTotoSubjects {
++		if subject == nil {
++			return nil, errors.Errorf("invalid nil attestation subject")
++		}
+ 		subjects[i] = result.InTotoSubject{
+ 			Kind:   subject.Kind,
+ 			Name:   subject.Name,
 diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/container.go b/vendor/github.com/moby/buildkit/frontend/gateway/container.go
 index d6161d1def93..9fb4d928d66d 100644
 --- a/vendor/github.com/moby/buildkit/frontend/gateway/container.go
@@ -2665,7 +2774,7 @@ index 7cd25a0e8ea0..331559a39057 100644
  		return nil, err
  	}
 diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go b/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go
-index 79825d0b651a..8f2af4d34101 100644
+index 79825d0b651a..32971aabab57 100644
 --- a/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go
 +++ b/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go
 @@ -82,7 +82,7 @@ func filterPrefix(opts map[string]string, pfx string) map[string]string {
@@ -2747,7 +2856,29 @@ index 79825d0b651a..8f2af4d34101 100644
  	*pipe
  	ctrs   map[string]gwclient.Container
  	ctrsMu sync.Mutex
-@@ -1001,7 +997,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta
+@@ -615,12 +611,21 @@ func (lbf *llbBridgeForwarder) registerResultIDs(results ...solver.Result) (ids
+ func (lbf *llbBridgeForwarder) Solve(ctx context.Context, req *pb.SolveRequest) (*pb.SolveResponse, error) {
+ 	var cacheImports []frontend.CacheOptionsEntry
+ 	for _, e := range req.CacheImports {
++		if e == nil {
++			return nil, errors.Errorf("invalid nil cache import")
++		}
+ 		cacheImports = append(cacheImports, frontend.CacheOptionsEntry{
+ 			Type:  e.Type,
+ 			Attrs: e.Attrs,
+ 		})
+ 	}
+ 
++	for _, p := range req.SourcePolicies {
++		if p == nil {
++			return nil, errors.Errorf("invalid nil source policy")
++		}
++	}
++
+ 	ctx = tracing.ContextWithSpanFromContext(ctx, lbf.callCtx)
+ 	res, err := lbf.llbBridge.Solve(ctx, frontend.SolveRequest{
+ 		Evaluate:       req.Evaluate,
+@@ -1001,7 +1006,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta
  	// and we want the context to live for the duration of the container.
  	group := session.NewGroup(lbf.sid)
  
@@ -2756,7 +2887,7 @@ index 79825d0b651a..8f2af4d34101 100644
  	if err != nil {
  		return nil, stack.Enable(err)
  	}
-@@ -1011,7 +1007,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta
+@@ -1011,7 +1016,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta
  		return nil, stack.Enable(err)
  	}
  
@@ -2765,6 +2896,19 @@ index 79825d0b651a..8f2af4d34101 100644
  	if err != nil {
  		return nil, stack.Enable(err)
  	}
+@@ -1045,6 +1050,12 @@ func (lbf *llbBridgeForwarder) ReleaseContainer(ctx context.Context, in *pb.Rele
+ }
+ 
+ func (lbf *llbBridgeForwarder) Warn(ctx context.Context, in *pb.WarnRequest) (*pb.WarnResponse, error) {
++	// validate ranges are valid
++	for _, r := range in.Ranges {
++		if r == nil {
++			return nil, status.Errorf(codes.InvalidArgument, "invalid source range")
++		}
++	}
+ 	err := lbf.llbBridge.Warn(ctx, in.Digest, string(in.Short), frontend.WarnOpts{
+ 		Level:      int(in.Level),
+ 		SourceInfo: in.Info,
 diff --git a/vendor/github.com/moby/buildkit/snapshot/localmounter.go b/vendor/github.com/moby/buildkit/snapshot/localmounter.go
 index 9ddb7c1af642..304eebc9e02d 100644
 --- a/vendor/github.com/moby/buildkit/snapshot/localmounter.go
@@ -2914,7 +3058,7 @@ index edf95cee70cd..3150815bb3bc 100644
  // Snapshotter defines interface that any snapshot implementation should satisfy
  type Snapshotter interface {
 diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
-index 185fe81f0649..5c95a3e7e958 100644
+index 185fe81f0649..64cdf4cc916c 100644
 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
 +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
 @@ -11,6 +11,7 @@ import (
@@ -2944,7 +3088,22 @@ index 185fe81f0649..5c95a3e7e958 100644
  }
  
