From 1eaf2f6f5b07d37aebbb6f059b709a3a01605a2a948af2fb1c45840a79a3fe22 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Mon, 6 Dec 2021 04:44:55 +0000 Subject: [PATCH] Accepting request 935874 from home:cyphar:docker - Update to runc v1.0.3. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784 * A potential vulnerability was discovered in runc (related to an internal usage of netlink), however upon further investigation we discovered that while this bug was exploitable on the master branch of runc, no released version of runc could be exploited using this bug. The exploit required being able to create a netlink attribute with a length that would overflow a uint16 but this was not possible in any released version of runc. For more information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784. Due to an abundance of caution we decided to do an emergency release with this fix, but to reiterate we do not believe this vulnerability was possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability so quickly. * Fixed inability to start a container with read-write bind mount of a read-only fuse host mount. * Fixed inability to start when read-only /dev in set in spec. * Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd. * Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes). OBS-URL: https://build.opensuse.org/request/show/935874 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=118 --- runc-1.0.2.tar.xz | 3 --- runc-1.0.2.tar.xz.asc | 17 ----------------- runc-1.0.3.tar.xz | 3 +++ runc-1.0.3.tar.xz.asc | 17 +++++++++++++++++ runc.changes | 26 ++++++++++++++++++++++++++ runc.spec | 6 +++--- 6 files changed, 49 insertions(+), 23 deletions(-) delete mode 100644 runc-1.0.2.tar.xz delete mode 100644 runc-1.0.2.tar.xz.asc create mode 100644 runc-1.0.3.tar.xz create mode 100644 runc-1.0.3.tar.xz.asc 
diff --git a/runc-1.0.2.tar.xz b/runc-1.0.2.tar.xz
deleted file mode 100644
index aa1269c..0000000
--- a/runc-1.0.2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:740acb49e33eaf4958b5109c85363c1d3900f242d4cab47fbdbefa6f8f3c6909
-size 1414636
diff --git a/runc-1.0.2.tar.xz.asc b/runc-1.0.2.tar.xz.asc
deleted file mode 100644
index a4c9b35..0000000
--- a/runc-1.0.2.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmEjV+UQHGFzYXJhaUBz
-dXNlLmNvbQAKCRCeGKomfduNtCm3EACpeyPHWK+/W2neUO0h1OmBwjh5T6MEfFKw
-Jykfcy2hmBOeDA6BrDtmCYm1ehUFAysj3PZ67gg40m9jI9/0EbEs00JVHLMwtM9L
-SiJu+5M3xJUZJxIZ7mC0JdYVWJIWraKHmpsaTdox/gy9vMjGs4GfzrfvTcDCYZcn
-wPTPVQJI1guK8+4C2vjgVPTLKARnpflsXNdlMM0B6r4bJDW/I5vsrTbJpxrEx+e4
-YiBI1mNCElIK8w75oefAovXEotAcDXN/gIdXwFmlL++2sdRYVqSWTbvP1r3axAaD
-XFu0tF1+2kllzurri4DY8ID9TykcI8bNKHnSzmwY9me4NoCOnD8j9QEwm0apKYEw
-ddxopfzlT+WFM4Nq4QqwEN9aY0kHfhGqvEwUAjK5pWd5F4lBF0YDE9M+2SQ/mrqS
-SRnHTbiyEzuuGzfZvVZuaz1KfSldyr1FTV+9H6eBmMHUzIAYjTm4F0QQVAP6/isn
-YcAlogzWoCsZw9V2TmtURCCIoZvnjmgnnDYOqA8zbuhsd8s/RT1A37UhNztOGC+s
-BvEDCn1c0Duo48UUZ5SnGL90xwBnzj0CJniJpnWNk5Rhb2hASevDESt6gugKndvQ
-bwbckX6iFcHMaavHDjQ8DWjFRGePk4QZgURMZOYln5vyLXtaG11ezKFV5lkth7RA
-fce5QrFY7A==
-=3xEL
------END PGP SIGNATURE-----
diff --git a/runc-1.0.3.tar.xz b/runc-1.0.3.tar.xz
new file mode 100644
index 0000000..2850dd8
--- /dev/null
+++ b/runc-1.0.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9297b338f3b382cc3a40d4c4a3bfbe8ff8db9761028691a67ea68e612d21ab6
+size 1415820
diff --git a/runc-1.0.3.tar.xz.asc b/runc-1.0.3.tar.xz.asc
new file mode 100644
index 0000000..0488024
--- /dev/null
+++ b/runc-1.0.3.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmGtjaEPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420Wv8QALHxw0muAoTPwFNkh3KLbGtiCiniFEJsaWCq
++abTJKOURbRzM2GuTu78cu305PC7KJcy33jgUK7g9AeuJkGj08OqqqIZeQNHThIq
+LQfZOBKjX6PoXSFGSAQzwEehp+Nx8zc09e4u6yspr3GqKgxAlag0aq+qgiwvay/I
+7sfFu54ooEw2zom+EHfYOOuMpmRSP38zw77USpqR6OUQQAm/UX1fGJdEi15qqS2U
+31oUiSRkxwttvJTxXXpcGf71oB8iBLfM4BhFCkHLX0+uQUFh22Nmr8D4d8JE3ur+
+xOJRXfF28o8lNV/ixQ+8c2YvxObF2hqine5ScZ1g8D0/d3oLZDKxuWb7lvSxXnRy
+Ij1Jkw6Lg8RMjvPjjGn+P+l4N74fnPB1oUQIkpBg5YEufUph9NMiURdcbr28w4Is
+alV37DgQno+QxGCou4os7XFlapeLUkc44FN3FNIlCUMew69X8e+QnBo3X4nkm1cl
+rDr+HjmjgZi1vyry/klVfaYy8g8hMmplU0TKRI4wAwElNW0qQZZIvuh+EbLxbVfE
+1Xi1xZM4P2P9vpIYsem9fBQtHexV9j9NnBoZQnF874rUgLFadYHg84IK1lmiEcTr
+0JNUU1l+dLTXGzt9qpOFnVSzQy7fECagEXNLPWBOQzL0esdvZpu+dx3aosKyKDNv
+eJJjGgZy
+=jAoe
+-----END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
index 1b8142a..40fdd75 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Mon Dec 6 04:38:25 UTC 2021 - Aleksa Sarai
+
+- Update to runc v1.0.3. Upstream changelog is available from
+ https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784
+
+ * A potential vulnerability was discovered in runc (related to an internal
+ usage of netlink), however upon further investigation we discovered that
+ while this bug was exploitable on the master branch of runc, no released
+ version of runc could be exploited using this bug. The exploit required
+ being able to create a netlink attribute with a length that would overflow a
+ uint16 but this was not possible in any released version of runc. For more
+ information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.
+
+ Due to an abundance of caution we decided to do an emergency release with
+ this fix, but to reiterate we do not believe this vulnerability was
+ possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
+ discovering and reporting this vulnerability so quickly.
+ * Fixed inability to start a container with read-write bind mount of a
+ read-only fuse host mount.
+ * Fixed inability to start when read-only /dev in set in spec.
+ * Fixed not removing sub-cgroups upon container delete, when rootless cgroup
+ v2 is used with older systemd.
+ * Fixed returning error from GetStats when hugetlb is unsupported (which
+ causes excessive logging for kubernetes).
+
 -------------------------------------------------------------------
 Mon Aug 23 09:35:05 UTC 2021 - Aleksa Sarai
diff --git a/runc.spec b/runc.spec
index 7d1d342..3506213 100644
--- a/runc.spec
+++ b/runc.spec
@@ -21,12 +21,12 @@
 %define git_version 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7
 # Package-wide golang version
-%define go_version 1.13
+%define go_version 1.16
 %define project github.com/opencontainers/runc
 Name: runc
-Version: 1.0.2
-%define _version 1.0.2
+Version: 1.0.3
+%define _version 1.0.3
 Release: 0
 Summary: Tool for spawning and running OCI containers
 License: Apache-2.0
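Review bot: The `%define git_version 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7` context line at the top of the hunk is left unchanged while `Version:` and `_version` move from 1.0.2 to 1.0.3; its use is outside the hunk, but if it is what the build stamps into the binary's reported commit, it should be bumped together with the version, e.g. `%define git_version <v1.0.3 tag commit>`, so that the commit a deployed runc reports matches the sources actually built from the 1.0.3 tarball. The `go_version` bump from 1.13 to 1.16 is a packaging-side change that the accompanying runc.changes entry in this commit does not mention; a one-line entry such as `- Bump go_version to 1.16.` would keep the changelog complete for anyone auditing what changed in the build.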