Accepting request 935874 from home:cyphar:docker

- Update to runc v1.0.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784

  * A potential vulnerability was discovered in runc (related to an internal
    usage of netlink), however upon further investigation we discovered that
    while this bug was exploitable on the master branch of runc, no released
    version of runc could be exploited using this bug. The exploit required
    being able to create a netlink attribute with a length that would overflow a
    uint16 but this was not possible in any released version of runc. For more
    information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.

    Due to an abundance of caution we decided to do an emergency release with
    this fix, but to reiterate we do not believe this vulnerability was
    possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
    discovering and reporting this vulnerability so quickly.
  * Fixed inability to start a container with read-write bind mount of a
    read-only fuse host mount.
  * Fixed inability to start when read-only /dev in set in spec.
  * Fixed not removing sub-cgroups upon container delete, when rootless cgroup
    v2 is used with older systemd.
  * Fixed returning error from GetStats when hugetlb is unsupported (which
    causes excessive logging for kubernetes).

OBS-URL: https://build.opensuse.org/request/show/935874
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=118

runc-1.0.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:740acb49e33eaf4958b5109c85363c1d3900f242d4cab47fbdbefa6f8f3c6909
-size 1414636

runc-1.0.2.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmEjV+UQHGFzYXJhaUBz
-dXNlLmNvbQAKCRCeGKomfduNtCm3EACpeyPHWK+/W2neUO0h1OmBwjh5T6MEfFKw
-Jykfcy2hmBOeDA6BrDtmCYm1ehUFAysj3PZ67gg40m9jI9/0EbEs00JVHLMwtM9L
-SiJu+5M3xJUZJxIZ7mC0JdYVWJIWraKHmpsaTdox/gy9vMjGs4GfzrfvTcDCYZcn
-wPTPVQJI1guK8+4C2vjgVPTLKARnpflsXNdlMM0B6r4bJDW/I5vsrTbJpxrEx+e4
-YiBI1mNCElIK8w75oefAovXEotAcDXN/gIdXwFmlL++2sdRYVqSWTbvP1r3axAaD
-XFu0tF1+2kllzurri4DY8ID9TykcI8bNKHnSzmwY9me4NoCOnD8j9QEwm0apKYEw
-ddxopfzlT+WFM4Nq4QqwEN9aY0kHfhGqvEwUAjK5pWd5F4lBF0YDE9M+2SQ/mrqS
-SRnHTbiyEzuuGzfZvVZuaz1KfSldyr1FTV+9H6eBmMHUzIAYjTm4F0QQVAP6/isn
-YcAlogzWoCsZw9V2TmtURCCIoZvnjmgnnDYOqA8zbuhsd8s/RT1A37UhNztOGC+s
-BvEDCn1c0Duo48UUZ5SnGL90xwBnzj0CJniJpnWNk5Rhb2hASevDESt6gugKndvQ
-bwbckX6iFcHMaavHDjQ8DWjFRGePk4QZgURMZOYln5vyLXtaG11ezKFV5lkth7RA
-fce5QrFY7A==
-=3xEL
------END PGP SIGNATURE-----

runc-1.0.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9297b338f3b382cc3a40d4c4a3bfbe8ff8db9761028691a67ea68e612d21ab6
+size 1415820

runc-1.0.3.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmGtjaEPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420Wv8QALHxw0muAoTPwFNkh3KLbGtiCiniFEJsaWCq
++abTJKOURbRzM2GuTu78cu305PC7KJcy33jgUK7g9AeuJkGj08OqqqIZeQNHThIq
+LQfZOBKjX6PoXSFGSAQzwEehp+Nx8zc09e4u6yspr3GqKgxAlag0aq+qgiwvay/I
+7sfFu54ooEw2zom+EHfYOOuMpmRSP38zw77USpqR6OUQQAm/UX1fGJdEi15qqS2U
+31oUiSRkxwttvJTxXXpcGf71oB8iBLfM4BhFCkHLX0+uQUFh22Nmr8D4d8JE3ur+
+xOJRXfF28o8lNV/ixQ+8c2YvxObF2hqine5ScZ1g8D0/d3oLZDKxuWb7lvSxXnRy
+Ij1Jkw6Lg8RMjvPjjGn+P+l4N74fnPB1oUQIkpBg5YEufUph9NMiURdcbr28w4Is
+alV37DgQno+QxGCou4os7XFlapeLUkc44FN3FNIlCUMew69X8e+QnBo3X4nkm1cl
+rDr+HjmjgZi1vyry/klVfaYy8g8hMmplU0TKRI4wAwElNW0qQZZIvuh+EbLxbVfE
+1Xi1xZM4P2P9vpIYsem9fBQtHexV9j9NnBoZQnF874rUgLFadYHg84IK1lmiEcTr
+0JNUU1l+dLTXGzt9qpOFnVSzQy7fECagEXNLPWBOQzL0esdvZpu+dx3aosKyKDNv
+eJJjGgZy
+=jAoe
+-----END PGP SIGNATURE-----

runc.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Mon Dec  6 04:38:25 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.3. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784
+
+  * A potential vulnerability was discovered in runc (related to an internal
+    usage of netlink), however upon further investigation we discovered that
+    while this bug was exploitable on the master branch of runc, no released
+    version of runc could be exploited using this bug. The exploit required
+    being able to create a netlink attribute with a length that would overflow a
+    uint16 but this was not possible in any released version of runc. For more
+    information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.
+
+    Due to an abundance of caution we decided to do an emergency release with
+    this fix, but to reiterate we do not believe this vulnerability was
+    possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
+    discovering and reporting this vulnerability so quickly.
+  * Fixed inability to start a container with read-write bind mount of a
+    read-only fuse host mount.
+  * Fixed inability to start when read-only /dev in set in spec.
+  * Fixed not removing sub-cgroups upon container delete, when rootless cgroup
+    v2 is used with older systemd.
+  * Fixed returning error from GetStats when hugetlb is unsupported (which
+    causes excessive logging for kubernetes).
+
 -------------------------------------------------------------------
 Mon Aug 23 09:35:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>
 

runc.spec

@@ -21,12 +21,12 @@
 %define git_version 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7
 
 # Package-wide golang version
-%define go_version 1.13
+%define go_version 1.16
 %define project github.com/opencontainers/runc
 
 Name:           runc
-Version:        1.0.2
-%define _version 1.0.2
+Version:        1.0.3
+%define _version 1.0.3
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0