  func (b *llbBridge) Warn(ctx context.Context, dgst digest.Digest, msg string, opts frontend.WarnOpts) error {
-@@ -151,6 +157,52 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp
+@@ -79,6 +85,14 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp
+ 	}
+ 	var polEngine SourcePolicyEvaluator
+ 	if srcPol != nil || len(pol) > 0 {
++		for _, p := range pol {
++			if p == nil {
++				return nil, errors.Errorf("invalid nil policy")
++			}
++			if err := validateSourcePolicy(*p); err != nil {
++				return nil, err
++			}
++		}
+ 		if srcPol != nil {
+ 			pol = append([]*spb.Policy{srcPol}, pol...)
+ 		}
+@@ -151,6 +165,52 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp
  	return res, nil
  }
  
@@ -3011,10 +3170,20 @@ index b30581c852d9..8b60f5e885fb 100644
  			return nil, err
  		}
 diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
-index 94d25ce5b7b2..c9921085337c 100644
+index 94d25ce5b7b2..16015244aa4b 100644
 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
 +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
-@@ -440,7 +440,7 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro
+@@ -432,6 +432,9 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro
+ 	j.SetValue(keyEntitlements, set)
+ 
+ 	if srcPol != nil {
++		if err := validateSourcePolicy(*srcPol); err != nil {
++			return nil, err
++		}
+ 		j.SetValue(keySourcePolicy, *srcPol)
+ 	}
+ 
+@@ -440,7 +443,7 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro
  	br := s.bridge(j)
  	var fwd gateway.LLBBridgeForwarder
  	if s.gatewayForwarder != nil && req.Definition == nil && req.Frontend == "" {
@@ -3023,6 +3192,40 @@ index 94d25ce5b7b2..c9921085337c 100644
  		defer fwd.Discard()
  		// Register build before calling s.recordBuildHistory, because
  		// s.recordBuildHistory can block for several seconds on
+@@ -583,6 +586,23 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro
+ 	}, nil
+ }
+ 
++func validateSourcePolicy(pol spb.Policy) error {
++	for _, r := range pol.Rules {
++		if r == nil {
++			return errors.New("invalid nil rule in policy")
++		}
++		if r.Selector == nil {
++			return errors.New("invalid nil selector in policy")
++		}
++		for _, c := range r.Selector.Constraints {
++			if c == nil {
++				return errors.New("invalid nil constraint in policy")
++			}
++		}
++	}
++	return nil
++}
++
+ func runCacheExporters(ctx context.Context, exporters []RemoteCacheExporter, j *solver.Job, cached *result.Result[solver.CachedResult], inp *result.Result[cache.ImmutableRef]) (map[string]string, error) {
+ 	eg, ctx := errgroup.WithContext(ctx)
+ 	g := session.NewGroup(j.SessionID)
+@@ -984,6 +1004,9 @@ func loadSourcePolicy(b solver.Builder) (*spb.Policy, error) {
+ 			return errors.Errorf("invalid source policy %T", v)
+ 		}
+ 		for _, f := range x.Rules {
++			if f == nil {
++				return errors.Errorf("invalid nil policy rule")
++			}
+ 			r := *f
+ 			srcPol.Rules = append(srcPol.Rules, &r)
+ 		}
 diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go b/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
 index 41a31bb9bbba..d57f2a053db1 100644
 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
@@ -3049,6 +3252,20 @@ index 41a31bb9bbba..d57f2a053db1 100644
  			}
  		}
  		return nil
+diff --git a/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go b/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go
+index 79ab4032a5ae..2abe1039071f 100644
+--- a/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go
++++ b/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go
+@@ -10,6 +10,9 @@ import (
+ 
+ func match(ctx context.Context, src *selectorCache, ref string, attrs map[string]string) (bool, error) {
+ 	for _, c := range src.Constraints {
++		if c == nil {
++			return false, errors.Errorf("invalid nil constraint for %v", src)
++		}
+ 		switch c.Condition {
+ 		case spb.AttrMatch_EQUAL:
+ 			if attrs[c.Key] != c.Value {
 diff --git a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
 index f65b426bb201..328580c326df 100644
 --- a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
@@ -3077,6 +3294,130 @@ index f65b426bb201..328580c326df 100644
 +	NetworkHost      bool
 +	SecurityInsecure bool
 +}
+diff --git a/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go b/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go
+index 2debe8835924..bc0df048d0a2 100644
+--- a/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go
++++ b/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go
+@@ -13,6 +13,9 @@ func Attributes(attrs []*commonpb.KeyValue) []attribute.KeyValue {
+ 
+ 	out := make([]attribute.KeyValue, 0, len(attrs))
+ 	for _, a := range attrs {
++		if a == nil {
++			continue
++		}
+ 		kv := attribute.KeyValue{
+ 			Key:   attribute.Key(a.Key),
