diff --git a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index a2d2645..7c0d265 100644 --- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,7 @@ From a94378d92f7ef523b17aa399ce83b27f7986980f Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 01/13] SECRETS: daemon: allow directory creation in +Subject: [PATCH 01/11] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore @@ -70,5 +70,5 @@ index 290ec59a34a7..b7013fb89c83 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.47.0 +2.47.1 diff --git a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch index f108416..637e305 100644 --- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch +++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch @@ -1,7 +1,7 @@ From 009cad241857541779baa2a9fae8291597dc85f8 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 02/10] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 02/11] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. diff --git a/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch b/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch index 4fb3626..a6e7114 100644 --- a/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch +++ b/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch @@ -1,7 +1,7 @@ -From 7824330a0012e6b1d9b00db40a7c58b42d6adbfd Mon Sep 17 00:00:00 2001 +From 3f1bda82f345cc919a70cf747cc8c6f094c9451a Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Mon, 22 May 2023 15:44:54 +1000 -Subject: [PATCH 03/13] BUILD: SLE12: revert "graphdriver/btrfs: use kernel +Subject: [PATCH 03/11] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI headers" This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d. @@ -42,5 +42,5 @@ index d88efc4be2bb..4e976aa689cd 100644 static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); -- -2.47.0 +2.47.1 diff --git a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index 37100ce..a67f411 100644 --- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch @@ -1,7 +1,7 @@ -From 5deaa3fad88f7a6d8d5d342e23d3e2027571b9e2 Mon Sep 17 00:00:00 2001 +From ba4df1cb80fa7956c148230193037a2b112a40a5 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 04/13] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 04/11] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -85,5 +85,5 @@ index 585d85086f8d..6e4c6ad1ac01 100644 } -- -2.47.0 +2.47.1 diff --git a/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch b/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch index ab647d2..de8bce2 100644 --- a/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch +++ b/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch @@ -1,7 +1,7 @@ -From 6e3d78c8d9f569ed7142994a802e2bce988b59bf Mon Sep 17 00:00:00 2001 +From 0ca28257e81eed36ff840bff822ff7add3e2efa2 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Wed, 11 Oct 2023 21:19:12 +1100 -Subject: [PATCH 05/13] SLE12: revert "apparmor: remove version-conditionals +Subject: [PATCH 05/11] SLE12: revert "apparmor: remove version-conditionals from template" This reverts the following commits: @@ -237,5 +237,5 @@ index 9f207e2014a8..626e5f6789a3 100644 } ` -- -2.47.0 +2.47.1 diff --git a/0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch b/0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch similarity index 94% rename from 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch rename to 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch index 94433ce..43f15ea 100644 --- a/0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch +++ b/0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch @@ -1,19 +1,21 @@ -From d3d04b94a209b056c30bec37ce9dd42f646ebd54 Mon Sep 17 00:00:00 2001 +From 5cf2e26f5a8b7fefc62db7a75e04939f8db1a742 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Tue, 13 Feb 2024 16:57:32 +0100 -Subject: [PATCH 06/13] CVE-2024-23653: update buildkit to include CVE patches +Subject: [PATCH 06/11] CVE-2024-2365x: update buildkit to include CVE patches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- https://github.com/moby/buildkit/pull/4638 -- https://github.com/moby/buildkit/pull/4639 -- https://github.com/moby/buildkit/pull/4640 + - https://github.com/moby/buildkit/pull/4638 + - https://github.com/moby/buildkit/pull/4639 + - https://github.com/moby/buildkit/pull/4640 + - Backported versions of the various CVE-2024-23650 patches. additionally change the version in builder/builder-next/worker/worker.go and adjust calls to NewGatewayFrontend() in builder/builder-next (Worker is no longer implementing the correct interface). +Fixes: CVE-2024-23650 CVE-2024-23651 CVE-2024-23652 CVE-2024-23653 Signed-off-by: Dan Čermák Signed-off-by: Aleksa Sarai --- 
@@ -21,29 +23,36 @@ 
Signed-off-by: Aleksa Sarai builder/builder-next/worker/worker.go | 2 +- vendor.mod | 3 + vendor.sum | 797 +++++++----------- + .../moby/buildkit/control/control.go | 3 + .../moby/buildkit/executor/executor.go | 10 +- - .../moby/buildkit/executor/oci/spec.go | 30 +- + .../moby/buildkit/executor/oci/spec.go | 34 +- .../moby/buildkit/executor/oci/spec_linux.go | 57 ++ .../buildkit/executor/oci/spec_non_linux.go | 18 + .../buildkit/executor/oci/spec_windows.go | 11 + .../moby/buildkit/executor/stubs.go | 18 +- + .../exporter/containerimage/exptypes/parse.go | 14 + + .../exporter/containerimage/writer.go | 16 + .../moby/buildkit/frontend/frontend.go | 3 +- + .../frontend/gateway/client/attestation.go | 6 + .../buildkit/frontend/gateway/container.go | 9 +- .../frontend/gateway/forwarder/forward.go | 9 +- .../frontend/gateway/forwarder/frontend.go | 5 +- - .../moby/buildkit/frontend/gateway/gateway.go | 28 +- + .../moby/buildkit/frontend/gateway/gateway.go | 43 +- .../moby/buildkit/snapshot/localmounter.go | 35 +- .../buildkit/snapshot/localmounter_unix.go | 45 +- .../moby/buildkit/snapshot/snapshotter.go | 7 +- - .../moby/buildkit/solver/llbsolver/bridge.go | 52 ++ + .../moby/buildkit/solver/llbsolver/bridge.go | 60 ++ .../buildkit/solver/llbsolver/provenance.go | 2 +- - .../moby/buildkit/solver/llbsolver/solver.go | 2 +- + .../moby/buildkit/solver/llbsolver/solver.go | 25 +- .../moby/buildkit/solver/llbsolver/vertex.go | 14 +- + .../moby/buildkit/sourcepolicy/matcher.go | 3 + .../util/entitlements/entitlements.go | 20 + + .../util/tracing/transform/attribute.go | 21 +- + .../buildkit/util/tracing/transform/span.go | 23 +- .../github.com/moby/buildkit/worker/worker.go | 2 +- .../moby/buildkit/worker/workercontroller.go | 23 + vendor/modules.txt | 3 +- - 26 files changed, 615 insertions(+), 598 deletions(-) + 33 files changed, 740 insertions(+), 609 deletions(-) create mode 100644 vendor/github.com/moby/buildkit/executor/oci/spec_linux.go create mode 100644 
vendor/github.com/moby/buildkit/executor/oci/spec_non_linux.go @@ -74,7 +83,7 @@ index 46fc83eb7402..2693b8fab180 100644 return control.NewController(control.Opt{ diff --git a/builder/builder-next/worker/worker.go b/builder/builder-next/worker/worker.go -index 3773b95c949a..210218bf5a37 100644 +index 3773b95c949a..64d7b9131b16 100644 --- a/builder/builder-next/worker/worker.go +++ b/builder/builder-next/worker/worker.go @@ -50,7 +50,7 @@ import ( @@ -82,26 +91,26 @@ index 3773b95c949a..210218bf5a37 100644 func init() { - version.Version = "v0.11.7+435cb77e369c" -+ version.Version = "v0.11.7+5d3afed3f7b4" ++ version.Version = "v0.11.7+cd804dd86389" } const labelCreatedAt = "buildkit/createdat" diff --git a/vendor.mod b/vendor.mod -index a1f8664e7d75..7946cbb75613 100644 +index a1f8664e7d75..2eb13746cacd 100644 --- a/vendor.mod +++ b/vendor.mod @@ -98,6 +98,9 @@ require ( resenje.org/singleflight v0.3.0 ) -+// github.com/cyphar/buildkit suse-stable-v24.0.9 -+replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 ++// github.com/SUSE/buildkit suse-stable-v24.0.9 ++replace github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 + require ( cloud.google.com/go v0.102.1 // indirect github.com/agext/levenshtein v1.2.3 // indirect diff --git a/vendor.sum b/vendor.sum -index 11d3aa6860f2..a426cdb147ce 100644 +index 11d3aa6860f2..716245c80413 100644 --- a/vendor.sum +++ b/vendor.sum @@ -1,19 +1,13 @@ 
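Review bot: The `replace` directive in vendor.mod now pins buildkit to `github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389`, but the comment above it names only the branch `suse-stable-v24.0.9`, which is a moving ref and says nothing about which commit was actually reviewed. Record the pinned commit next to the branch so the supply-chain pin can be audited without resolving the branch: `// github.com/SUSE/buildkit suse-stable-v24.0.9 @ cd804dd86389 (2024-12-18); keep in step with version.Version in builder/builder-next/worker/worker.go and the h1: lines in vendor.sum`. The `version.Version = "v0.11.7+cd804dd86389"` bump in worker.go does match the pseudo-version suffix, so the two are consistent in this revision; the vendor.sum entries for the new module appear in a later hunk and should be the ones `go mod vendor` produced for the SUSE fork rather than carried over by hand.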
@@ -125,7 +134,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -@@ -69,109 +63,78 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 +@@ -69,138 +63,100 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= code.cloudfoundry.org/clock v1.0.0 h1:kFXWQM4bxYvdBw2X8BbBeXwQNgfoWv1vqAk2ZZyBN2o= code.cloudfoundry.org/clock v1.0.0/go.mod h1:QD9Lzhd/ux6eNQVUDVRJX/RKTigpewimNYBi7ivZKY8= 
@@ -261,9 +270,11 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -@@ -179,28 +142,19 @@ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdko + github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91 h1:vX+gnvBc56EbWYrmlhYbFYRaeikAke1GL84N4BEYOFE= github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91/go.mod h1:cDLGBht23g0XQdLjzn6xOGXDkLK182YfINAaZEQLCHQ= ++github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 h1:EKne0CAOXpf1QuZ3+jj7PTpOtSn+q1Yz5H6pAwrOktY= ++github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= -github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= -github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= 
@@ -292,7 +303,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 h1:7Ip0wMmLHLRJdrloDxZfhMm0xrLXZS8+COSu2bXmEQs= github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= -@@ -209,44 +163,55 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV +@@ -209,44 +165,55 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= @@ -358,7 +369,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -@@ -258,31 +223,21 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB +@@ -258,31 +225,21 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= 
@@ -391,7 +402,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054 h1:uH66TXeswKn5PW5zdZ39xEwfS9an067BirqA+P4QaLI= -@@ -293,6 +248,7 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb +@@ -293,6 +250,7 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= @@ -399,7 +410,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -@@ -301,6 +257,7 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI +@@ -301,6 +259,7 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= 
@@ -407,7 +418,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/cilium/ebpf v0.9.1 h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4= github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= -@@ -324,8 +281,8 @@ github.com/cockroachdb/errors v1.2.4 h1:Lap807SXTH5tri2TivECb/4abUkMZC9zRoLarvcK +@@ -324,8 +283,8 @@ github.com/cockroachdb/errors v1.2.4 h1:Lap807SXTH5tri2TivECb/4abUkMZC9zRoLarvcK github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f h1:o/kfcElHqOiXqcou5a3rIlMc7oJbMQkeLk0VQJ7zgqY= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= @@ -417,7 +428,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/container-storage-interface/spec v1.5.0 h1:lvKxe3uLgqQeVQcrnL2CPQKISoKjTJxojEs9cBk+HXo= github.com/container-storage-interface/spec v1.5.0/go.mod h1:8K96oQNkJ7pFcC2R9Z1ynGGBB1I93kcS6PGg3SsOk8s= github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= -@@ -342,6 +299,7 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S +@@ -342,6 +301,7 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= 
@@ -425,7 +436,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA= github.com/containerd/cgroups v1.0.4/go.mod h1:nLNQtsF7Sl2HxNebu77i1R0oDlhiTG+kO4JTrUzo6IA= github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0= -@@ -349,7 +307,6 @@ github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxz +@@ -349,7 +309,6 @@ github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxz github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= @@ -433,7 +444,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw= -@@ -360,16 +317,20 @@ github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMX +@@ -360,16 +319,20 @@ github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMX github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= 
@@ -456,7 +467,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/containerd v1.6.22 h1:rGTIBxPJusM0evF6wKgIzuD+tV70nmx9eEjzHVm1JzI= github.com/containerd/containerd v1.6.22/go.mod h1:BQAJdahvGz8xboAvxKg9hsDYIovn79Ea318anowQ1/o= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -@@ -379,6 +340,7 @@ github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cE +@@ -379,6 +342,7 @@ github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cE github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= @@ -464,7 +475,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg= github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM= github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= -@@ -389,8 +351,11 @@ github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1S +@@ -389,8 +353,11 @@ github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1S github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY= github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= 
@@ -476,7 +487,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/go-cni v1.1.6 h1:el5WPymG5nRRLQF1EfB97FWob4Tdc8INg8RZMaXWZlo= github.com/containerd/go-cni v1.1.6/go.mod h1:BWtoWl5ghVymxu6MBjg79W9NZrCRyHIdUtk4cauMe34= github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= -@@ -404,13 +369,16 @@ github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak +@@ -404,13 +371,16 @@ github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= @@ -494,7 +505,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/stargz-snapshotter/estargz v0.13.0 h1:fD7AwuVV+B40p0d9qVkH/Au1qhp8hn/HWJHIYjpEcfw= github.com/containerd/stargz-snapshotter/estargz v0.13.0/go.mod h1:m+9VaGJGlhCnrcEUod8mYumTmRgblwd3rC5UCEh2Yp0= github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= -@@ -419,6 +387,7 @@ github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0x +@@ -419,6 +389,7 @@ github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0x github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ= 
@@ -502,7 +513,7 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/containerd/ttrpc v1.1.2 h1:4jH6OQDQqjfVD2b5TJS5TxmGuLGmp5WW7KtW2TWOP7c= github.com/containerd/ttrpc v1.1.2/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ= github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= -@@ -436,36 +405,39 @@ github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNR +@@ -436,36 +407,39 @@ github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNR github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= 
@@ -546,12 +557,9 @@ index 11d3aa6860f2..a426cdb147ce 100644 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -@@ -474,44 +446,48 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 - github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +@@ -475,43 +449,45 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -+github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 h1:e2A5JTqDADxy9xYHM0KxRXfYl9wCISpo5TitiaUmfGw= -+github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= 
@@ -2249,6 +2257,20 @@ index 11d3aa6860f2..a426cdb147ce 100644 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= -sourcegraph.com/sqs/pbtypes v1.0.0/go.mod h1:3AciMUv4qUuRHRHhOG4TZOB+72GdPVz5k+c648qsFS4= +diff --git a/vendor/github.com/moby/buildkit/control/control.go b/vendor/github.com/moby/buildkit/control/control.go +index 2bd06db2576b..f81b176d11be 100644 +--- a/vendor/github.com/moby/buildkit/control/control.go ++++ b/vendor/github.com/moby/buildkit/control/control.go +@@ -394,6 +394,9 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (* + + var cacheImports []frontend.CacheOptionsEntry + for _, im := range req.Cache.Imports { ++ if im == nil { ++ continue ++ } + cacheImports = append(cacheImports, frontend.CacheOptionsEntry{ + Type: im.Type, + Attrs: im.Attrs, diff --git a/vendor/github.com/moby/buildkit/executor/executor.go b/vendor/github.com/moby/buildkit/executor/executor.go index a323bcc9cc94..61da4c9dd7c3 100644 --- a/vendor/github.com/moby/buildkit/executor/executor.go @@ -2279,7 +2301,7 @@ index a323bcc9cc94..61da4c9dd7c3 100644 type Mount struct { diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec.go b/vendor/github.com/moby/buildkit/executor/oci/spec.go -index f825b1dce7ef..2c0e81b7b5b2 100644 +index f825b1dce7ef..d8bdf898953b 100644 --- a/vendor/github.com/moby/buildkit/executor/oci/spec.go +++ b/vendor/github.com/moby/buildkit/executor/oci/spec.go @@ -12,7 +12,6 @@ import ( 
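Review bot: In the new control.go hunk, `Solve` silently drops a nil entry of `req.Cache.Imports` with `continue`, whereas the forwarder's `Solve` in frontend/gateway/gateway.go later in this patch rejects the same condition with `errors.Errorf("invalid nil cache import")`. A request carrying a nil import is malformed on either path, and skipping it quietly lets a build proceed without the cache the client asked for while hiding the client bug; unless the skip is deliberate, the controller should fail the same way: `if im == nil { return nil, errors.Errorf("invalid nil cache import") }`. The hunk does not show control.go's import block, so confirm the `errors` package the file already uses for wrapping is in scope. The enclosing `Solve` starts and ends outside the hunk.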
@@ -2298,8 +2320,12 @@ index f825b1dce7ef..2c0e81b7b5b2 100644 } type submounts struct { -@@ -226,10 +226,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) - return mount.Mount{}, nil +@@ -223,12 +223,19 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) + } + h, err := hashstructure.Hash(m, hashstructure.FormatV2, nil) + if err != nil { +- return mount.Mount{}, nil ++ return mount.Mount{}, err } if mr, ok := s.m[h]; ok { - sm, err := sub(mr.mount, subPath) @@ -2308,15 +2334,15 @@ index f825b1dce7ef..2c0e81b7b5b2 100644 + } + sm, unmount, err := sub(mr.mount, subPath) if err != nil { - return mount.Mount{}, nil - } +- return mount.Mount{}, nil ++ return mount.Mount{}, err ++ } + mr.subRefs[subPath] = mountRef{ + mount: sm, + unmount: unmount, -+ } + } return sm, nil } - @@ -254,12 +261,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) Options: opts, }, 
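Review bot: The write `mr.subRefs[subPath] = mountRef{...}` in `subMount` assumes the `mountRef` fetched from `s.m[h]` was created with a non-nil `subRefs` map; assignment into a nil map panics in Go, which is the failure class this backport is meant to remove. The code that populates `s.m` is outside the hunk, so please confirm it initialises the map (presumably `subRefs: map[string]mountRef{}`), or guard before the write with `if mr.subRefs == nil { mr.subRefs = map[string]mountRef{}; s.m[h] = mr }`. Propagating `err` from the `hashstructure.Hash` and `sub` failures instead of returning a silent empty mount is the right change. The enclosing `subMount` continues outside the hunk.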
@@ -2533,6 +2559,70 @@ index 22a8ac1310c4..09e26581a68c 100644 logrus.WithError(err).Warnf("Failed to restore time time mount stub timestamp (os.Chtimes(%q, %v, %v))", dir, atime, mtime) } } +diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go +index f77cd3f52565..6d01dc0f6e33 100644 +--- a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go ++++ b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go +@@ -17,6 +17,18 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) { + return Platforms{}, errors.Wrapf(err, "failed to parse platforms passed to provenance processor") + } + } ++ if len(ps.Platforms) == 0 { ++ return Platforms{}, errors.Errorf("invalid empty platforms index for exporter") ++ } ++ for i, p := range ps.Platforms { ++ if p.ID == "" { ++ return Platforms{}, errors.Errorf("invalid empty platform key for exporter") ++ } ++ if p.Platform.OS == "" || p.Platform.Architecture == "" { ++ return Platforms{}, errors.Errorf("invalid platform value %v for exporter", p.Platform) ++ } ++ ps.Platforms[i].Platform = platforms.Normalize(p.Platform) ++ } + return ps, nil + } + +@@ -36,6 +48,8 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) { + OSFeatures: img.OSFeatures, + Variant: img.Variant, + } ++ } else if img.OS != "" || img.Architecture != "" { ++ return Platforms{}, errors.Errorf("invalid image config: os and architecture must be specified together") + } + } + p = platforms.Normalize(p) +diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go b/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go +index 4cccd9db5128..cf61e0c8e6f4 100644 +--- a/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go ++++ b/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go +@@ -611,11 +611,27 @@ func parseHistoryFromConfig(dt []byte) 
([]ocispecs.History, error) { + } + + func patchImageConfig(dt []byte, descs []ocispecs.Descriptor, history []ocispecs.History, cache []byte, buildInfo []byte, epoch *time.Time) ([]byte, error) { ++ var img ocispecs.Image ++ if err := json.Unmarshal(dt, &img); err != nil { ++ return nil, errors.Wrap(err, "invalid image config for export") ++ } ++ + m := map[string]json.RawMessage{} + if err := json.Unmarshal(dt, &m); err != nil { + return nil, errors.Wrap(err, "failed to parse image config for patch") + } + ++ if m == nil { ++ return nil, errors.Errorf("invalid null image config for export") ++ } ++ ++ if img.OS == "" { ++ return nil, errors.Errorf("invalid image config for export: missing os") ++ } ++ if img.Architecture == "" { ++ return nil, errors.Errorf("invalid image config for export: missing architecture") ++ } ++ + var rootFS ocispecs.RootFS + rootFS.Type = "layers" + for _, desc := range descs { diff --git a/vendor/github.com/moby/buildkit/frontend/frontend.go b/vendor/github.com/moby/buildkit/frontend/frontend.go index 024ac802045c..4a068d17d41f 100644 --- a/vendor/github.com/moby/buildkit/frontend/frontend.go 
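Review bot: The new os/architecture checks in `patchImageConfig` give no reason for rejecting a config that lacks them, and the function now decodes the same `dt` twice (once into `ocispecs.Image`, once into the raw map used for patching), which invites a later "simplification" that drops the guard. A one-line comment above the checks would anchor them, e.g. `// Reject configs without os/architecture up front; presumably the platform index and provenance code downstream dereference both (CVE-2024-23650 class) — confirm against exporter callers.` The `m == nil` guard is only reached when `dt` is the JSON literal `null`, which is worth saying in the comment or the error so readers do not assume it covers the empty-object case. `ParsePlatforms` in parse.go applies the same os/architecture rule in this hunk, so keep the two error messages in step. The enclosing function continues outside the hunk.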
@@ -2554,6 +2644,25 @@ index 024ac802045c..4a068d17d41f 100644 } type FrontendLLBBridge interface { +diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go +index 5ffe67233c50..c5112db9db64 100644 +--- a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go ++++ b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go +@@ -30,8 +30,14 @@ func AttestationToPB[T any](a *result.Attestation[T]) (*pb.Attestation, error) { + } + + func AttestationFromPB[T any](a *pb.Attestation) (*result.Attestation[T], error) { ++ if a == nil { ++ return nil, errors.Errorf("invalid nil attestation") ++ } + subjects := make([]result.InTotoSubject, len(a.InTotoSubjects)) + for i, subject := range a.InTotoSubjects { ++ if subject == nil { ++ return nil, errors.Errorf("invalid nil attestation subject") ++ } + subjects[i] = result.InTotoSubject{ + Kind: subject.Kind, + Name: subject.Name, diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/container.go b/vendor/github.com/moby/buildkit/frontend/gateway/container.go index d6161d1def93..9fb4d928d66d 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/container.go @@ -2665,7 +2774,7 @@ index 7cd25a0e8ea0..331559a39057 100644 return nil, err } diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go b/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go -index 79825d0b651a..8f2af4d34101 100644 +index 79825d0b651a..32971aabab57 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go +++ b/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go @@ -82,7 +82,7 @@ func filterPrefix(opts map[string]string, pfx string) map[string]string { 
@@ -2747,7 +2856,29 @@ index 79825d0b651a..8f2af4d34101 100644 *pipe ctrs map[string]gwclient.Container ctrsMu sync.Mutex -@@ -1001,7 +997,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta +@@ -615,12 +611,21 @@ func (lbf *llbBridgeForwarder) registerResultIDs(results ...solver.Result) (ids + func (lbf *llbBridgeForwarder) Solve(ctx context.Context, req *pb.SolveRequest) (*pb.SolveResponse, error) { + var cacheImports []frontend.CacheOptionsEntry + for _, e := range req.CacheImports { ++ if e == nil { ++ return nil, errors.Errorf("invalid nil cache import") ++ } + cacheImports = append(cacheImports, frontend.CacheOptionsEntry{ + Type: e.Type, + Attrs: e.Attrs, + }) + } + ++ for _, p := range req.SourcePolicies { ++ if p == nil { ++ return nil, errors.Errorf("invalid nil source policy") ++ } ++ } ++ + ctx = tracing.ContextWithSpanFromContext(ctx, lbf.callCtx) + res, err := lbf.llbBridge.Solve(ctx, frontend.SolveRequest{ + Evaluate: req.Evaluate, +@@ -1001,7 +1006,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta // and we want the context to live for the duration of the container. group := session.NewGroup(lbf.sid) @@ -2756,7 +2887,7 @@ index 79825d0b651a..8f2af4d34101 100644 if err != nil { return nil, stack.Enable(err) } -@@ -1011,7 +1007,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta +@@ -1011,7 +1016,7 @@ func (lbf *llbBridgeForwarder) NewContainer(ctx context.Context, in *pb.NewConta return nil, stack.Enable(err) } 
@@ -2765,6 +2896,19 @@ index 79825d0b651a..8f2af4d34101 100644 if err != nil { return nil, stack.Enable(err) } +@@ -1045,6 +1050,12 @@ func (lbf *llbBridgeForwarder) ReleaseContainer(ctx context.Context, in *pb.Rele + } + + func (lbf *llbBridgeForwarder) Warn(ctx context.Context, in *pb.WarnRequest) (*pb.WarnResponse, error) { ++ // validate ranges are valid ++ for _, r := range in.Ranges { ++ if r == nil { ++ return nil, status.Errorf(codes.InvalidArgument, "invalid source range") ++ } ++ } + err := lbf.llbBridge.Warn(ctx, in.Digest, string(in.Short), frontend.WarnOpts{ + Level: int(in.Level), + SourceInfo: in.Info, diff --git a/vendor/github.com/moby/buildkit/snapshot/localmounter.go b/vendor/github.com/moby/buildkit/snapshot/localmounter.go index 9ddb7c1af642..304eebc9e02d 100644 --- a/vendor/github.com/moby/buildkit/snapshot/localmounter.go @@ -2914,7 +3058,7 @@ index edf95cee70cd..3150815bb3bc 100644 // Snapshotter defines interface that any snapshot implementation should satisfy type Snapshotter interface { diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go -index 185fe81f0649..5c95a3e7e958 100644 +index 185fe81f0649..64cdf4cc916c 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go @@ -11,6 +11,7 @@ import ( 
@@ -2944,7 +3088,22 @@ index 185fe81f0649..5c95a3e7e958 100644 } func (b *llbBridge) Warn(ctx context.Context, dgst digest.Digest, msg string, opts frontend.WarnOpts) error { -@@ -151,6 +157,52 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp +@@ -79,6 +85,14 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp + } + var polEngine SourcePolicyEvaluator + if srcPol != nil || len(pol) > 0 { ++ for _, p := range pol { ++ if p == nil { ++ return nil, errors.Errorf("invalid nil policy") ++ } ++ if err := validateSourcePolicy(*p); err != nil { ++ return nil, err ++ } ++ } + if srcPol != nil { + pol = append([]*spb.Policy{srcPol}, pol...) + } +@@ -151,6 +165,52 @@ func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImp return res, nil } @@ -3011,10 +3170,20 @@ index b30581c852d9..8b60f5e885fb 100644 return nil, err } diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go -index 94d25ce5b7b2..c9921085337c 100644 +index 94d25ce5b7b2..16015244aa4b 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go -@@ -440,7 +440,7 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro +@@ -432,6 +432,9 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro + j.SetValue(keyEntitlements, set) + + if srcPol != nil { ++ if err := validateSourcePolicy(*srcPol); err != nil { ++ return nil, err ++ } + j.SetValue(keySourcePolicy, *srcPol) + } + +@@ -440,7 +443,7 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro br := s.bridge(j) var fwd gateway.LLBBridgeForwarder if s.gatewayForwarder != nil && req.Definition == nil && req.Frontend == "" { 
@@ -3023,6 +3192,40 @@ index 94d25ce5b7b2..c9921085337c 100644 defer fwd.Discard() // Register build before calling s.recordBuildHistory, because // s.recordBuildHistory can block for several seconds on +@@ -583,6 +586,23 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro + }, nil + } + ++func validateSourcePolicy(pol spb.Policy) error { ++ for _, r := range pol.Rules { ++ if r == nil { ++ return errors.New("invalid nil rule in policy") ++ } ++ if r.Selector == nil { ++ return errors.New("invalid nil selector in policy") ++ } ++ for _, c := range r.Selector.Constraints { ++ if c == nil { ++ return errors.New("invalid nil constraint in policy") ++ } ++ } ++ } ++ return nil ++} ++ + func runCacheExporters(ctx context.Context, exporters []RemoteCacheExporter, j *solver.Job, cached *result.Result[solver.CachedResult], inp *result.Result[cache.ImmutableRef]) (map[string]string, error) { + eg, ctx := errgroup.WithContext(ctx) + g := session.NewGroup(j.SessionID) +@@ -984,6 +1004,9 @@ func loadSourcePolicy(b solver.Builder) (*spb.Policy, error) { + return errors.Errorf("invalid source policy %T", v) + } + for _, f := range x.Rules { ++ if f == nil { ++ return errors.Errorf("invalid nil policy rule") ++ } + r := *f + srcPol.Rules = append(srcPol.Rules, &r) + } diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go b/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go index 41a31bb9bbba..d57f2a053db1 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go 
@@ -3049,6 +3252,20 @@ index 41a31bb9bbba..d57f2a053db1 100644 } } return nil +diff --git a/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go b/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go +index 79ab4032a5ae..2abe1039071f 100644 +--- a/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go ++++ b/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go +@@ -10,6 +10,9 @@ import ( + + func match(ctx context.Context, src *selectorCache, ref string, attrs map[string]string) (bool, error) { + for _, c := range src.Constraints { ++ if c == nil { ++ return false, errors.Errorf("invalid nil constraint for %v", src) ++ } + switch c.Condition { + case spb.AttrMatch_EQUAL: + if attrs[c.Key] != c.Value { diff --git a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go index f65b426bb201..328580c326df 100644 --- a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go 
@@ -3077,6 +3294,130 @@ index f65b426bb201..328580c326df 100644 + NetworkHost bool + SecurityInsecure bool +} +diff --git a/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go b/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go +index 2debe8835924..bc0df048d0a2 100644 +--- a/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go ++++ b/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go +@@ -13,6 +13,9 @@ func Attributes(attrs []*commonpb.KeyValue) []attribute.KeyValue { + + out := make([]attribute.KeyValue, 0, len(attrs)) + for _, a := range attrs { ++ if a == nil { ++ continue ++ } + kv := attribute.KeyValue{ + Key: attribute.Key(a.Key), + Value: toValue(a.Value), +@@ -42,7 +45,9 @@ func toValue(v *commonpb.AnyValue) attribute.Value { + func boolArray(kv []*commonpb.AnyValue) attribute.Value { + arr := make([]bool, len(kv)) + for i, v := range kv { +- arr[i] = v.GetBoolValue() ++ if v != nil { ++ arr[i] = v.GetBoolValue() ++ } + } + return attribute.BoolSliceValue(arr) + } +@@ -50,7 +55,9 @@ func boolArray(kv []*commonpb.AnyValue) attribute.Value { + func intArray(kv []*commonpb.AnyValue) attribute.Value { + arr := make([]int64, len(kv)) + for i, v := range kv { +- arr[i] = v.GetIntValue() ++ if v != nil { ++ arr[i] = v.GetIntValue() ++ } + } + return attribute.Int64SliceValue(arr) + } +@@ -58,7 +65,9 @@ func intArray(kv []*commonpb.AnyValue) attribute.Value { + func doubleArray(kv []*commonpb.AnyValue) attribute.Value { + arr := make([]float64, len(kv)) + for i, v := range kv { +- arr[i] = v.GetDoubleValue() ++ if v != nil { ++ arr[i] = v.GetDoubleValue() ++ } + } + return attribute.Float64SliceValue(arr) + } +@@ -66,13 +75,15 @@ func doubleArray(kv []*commonpb.AnyValue) attribute.Value { + func stringArray(kv []*commonpb.AnyValue) attribute.Value { + arr := make([]string, len(kv)) + for i, v := range kv { +- arr[i] = v.GetStringValue() ++ if v != nil { ++ arr[i] = v.GetStringValue() ++ } + } + 
return attribute.StringSliceValue(arr) + } + + func arrayValues(kv []*commonpb.AnyValue) attribute.Value { +- if len(kv) == 0 { ++ if len(kv) == 0 || kv[0] == nil { + return attribute.StringSliceValue([]string{}) + } + +diff --git a/vendor/github.com/moby/buildkit/util/tracing/transform/span.go b/vendor/github.com/moby/buildkit/util/tracing/transform/span.go +index f07d0c98e974..21137e704139 100644 +--- a/vendor/github.com/moby/buildkit/util/tracing/transform/span.go ++++ b/vendor/github.com/moby/buildkit/util/tracing/transform/span.go +@@ -32,14 +32,20 @@ func Spans(sdl []*tracepb.ResourceSpans) []tracesdk.ReadOnlySpan { + } + + for _, sdi := range sd.InstrumentationLibrarySpans { +- sda := make([]tracesdk.ReadOnlySpan, len(sdi.Spans)) +- for i, s := range sdi.Spans { +- sda[i] = &readOnlySpan{ ++ if sdi == nil { ++ continue ++ } ++ sda := make([]tracesdk.ReadOnlySpan, 0, len(sdi.Spans)) ++ for _, s := range sdi.Spans { ++ if s == nil { ++ continue ++ } ++ sda = append(sda, &readOnlySpan{ + pb: s, + il: sdi.InstrumentationLibrary, + resource: sd.Resource, + schemaURL: sd.SchemaUrl, +- } ++ }) + } + out = append(out, sda...) + } +@@ -165,6 +171,9 @@ var _ tracesdk.ReadOnlySpan = &readOnlySpan{} + + // status transform a OTLP span status into span code. + func statusCode(st *tracepb.Status) codes.Code { ++ if st == nil { ++ return codes.Unset ++ } + switch st.Code { + case tracepb.Status_STATUS_CODE_ERROR: + return codes.Error +@@ -181,6 +190,9 @@ func links(links []*tracepb.Span_Link) []tracesdk.Link { + + sl := make([]tracesdk.Link, 0, len(links)) + for _, otLink := range links { ++ if otLink == nil { ++ continue ++ } + // This redefinition is necessary to prevent otLink.*ID[:] copies + // being reused -- in short we need a new otLink per iteration. 
+ otLink := otLink +@@ -221,6 +233,9 @@ func spanEvents(es []*tracepb.Span_Event) []tracesdk.Event { + if messageEvents >= maxMessageEventsPerSpan { + break + } ++ if e == nil { ++ continue ++ } + messageEvents++ + events = append(events, + tracesdk.Event{ diff --git a/vendor/github.com/moby/buildkit/worker/worker.go b/vendor/github.com/moby/buildkit/worker/worker.go index 2f426e9ead40..0a708227204b 100644 --- a/vendor/github.com/moby/buildkit/worker/worker.go @@ -3128,7 +3469,7 @@ index e175b4002b4a..150eed352a3a 100644 + return c.c.WorkerInfos() +} diff --git a/vendor/modules.txt b/vendor/modules.txt -index dd3fb54fefd2..2a3b597c5858 100644 +index dd3fb54fefd2..9adbc22b99fc 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -577,7 +577,7 @@ github.com/mistifyio/go-zfs/v3 @@ -3136,7 +3477,7 @@ index dd3fb54fefd2..2a3b597c5858 100644 ## explicit; go 1.14 github.com/mitchellh/hashstructure/v2 -# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c -+# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 ++# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 ## explicit; go 1.18 github.com/moby/buildkit/api/services/control github.com/moby/buildkit/api/types @@ -3144,7 +3485,7 @@ index dd3fb54fefd2..2a3b597c5858 100644 # resenje.org/singleflight v0.3.0 ## explicit; go 1.18 resenje.org/singleflight -+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 ++# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 -- -2.47.0 +2.47.1 diff --git a/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch b/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch index ad22444..41489ab 100644 --- a/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch 
+++ b/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch @@ -1,7 +1,7 @@ -From 7719675180f785c4e92df7efc25df9adc882b289 Mon Sep 17 00:00:00 2001 +From b760758157cd0d00f46f37f86a9cbee7810cb666 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 2 May 2024 22:50:23 +1000 -Subject: [PATCH 07/13] bsc1221916: update to patched buildkit version to fix +Subject: [PATCH 07/11] bsc1221916: update to patched buildkit version to fix symlink resolution SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916 @@ -16,46 +16,46 @@ Signed-off-by: Aleksa Sarai 6 files changed, 314 insertions(+), 252 deletions(-) diff --git a/builder/builder-next/worker/worker.go b/builder/builder-next/worker/worker.go -index 210218bf5a37..e36517da2914 100644 +index 64d7b9131b16..7b40ac63ce7f 100644 --- a/builder/builder-next/worker/worker.go +++ b/builder/builder-next/worker/worker.go @@ -50,7 +50,7 @@ import ( ) func init() { -- version.Version = "v0.11.7+5d3afed3f7b4" -+ version.Version = "v0.11.7+ea1ca9670261" +- version.Version = "v0.11.7+cd804dd86389" ++ version.Version = "v0.11.7+6b814972ef19" } const labelCreatedAt = "buildkit/createdat" diff --git a/vendor.mod b/vendor.mod -index 7946cbb75613..878ec24cee4b 100644 +index 2eb13746cacd..021d62b21d19 100644 --- a/vendor.mod +++ b/vendor.mod @@ -99,7 +99,7 @@ require ( ) - // github.com/cyphar/buildkit suse-stable-v24.0.9 --replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 -+replace github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 + // github.com/SUSE/buildkit suse-stable-v24.0.9 +-replace github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 ++replace github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19 require ( cloud.google.com/go v0.102.1 // indirect diff --git a/vendor.sum b/vendor.sum -index a426cdb147ce..187a4138d110 100644 +index 716245c80413..4bdbbeb3f073 100644 
--- a/vendor.sum 
+++ b/vendor.sum -@@ -446,8 +446,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 - github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= - github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= - github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= --github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 h1:e2A5JTqDADxy9xYHM0KxRXfYl9wCISpo5TitiaUmfGw= --github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM= -+github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 h1:xcmjjOjBMdaa2Z3Blblc3J2FraOISKtT6I/cjGG/244= -+github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM= - github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= - github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= - github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +@@ -141,8 +141,8 @@ github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdko + github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= + github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91 h1:vX+gnvBc56EbWYrmlhYbFYRaeikAke1GL84N4BEYOFE= + github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91/go.mod h1:cDLGBht23g0XQdLjzn6xOGXDkLK182YfINAaZEQLCHQ= +-github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 h1:EKne0CAOXpf1QuZ3+jj7PTpOtSn+q1Yz5H6pAwrOktY= +-github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389/go.mod h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM= ++github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19 h1:3gfqJcXxLASvlAfgd+TFPrrhNrM+O26HplOhi3BNT+A= ++github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19/go.mod 
h1:bMQDryngJKGvJ/ZuRFhrejurbvYSv3NkGCheQ59X4AM= + github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= + github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= + github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= diff --git a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go b/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go index dcf424a6b4fc..13a74be24c4e 100644 --- a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go @@ -875,15 +875,15 @@ index 42b7fd8349c7..ae950f713241 100644 + return filepath.Join(root, finalPath), nil } diff --git a/vendor/modules.txt b/vendor/modules.txt -index 2a3b597c5858..335c85392288 100644 +index 9adbc22b99fc..27bc31dfd397 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -577,7 +577,7 @@ github.com/mistifyio/go-zfs/v3 # github.com/mitchellh/hashstructure/v2 v2.0.2 ## explicit; go 1.14 github.com/mitchellh/hashstructure/v2 --# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 -+# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 +-# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 ++# github.com/moby/buildkit v0.11.7-0.20240124010513-435cb77e369c => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19 ## explicit; go 1.18 github.com/moby/buildkit/api/services/control github.com/moby/buildkit/api/types 
@@ -891,8 +891,8 @@ index 2a3b597c5858..335c85392288 100644 # resenje.org/singleflight v0.3.0 ## explicit; go 1.18 resenje.org/singleflight --# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 -+# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 +-# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 ++# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19 -- -2.47.0 +2.47.1 diff --git a/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch b/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch index 4ee4b9c..8bac3ec 100644 --- a/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch +++ b/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch @@ -1,7 +1,7 @@ -From b6213c77313f15ac74a551b9a03670fce06280fb Mon Sep 17 00:00:00 2001 +From 12c8b7a22f7140b5b4d2c87a7e5d70da082fe558 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 19 Jun 2024 16:30:49 +1000 -Subject: [PATCH 08/13] bsc1214855: volume: use AtomicWriteFile to save volume +Subject: [PATCH 08/11] bsc1214855: volume: use AtomicWriteFile to save volume options If the system (or Docker) crashes while saivng the volume options, on @@ -22,6 +22,7 @@ that has the wrong config is better than Docker not being able to start. [1]: commit b05b2370757d ("Support mount opts for `local` volume driver") SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1214855 +(Cherry-picked from commit b4c20da143502e5fc21cc4996b63e83691c515bf.) Signed-off-by: Aleksa Sarai --- volume/local/local.go | 3 ++- @@ -49,5 +50,5 @@ index b4f3a3669a84..077b26f1b813 100644 return errdefs.System(errors.Wrap(err, "error while persisting volume options")) } -- -2.47.0 +2.47.1 diff --git a/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch b/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch index 9fd13be..a0ddf2f 100644 
--- a/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch +++ b/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch @@ -1,7 +1,7 @@ -From 989f5ae4dea1619b7e1d7ec7f9cac8d64b3a2209 Mon Sep 17 00:00:00 2001 +From 49605be604df94e216168288cdbcae0fda04d641 Mon Sep 17 00:00:00 2001 From: Jameson Hyde Date: Mon, 26 Nov 2018 14:15:22 -0500 -Subject: [PATCH 09/13] CVE-2024-41110: AuthZ plugin securty fixes +Subject: [PATCH 09/11] CVE-2024-41110: AuthZ plugin securty fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -205,5 +205,5 @@ index 835cb703839b..8bfe44e1a840 100644 } } -- -2.47.0 +2.47.1 diff --git a/0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch b/0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch new file mode 100644 index 0000000..6c42fe8 --- /dev/null +++ b/0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch 
@@ -0,0 +1,139 @@ +From 60abff4c864c08b4ea05d96a304f6cf3f0cca787 Mon Sep 17 00:00:00 2001 +From: Albin Kerouanton +Date: Tue, 10 Oct 2023 01:13:25 +0200 +Subject: [PATCH 10/11] CVE-2024-29018: libnet: Don't forward to upstream + resolvers on internal nw + +Commit cbc2a71c2 makes `connect` syscall fail fast when a container is +only attached to an internal network. Thanks to that, if such a +container tries to resolve an "external" domain, the embedded resolver +returns an error immediately instead of waiting for a timeout. + +This commit makes sure the embedded resolver doesn't even try to forward +to upstream servers. + +Co-authored-by: Albin Kerouanton +Signed-off-by: Rob Murray +(Cherry-picked from commit 790c3039d0ca5ed86ecd099b4b571496607628bc.) +[Drop test additions and test-related patches.] +Signed-off-by: Aleksa Sarai +--- + libnetwork/endpoint.go | 12 +++++++++++- + libnetwork/resolver.go | 17 +++++++++++++---- + libnetwork/sandbox_dns_unix.go | 6 +++++- + 3 files changed, 29 insertions(+), 6 deletions(-) + +diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go +index b9903bb90188..b90500ce97a1 100644 +--- a/libnetwork/endpoint.go ++++ b/libnetwork/endpoint.go +@@ -520,8 +520,13 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) { + return sb.setupDefaultGW() + } + +- moveExtConn := sb.getGatewayEndpoint() != extEp ++ currentExtEp := sb.getGatewayEndpoint() ++ // Enable upstream forwarding if the sandbox gained external connectivity. 
++ if sb.resolver != nil { ++ sb.resolver.SetForwardingPolicy(currentExtEp != nil) ++ } + ++ moveExtConn := currentExtEp != extEp + if moveExtConn { + if extEp != nil { + logrus.Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) +@@ -751,6 +756,11 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption) + + // New endpoint providing external connectivity for the sandbox + extEp = sb.getGatewayEndpoint() ++ // Disable upstream forwarding if the sandbox lost external connectivity. ++ if sb.resolver != nil { ++ sb.resolver.SetForwardingPolicy(extEp != nil) ++ } ++ + if moveExtConn && extEp != nil { + logrus.Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) + extN, err := extEp.getNetworkFromStore() +diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go +index ab19b7b08fc0..70ca33b53590 100644 +--- a/libnetwork/resolver.go ++++ b/libnetwork/resolver.go +@@ -7,6 +7,7 @@ import ( + "net" + "strings" + "sync" ++ "sync/atomic" + "time" + + "github.com/docker/docker/libnetwork/types" +@@ -69,7 +70,7 @@ type Resolver struct { + tcpListen *net.TCPListener + err error + listenAddress string +- proxyDNS bool ++ proxyDNS atomic.Bool + startCh chan struct{} + logger *logrus.Logger + +@@ -79,15 +80,17 @@ type Resolver struct { + + // NewResolver creates a new instance of the Resolver + func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver { +- return &Resolver{ ++ r := &Resolver{ + backend: backend, +- proxyDNS: proxyDNS, + listenAddress: address, + err: fmt.Errorf("setup not done yet"), + startCh: make(chan struct{}, 1), + fwdSem: semaphore.NewWeighted(maxConcurrent), + logInverval: rate.Sometimes{Interval: logInterval}, + } ++ r.proxyDNS.Store(proxyDNS) ++ ++ return r + } + + func (r *Resolver) log() *logrus.Logger { +@@ -192,6 +195,12 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) { + } + } + ++// SetForwardingPolicy re-configures the 
embedded DNS resolver to either enable or disable forwarding DNS queries to ++// external servers. ++func (r *Resolver) SetForwardingPolicy(policy bool) { ++ r.proxyDNS.Store(policy) ++} ++ + // NameServer returns the IP of the DNS resolver for the containers. + func (r *Resolver) NameServer() string { + return r.listenAddress +@@ -407,7 +416,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) { + return + } + +- if r.proxyDNS { ++ if r.proxyDNS.Load() { + // If the user sets ndots > 0 explicitly and the query is + // in the root domain don't forward it out. We will return + // failure and let the client retry with the search domain +diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go +index 2218c6960e45..e3bb9abce93b 100644 +--- a/libnetwork/sandbox_dns_unix.go ++++ b/libnetwork/sandbox_dns_unix.go +@@ -28,7 +28,11 @@ const ( + func (sb *Sandbox) startResolver(restore bool) { + sb.resolverOnce.Do(func() { + var err error +- sb.resolver = NewResolver(resolverIPSandbox, true, sb) ++ // The resolver is started with proxyDNS=false if the sandbox does not currently ++ // have a gateway. So, if the Sandbox is only connected to an 'internal' network, ++ // it will not forward DNS requests to external resolvers. The resolver's ++ // proxyDNS setting is then updated as network Endpoints are added/removed. ++ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb) + defer func() { + if err != nil { + sb.resolver = nil +-- +2.47.1 + diff --git a/0010-TESTS-backport-fixes-for-integration-tests.patch b/0011-TESTS-backport-fixes-for-integration-tests.patch similarity index 94% rename from 0010-TESTS-backport-fixes-for-integration-tests.patch rename to 0011-TESTS-backport-fixes-for-integration-tests.patch index 601888f..8e0023d 100644 --- a/0010-TESTS-backport-fixes-for-integration-tests.patch +++ b/0011-TESTS-backport-fixes-for-integration-tests.patch 
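Review bot: The backport drops the upstream test additions (see the `[Drop test additions and test-related patches.]` note in the patch preamble), so nothing in this package exercises the property the fix is meant to guarantee — that a sandbox attached only to an `internal` network never has its queries forwarded to upstream resolvers; at minimum the integration-test patch or `%check` should start a container on a `--internal` network and assert that an external lookup fails immediately rather than on timeout. The new `proxyDNS atomic.Bool` field in resolver.go requires Go 1.19 or later, so confirm the go toolchain in this branch's BuildRequires satisfies that (the vendored buildkit module is still marked `go 1.18`). In `sbJoin` the policy flip `sb.resolver.SetForwardingPolicy(currentExtEp != nil)` runs before the `moveExtConn` programming and its error paths, so a join that fails part-way can leave forwarding enabled until the caller's `sbLeave` rollback recomputes it — presumably harmless because `connect` fails fast on an internal-only sandbox (per the referenced cbc2a71c2), but a one-line comment such as `// Re-evaluated in sbLeave if this join is rolled back.` would make the intent explicit. Only fragments of `sbJoin`/`sbLeave` are visible in the nested hunks, so whether the unsynchronized `sb.resolver != nil` reads are covered by the sandbox lock could not be confirmed from here.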
@@ -1,7 +1,7 @@ -From 971d5a3b8431c9263060b12c6b131ebb8158a389 Mon Sep 17 00:00:00 2001 +From 0392c617b8e75f0b59a922f95c691fdd05eaf99f Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 21 Nov 2024 20:00:07 +1100 -Subject: [PATCH 10/10] TESTS: backport fixes for integration tests +Subject: [PATCH 11/11] TESTS: backport fixes for integration tests We need a couple of patches to make the tests work on SLES: diff --git a/docker-stable.changes b/docker-stable.changes index 2a68825..154bf29 100644 --- a/docker-stable.changes +++ b/docker-stable.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Wed Dec 18 05:53:11 UTC 2024 - Aleksa Sarai + +- Add backport for CVE-2024-29018 fix. bsc#1234089 + + 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch +- Add backport for CVE-2024-23650 fix. bsc#1219437 + - 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch + + 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch +- Reorder and rebase patches: + * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch + * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch + * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch + - 0010-TESTS-backport-fixes-for-integration-tests.patch + + 0011-TESTS-backport-fixes-for-integration-tests.patch + ------------------------------------------------------------------- Tue Dec 17 13:20:39 UTC 2024 - Aleksa Sarai diff --git a/docker-stable.spec b/docker-stable.spec index 9c1c226..182b320 100644 --- a/docker-stable.spec +++ b/docker-stable.spec 
@@ -113,10 +113,11 @@ Patch201: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
 Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
 # UPSTREAM: Backport of several BuildKit patches:
+# (Various patches.) CVE-2024-23650
 # CVE-2024-23651
 # CVE-2024-23652
 # CVE-2024-23653
-Patch203: 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
+Patch203: 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
 # UPSTREAM: Backport of and
 # . bsc#1221916
 Patch204: 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
@@ -125,9 +126,11 @@ Patch205: 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
 # UPSTREAM: Backport of
 # fix. CVE-2024-41110
 Patch206: 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
+# UPSTREAM: Backport of . CVE-2024-29018
+Patch207: 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
 # UPSTREAM: Backport of and
 # .
-Patch299: 0010-TESTS-backport-fixes-for-integration-tests.patch
+Patch299: 0011-TESTS-backport-fixes-for-integration-tests.patch
 # UPSTREAM: Backport of .
 Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
 BuildRequires: audit
@@ -394,6 +397,8 @@ cp %{SOURCE130} .
 %patch -P205 -p1
 # CVE-2024-41110
 %patch -P206 -p1
+# CVE-2024-29018
+%patch -P207 -p1
 %if %{with integration_tests}
 # integration-tests patches
 %patch -P299 -p1