+ 			Value: toValue(a.Value),
+@@ -42,7 +45,9 @@ func toValue(v *commonpb.AnyValue) attribute.Value {
+ func boolArray(kv []*commonpb.AnyValue) attribute.Value {
+ 	arr := make([]bool, len(kv))
+ 	for i, v := range kv {
+-		arr[i] = v.GetBoolValue()
++		if v != nil {
++			arr[i] = v.GetBoolValue()
++		}
+ 	}
+ 	return attribute.BoolSliceValue(arr)
+ }
+@@ -50,7 +55,9 @@ func boolArray(kv []*commonpb.AnyValue) attribute.Value {
+ func intArray(kv []*commonpb.AnyValue) attribute.Value {
+ 	arr := make([]int64, len(kv))
+ 	for i, v := range kv {
+-		arr[i] = v.GetIntValue()
++		if v != nil {
++			arr[i] = v.GetIntValue()
++		}
+ 	}
+ 	return attribute.Int64SliceValue(arr)
+ }
+@@ -58,7 +65,9 @@ func intArray(kv []*commonpb.AnyValue) attribute.Value {
+ func doubleArray(kv []*commonpb.AnyValue) attribute.Value {
+ 	arr := make([]float64, len(kv))
+ 	for i, v := range kv {
+-		arr[i] = v.GetDoubleValue()
++		if v != nil {
++			arr[i] = v.GetDoubleValue()
++		}
+ 	}
+ 	return attribute.Float64SliceValue(arr)
+ }
+@@ -66,13 +75,15 @@ func doubleArray(kv []*commonpb.AnyValue) attribute.Value {
+ func stringArray(kv []*commonpb.AnyValue) attribute.Value {
+ 	arr := make([]string, len(kv))
+ 	for i, v := range kv {
+-		arr[i] = v.GetStringValue()
++		if v != nil {
++			arr[i] = v.GetStringValue()
++		}
+ 	}
+ 	return attribute.StringSliceValue(arr)
+ }
+ 
+ func arrayValues(kv []*commonpb.AnyValue) attribute.Value {
+-	if len(kv) == 0 {
++	if len(kv) == 0 || kv[0] == nil {
+ 		return attribute.StringSliceValue([]string{})
+ 	}
+ 
+diff --git a/vendor/github.com/moby/buildkit/util/tracing/transform/span.go b/vendor/github.com/moby/buildkit/util/tracing/transform/span.go
+index f07d0c98e974..21137e704139 100644
+--- a/vendor/github.com/moby/buildkit/util/tracing/transform/span.go
++++ b/vendor/github.com/moby/buildkit/util/tracing/transform/span.go
+@@ -32,14 +32,20 @@ func Spans(sdl []*tracepb.ResourceSpans) []tracesdk.ReadOnlySpan {
+ 		}
+ 
+ 		for _, sdi := range sd.InstrumentationLibrarySpans {
+-			sda := make([]tracesdk.ReadOnlySpan, len(sdi.Spans))
+-			for i, s := range sdi.Spans {
+-				sda[i] = &readOnlySpan{
++			if sdi == nil {
++				continue
++			}
++			sda := make([]tracesdk.ReadOnlySpan, 0, len(sdi.Spans))
++			for _, s := range sdi.Spans {
++				if s == nil {
++					continue
++				}
++				sda = append(sda, &readOnlySpan{
+ 					pb:        s,
+ 					il:        sdi.InstrumentationLibrary,
+ 					resource:  sd.Resource,
+ 					schemaURL: sd.SchemaUrl,
+-				}
++				})
+ 			}
+ 			out = append(out, sda...)
+ 		}
+@@ -165,6 +171,9 @@ var _ tracesdk.ReadOnlySpan = &readOnlySpan{}
+ 
+ // status transform a OTLP span status into span code.
+ func statusCode(st *tracepb.Status) codes.Code {
++	if st == nil {
++		return codes.Unset
++	}
+ 	switch st.Code {
+ 	case tracepb.Status_STATUS_CODE_ERROR:
+ 		return codes.Error
+@@ -181,6 +190,9 @@ func links(links []*tracepb.Span_Link) []tracesdk.Link {
+ 
+ 	sl := make([]tracesdk.Link, 0, len(links))
+ 	for _, otLink := range links {
++		if otLink == nil {
++			continue
++		}
+ 		// This redefinition is necessary to prevent otLink.*ID[:] copies
+ 		// being reused -- in short we need a new otLink per iteration.
+ 		otLink := otLink
+@@ -221,6 +233,9 @@ func spanEvents(es []*tracepb.Span_Event) []tracesdk.Event {
+ 		if messageEvents >= maxMessageEventsPerSpan {
+ 			break
+ 		}
++		if e == nil {
++			continue
++		}
+ 		messageEvents++
+ 		events = append(events,
+ 			tracesdk.Event{
 diff --git a/vendor/github.com/moby/buildkit/worker/worker.go b/vendor/github.com/moby/buildkit/worker/worker.go
 index 2f426e9ead40..0a708227204b 100644
 --- a/vendor/github.com/moby/buildkit/worker/worker.go
@@ -3128,7 +3469,7 @@ index e175b4002b4a..150eed352a3a 100644
 +	return c.c.WorkerInfos()
 +}
 diff --git a/vendor/modules.txt b/vendor/modules.txt
-index dd3fb54fefd2..2a3b597c5858 100644
+index dd3fb54fefd2..9adbc22b99fc 100644
 --- a/vendor/modules.txt
 +++ b/vendor/modules.txt
 @@ -577,7 +577,7 @@ github.com/mistifyio/go-zfs/v3
@@ -3136,7 +3477,7 @@ index dd3fb54fefd2..2a3b597c5858 100644
  ## explicit; go 1.14
  github.com/mitchellh/hashstructure/v2
 -# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c
-+# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
++# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389
  ## explicit; go 1.18
  github.com/moby/buildkit/api/services/control
  github.com/moby/buildkit/api/types
@@ -3144,7 +3485,7 @@ index dd3fb54fefd2..2a3b597c5858 100644
  # resenje.org/singleflight v0.3.0
  ## explicit; go 1.18
  resenje.org/singleflight
-+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
++# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389
 -- 
-2.47.0
+2.47.1
 

0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch

@@ -1,7 +1,7 @@
-From 7719675180f785c4e92df7efc25df9adc882b289 Mon Sep 17 00:00:00 2001
+From b760758157cd0d00f46f37f86a9cbee7810cb666 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Thu, 2 May 2024 22:50:23 +1000
-Subject: [PATCH 07/13] bsc1221916: update to patched buildkit version to fix
+Subject: [PATCH 07/11] bsc1221916: update to patched buildkit version to fix
  symlink resolution
 
 SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916
@@ -16,46 +16,46 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
  6 files changed, 314 insertions(+), 252 deletions(-)
 
 diff --git a/builder/builder-next/worker/worker.go b/builder/builder-next/worker/worker.go
-index 210218bf5a37..e36517da2914 100644
+index 64d7b9131b16..7b40ac63ce7f 100644
 --- a/builder/builder-next/worker/worker.go
 +++ b/builder/builder-next/worker/worker.go
 @@ -50,7 +50,7 @@ import (
  )
  
  func init() {
--	version.Version = "v0.11.7+5d3afed3f7b4"
-+	version.Version = "v0.11.7+ea1ca9670261"
+-	version.Version = "v0.11.7+cd804dd86389"
++	version.Version = "v0.11.7+6b814972ef19"
  }
  
  const labelCreatedAt = "buildkit/createdat"
 diff --git a/vendor.mod b/vendor.mod
-index 7946cbb75613..878ec24cee4b 100644
+index 2eb13746cacd..021d62b21d19 100644
 --- a/vendor.mod
 +++ b/vendor.mod
 @@ -99,7 +99,7 @@ require (
  )
  
- // github.com/cyphar/buildkit suse-stable-v24.0.9
--replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
-+replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261
+ // github.com/SUSE/buildkit suse-stable-v24.0.9
+-replace github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389
++replace github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19
  
  require (
  	cloud.google.com/go v0.102.1 // indirect
 diff --git a/vendor.sum b/vendor.sum
-index a426cdb147ce..187a4138d110 100644
+index 716245c80413..4bdbbeb3f073 100644
 --- a/vendor.sum
 +++ b/vendor.sum
-@@ -446,8 +446,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
- github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
- github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
- github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
--github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 h1:e2A5JTqDADxy9xYHM0KxRXfYl9wCISpo5TitiaUmfGw=
--github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM=
-+github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 h1:xcmjjOjBMdaa2Z3Blblc3J2FraOISKtT6I/cjGG/244=
-+github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM=
- github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
- github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
- github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+@@ -141,8 +141,8 @@ github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdko
+ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+ github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91 h1:vX+gnvBc56EbWYrmlhYbFYRaeikAke1GL84N4BEYOFE=
+ github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91/go.mod h1:cDLGBht23g0XQdLjzn6xOGXDkLK182YfINAaZEQLCHQ=
+-github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 h1:EKne0CAOXpf1QuZ3+jj7PTpOtSn+q1Yz5H6pAwrOktY=
+-github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM=
++github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19 h1:3gfqJcXxLASvlAfgd+TFPrrhNrM+O26HplOhi3BNT+A=
++github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM=
+ github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
+ github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+ github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 diff --git a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go b/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
 index dcf424a6b4fc..13a74be24c4e 100644
 --- a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
@@ -875,15 +875,15 @@ index 42b7fd8349c7..ae950f713241 100644
 +	return filepath.Join(root, finalPath), nil
  }
 diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 2a3b597c5858..335c85392288 100644
+index 9adbc22b99fc..27bc31dfd397 100644
 --- a/vendor/modules.txt
 +++ b/vendor/modules.txt
 @@ -577,7 +577,7 @@ github.com/mistifyio/go-zfs/v3
  # github.com/mitchellh/hashstructure/v2 v2.0.2
  ## explicit; go 1.14
  github.com/mitchellh/hashstructure/v2
--# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
-+# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261
+-# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389
++# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19
  ## explicit; go 1.18
  github.com/moby/buildkit/api/services/control
  github.com/moby/buildkit/api/types
@@ -891,8 +891,8 @@ index 2a3b597c5858..335c85392288 100644
  # resenje.org/singleflight v0.3.0
  ## explicit; go 1.18
  resenje.org/singleflight
--# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4
-+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261
+-# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389
++# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19
 -- 
-2.47.0
+2.47.1
 

0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

@@ -1,7 +1,7 @@
-From b6213c77313f15ac74a551b9a03670fce06280fb Mon Sep 17 00:00:00 2001
+From 12c8b7a22f7140b5b4d2c87a7e5d70da082fe558 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Wed, 19 Jun 2024 16:30:49 +1000
-Subject: [PATCH 08/13] bsc1214855: volume: use AtomicWriteFile to save volume
+Subject: [PATCH 08/11] bsc1214855: volume: use AtomicWriteFile to save volume
  options
 
 If the system (or Docker) crashes while saivng the volume options, on
@@ -22,6 +22,7 @@ that has the wrong config is better than Docker not being able to start.
 [1]: commit b05b2370757d ("Support mount opts for `local` volume driver")
 
 SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1214855
+(Cherry-picked from commit b4c20da143502e5fc21cc4996b63e83691c515bf.)
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
  volume/local/local.go | 3 ++-
@@ -49,5 +50,5 @@ index b4f3a3669a84..077b26f1b813 100644
  		return errdefs.System(errors.Wrap(err, "error while persisting volume options"))
  	}
 -- 
-2.47.0
+2.47.1
 

0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch

@@ -1,7 +1,7 @@
-From 989f5ae4dea1619b7e1d7ec7f9cac8d64b3a2209 Mon Sep 17 00:00:00 2001
+From 49605be604df94e216168288cdbcae0fda04d641 Mon Sep 17 00:00:00 2001
 From: Jameson Hyde <jameson.hyde@docker.com>
 Date: Mon, 26 Nov 2018 14:15:22 -0500
-Subject: [PATCH 09/13] CVE-2024-41110: AuthZ plugin securty fixes
+Subject: [PATCH 09/11] CVE-2024-41110: AuthZ plugin securty fixes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -205,5 +205,5 @@ index 835cb703839b..8bfe44e1a840 100644
  	}
  }
 -- 
-2.47.0
+2.47.1
 

0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch

@@ -0,0 +1,139 @@
+From 60abff4c864c08b4ea05d96a304f6cf3f0cca787 Mon Sep 17 00:00:00 2001
+From: Albin Kerouanton <albinker@gmail.com>
+Date: Tue, 10 Oct 2023 01:13:25 +0200
+Subject: [PATCH 10/11] CVE-2024-29018: libnet: Don't forward to upstream
+ resolvers on internal nw
+
+Commit cbc2a71c2 makes `connect` syscall fail fast when a container is
+only attached to an internal network. Thanks to that, if such a
+container tries to resolve an "external" domain, the embedded resolver
+returns an error immediately instead of waiting for a timeout.
+
+This commit makes sure the embedded resolver doesn't even try to forward
+to upstream servers.
+
+Co-authored-by: Albin Kerouanton <albinker@gmail.com>
+Signed-off-by: Rob Murray <rob.murray@docker.com>
+(Cherry-picked from commit 790c3039d0ca5ed86ecd099b4b571496607628bc.)
+[Drop test additions and test-related patches.]
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ libnetwork/endpoint.go         | 12 +++++++++++-
+ libnetwork/resolver.go         | 17 +++++++++++++----
+ libnetwork/sandbox_dns_unix.go |  6 +++++-
+ 3 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go
+index b9903bb90188..b90500ce97a1 100644
+--- a/libnetwork/endpoint.go
++++ b/libnetwork/endpoint.go
+@@ -520,8 +520,13 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) {
+ 		return sb.setupDefaultGW()
+ 	}
+ 
+-	moveExtConn := sb.getGatewayEndpoint() != extEp
++	currentExtEp := sb.getGatewayEndpoint()
++	// Enable upstream forwarding if the sandbox gained external connectivity.
++	if sb.resolver != nil {
++		sb.resolver.SetForwardingPolicy(currentExtEp != nil)
++	}
+ 
++	moveExtConn := currentExtEp != extEp
+ 	if moveExtConn {
+ 		if extEp != nil {
+ 			logrus.Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+@@ -751,6 +756,11 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption)
+ 
+ 	// New endpoint providing external connectivity for the sandbox
+ 	extEp = sb.getGatewayEndpoint()
++	// Disable upstream forwarding if the sandbox lost external connectivity.
++	if sb.resolver != nil {
++		sb.resolver.SetForwardingPolicy(extEp != nil)
++	}
++
+ 	if moveExtConn && extEp != nil {
+ 		logrus.Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+ 		extN, err := extEp.getNetworkFromStore()
+diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go
+index ab19b7b08fc0..70ca33b53590 100644
+--- a/libnetwork/resolver.go
++++ b/libnetwork/resolver.go
+@@ -7,6 +7,7 @@ import (
+ 	"net"
+ 	"strings"
+ 	"sync"
++	"sync/atomic"
+ 	"time"
+ 
+ 	"github.com/docker/docker/libnetwork/types"
+@@ -69,7 +70,7 @@ type Resolver struct {
+ 	tcpListen     *net.TCPListener
+ 	err           error
+ 	listenAddress string
+-	proxyDNS      bool
++	proxyDNS      atomic.Bool
+ 	startCh       chan struct{}
+ 	logger        *logrus.Logger
+ 
+@@ -79,15 +80,17 @@ type Resolver struct {
+ 
+ // NewResolver creates a new instance of the Resolver
+ func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver {
+-	return &Resolver{
++	r := &Resolver{
+ 		backend:       backend,
+-		proxyDNS:      proxyDNS,
+ 		listenAddress: address,
+ 		err:           fmt.Errorf("setup not done yet"),
+ 		startCh:       make(chan struct{}, 1),
+ 		fwdSem:        semaphore.NewWeighted(maxConcurrent),
+ 		logInverval:   rate.Sometimes{Interval: logInterval},
+ 	}
++	r.proxyDNS.Store(proxyDNS)
++
++	return r
+ }
+ 
+ func (r *Resolver) log() *logrus.Logger {
+@@ -192,6 +195,12 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) {
+ 	}
+ }
+ 
++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++// external servers.
++func (r *Resolver) SetForwardingPolicy(policy bool) {
++	r.proxyDNS.Store(policy)
++}
++
+ // NameServer returns the IP of the DNS resolver for the containers.
+ func (r *Resolver) NameServer() string {
+ 	return r.listenAddress
+@@ -407,7 +416,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) {
+ 		return
+ 	}
+ 
+-	if r.proxyDNS {
++	if r.proxyDNS.Load() {
+ 		// If the user sets ndots > 0 explicitly and the query is
+ 		// in the root domain don't forward it out. We will return
+ 		// failure and let the client retry with the search domain
+diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go
+index 2218c6960e45..e3bb9abce93b 100644
+--- a/libnetwork/sandbox_dns_unix.go
++++ b/libnetwork/sandbox_dns_unix.go
+@@ -28,7 +28,11 @@ const (
+ func (sb *Sandbox) startResolver(restore bool) {
+ 	sb.resolverOnce.Do(func() {
+ 		var err error
+-		sb.resolver = NewResolver(resolverIPSandbox, true, sb)
++		// The resolver is started with proxyDNS=false if the sandbox does not currently
++		// have a gateway. So, if the Sandbox is only connected to an 'internal' network,
++		// it will not forward DNS requests to external resolvers. The resolver's
++		// proxyDNS setting is then updated as network Endpoints are added/removed.
++		sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)
+ 		defer func() {
+ 			if err != nil {
+ 				sb.resolver = nil
+-- 
+2.47.1
+

0011-TESTS-backport-fixes-for-integration-tests.patch

@@ -1,7 +1,7 @@
-From 971d5a3b8431c9263060b12c6b131ebb8158a389 Mon Sep 17 00:00:00 2001
+From 0392c617b8e75f0b59a922f95c691fdd05eaf99f Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Thu, 21 Nov 2024 20:00:07 +1100
-Subject: [PATCH 10/10] TESTS: backport fixes for integration tests
+Subject: [PATCH 11/11] TESTS: backport fixes for integration tests
 
 We need a couple of patches to make the tests work on SLES:
 

docker-stable.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Dec 18 05:53:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Add backport for CVE-2024-29018 fix. bsc#1234089
+  + 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
+- Add backport for CVE-2024-23650 fix. bsc#1219437
+  - 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
+  + 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
+- Reorder and rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
+  * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
+  * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
+  - 0010-TESTS-backport-fixes-for-integration-tests.patch
+  + 0011-TESTS-backport-fixes-for-integration-tests.patch
+
 -------------------------------------------------------------------
 Tue Dec 17 13:20:39 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 

docker-stable.spec

@@ -113,10 +113,11 @@ Patch201:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
 Patch202:       0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
 # UPSTREAM: Backport of several BuildKit patches:
+#           (Various patches.) CVE-2024-23650
 #           <https://github.com/moby/buildkit/pull/4604> CVE-2024-23651
 #           <https://github.com/moby/buildkit/pull/4603> CVE-2024-23652
 #           <https://github.com/moby/buildkit/pull/4602> CVE-2024-23653
-Patch203:       0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
+Patch203:       0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
 # UPSTREAM: Backport of <https://github.com/moby/buildkit/pull/4896> and
 #           <https://github.com/moby/buildkit/pull/5060>. bsc#1221916
 Patch204:       0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
@@ -125,9 +126,11 @@ Patch205:       0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq>
 #           fix. CVE-2024-41110
 Patch206:       0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
+# UPSTREAM: Backport of <https://github.com/moby/moby/pull/46609>. CVE-2024-29018
+Patch207:       0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/pull/46307> and
 #                       <https://github.com/moby/moby/pull/49061>.
-Patch299:       0010-TESTS-backport-fixes-for-integration-tests.patch
+Patch299:       0011-TESTS-backport-fixes-for-integration-tests.patch
 # UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
 Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
 BuildRequires:  audit
@@ -394,6 +397,8 @@ cp %{SOURCE130} .
 %patch -P205 -p1
 # CVE-2024-41110
 %patch -P206 -p1
+# CVE-2024-29018
+%patch -P207 -p1
 %if %{with integration_tests}
 # integration-tests patches
 %patch -P299 -p1