Compare commits
35 Commits
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:837185e9041c795187eb0f775af8d0b76869e98376bad7cf5f3249a2c636e794
|
||||
size 1609672
|
||||
@@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iHUEABYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCZtZoygAKCRAol/rSt+lE
|
||||
bx7WAP0SyVg+qUJHACE0IkVAxaBzqVjNFVhdLY5ieF9h4LE0KgEA5Aa2n1k22JMX
|
||||
0774jwpF778ieaNR3L6sf/hKjAXTmwM=
|
||||
=6S7t
|
||||
-----END PGP SIGNATURE-----
|
||||
3
runc-1.4.0.tar.xz
Normal file
@@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f67c16fe40d078be6bf40006b086068951ab885ad815dfe8fa96c0a546aac57f
|
||||
size 1757532
|
||||
8
runc-1.4.0.tar.xz.asc
Normal file
@@ -0,0 +1,8 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iJEEABYKADkWIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCaSjfMhsUgAAAAAAEAA5t
|
||||
YW51MiwyLjUrMS4xMSwyLDIACgkQKJf60rfpRG/eqAEAwPxNZ+FK9ZSO7oC6dJZO
|
||||
jc64PTUcqgTFXm27XrYDE50A/3yskKjS6N0e5YK3D7+J0fKTZCrUZIy8Yv02eYPc
|
||||
G5YO
|
||||
=HU7f
|
||||
-----END PGP SIGNATURE-----
|
||||
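Review bot: the tarball is committed as a Git LFS pointer, so the only integrity value visible in this diff is the pointer's `oid sha256:` line, and the detached signature added in this hunk cannot be checked from the diff itself. Before merging, fetch runc-1.4.0.tar.xz, confirm its SHA-256 equals the pointer's oid, and verify runc-1.4.0.tar.xz.asc against it using only the keys in runc.keyring rather than a personal keyring.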
118
runc.changes
@@ -1,9 +1,121 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 28 00:40:42 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Add libpathrs build option to allow builds to switch to libpathrs. In future
|
||||
we will switch to enabling this by default for Tumbleweed and Leap >= 16.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 28 00:20:15 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.4.0. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.4.0>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 5 10:05:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.3.3. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
|
||||
* CVE-2025-31133
|
||||
* CVE-2025-52565
|
||||
* CVE-2025-52881
|
||||
- Remove upstreamed patches for bsc#1252232:
|
||||
- 2025-11-05-CVEs.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 16 02:16:12 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
[ This update was only released for SLE 12 and 15. ]
|
||||
|
||||
- Backport patches for three CVEs. All three vulnerabilities ultimately allow
|
||||
(through different methods) for full container breakouts by bypassing runc's
|
||||
restrictions for writing to arbitrary /proc files. bsc#1252232
|
||||
* CVE-2025-31133
|
||||
* CVE-2025-52565
|
||||
* CVE-2025-52881
|
||||
+ 2025-11-05-CVEs.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 10 14:10:23 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
[ This update was only released for SLE 12 and 15. ]
|
||||
|
||||
- Update to runc v1.2.7. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.7>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Oct 4 05:01:50 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.3.2. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
|
||||
- Includes an important fix for the CPUSet translation for cgroupv2.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 4 15:29:15 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.3.1. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.3.1>
|
||||
- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 29 15:23:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.3.0. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.3.0>
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 10 03:52:03 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.6. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.6>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 14 01:31:56 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.5. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.5>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 7 06:31:57 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.4. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.4>.
|
||||
- Update runc.keyring to match upstream.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 11 02:01:52 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.3. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.3>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 16 01:55:06 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.2. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.2>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 1 22:26:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.1. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.1>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 21 22:42:50 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.0. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.0>.
|
||||
- Remove upstreamed patches.
|
||||
- 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
|
||||
- 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
|
||||
- 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
|
||||
- 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 3 02:01:16 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.0~rc3. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.3>.
|
||||
Includes the patch for CVE-2024-45310.
|
||||
Includes the patch for CVE-2024-45310. bsc#1230092
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 3 01:57:20 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
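Review bot: the Thu Oct 16 entry adds a patch named 2025-11-05-CVEs.patch, a date about three weeks later than the entry's own timestamp, and it does not say which runc version the backport applies to (the preceding SLE-only entry is v1.2.7). If the entry was written ahead of the fix's publication date, a short bracketed remark like the existing "[ This update was only released for SLE 12 and 15. ]" line, plus the base version, would let anyone auditing CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881 see when and where the fix actually shipped. Minor style point: the URL lines for v1.3.2, v1.3.1 and v1.3.0 lack the trailing period used by the other entries.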
@@ -12,7 +124,7 @@ Tue Sep 3 01:57:20 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.1.14. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
|
||||
Includes the patch for CVE-2024-45310.
|
||||
Includes the patch for CVE-2024-45310. bsc#1230092
|
||||
|
||||
- Rebase patches:
|
||||
* 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
|
||||
@@ -26,7 +138,7 @@ Mon Jul 22 13:08:06 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
[ This was only ever released for SLES and Leap. ]
|
||||
|
||||
- Update to runc v1.1.13. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.1.13>.
|
||||
- Rebase patches:
|
||||
* 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
|
||||
* 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
|
||||
|
||||
32
runc.keyring
@@ -122,10 +122,10 @@ lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg==
|
||||
=Ab7w
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18]
|
||||
pub rsa2048 2020-04-28 [SC] [expires: 2028-04-18]
|
||||
C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
|
||||
uid [ultimate] Kir Kolyshkin <kolyshkin@gmail.com>
|
||||
sub rsa2048 2020-04-28 [E] [expires: 2025-04-18]
|
||||
sub rsa2048 2020-04-28 [E] [expires: 2028-04-18]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: github=kolyshkin
|
||||
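Review bot: the `pub` and `sub` lines changed here (expiry 2025-04-18 to 2028-04-18) are human-readable listing text outside the armored block, so they are not what a verifier reads; the expiry that counts is in the self-signatures inside the key block changed in the next hunk. Please confirm by importing the new block into an empty keyring that the fingerprint is still C2428CD75720FACDCF76B6EA17DE5ECB75A1100E and that the reported expiry matches the 2028-04-18 written in this header. The `[ultimate]` on the uid line reflects the trust setting of whoever produced the listing and could be dropped from the file to avoid suggesting it carries any meaning for the build.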
@@ -137,26 +137,26 @@ ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9
|
||||
SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu
|
||||
DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g
|
||||
PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW
|
||||
AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ
|
||||
F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F
|
||||
t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW
|
||||
JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3
|
||||
wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt
|
||||
Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0
|
||||
1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k
|
||||
AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmdcs+gFCQ7+0bIACgkQ
|
||||
F95ey3WhEA6rRwf8CxnbLB/uqPZfmmiTzTk7luWaIo6YxtnNz3bn2rTByEo+rBgO
|
||||
gbgtKaV4REYeKhtbdstkMTX3zr+zlqwuqaPaag/Cz20HLkD04bI+JCPoRH/dPadd
|
||||
3nOdbdRfdWZeDDSFKjVunVpXlLxwvZ1WaaYKCfF06U3F7/z7MTAuKHrHTG9SrNPJ
|
||||
UPJTy63dNnuiPpVNNtOyftLGEGgD1JH2tcosVEwEpAlXpIpJy4Lad9ajaRVoYNtT
|
||||
qZr26sRFYNOQqWgl25QM8LyLFyYry9HfEXkbilW0OpkAkUvv0yAe97UPZ0beP8D+
|
||||
d5rMbZps6Ph1TtosdE/Gx8xWs7ALNDmXyCI/F7kBDQReqLt+AQgAtKUDLyUFxQ9k
|
||||
p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z
|
||||
s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik
|
||||
6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38
|
||||
oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc
|
||||
yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h
|
||||
8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F
|
||||
AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R
|
||||
uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT
|
||||
iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r
|
||||
5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4
|
||||
S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au
|
||||
2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ==
|
||||
=GkpD
|
||||
AmdctAIFCQ7+0bIACgkQF95ey3WhEA7PDggAlZxK7mCYThh7Z75mWftIaT3ms5jR
|
||||
cuQcCQYy2Z7qCaNxJtRklhsaAwpO0NQdNdQEfVXlNYLXRuFDq+hemhZKMu4lzQbZ
|
||||
3atm5swWcB8+9q+aCMP5nppwUXxCxHdhp4VxIYEv+wNjTF/6Fxu66fYPQPDKVacS
|
||||
H9NLjHsVoDFSi9rvtAy/Bs2aVn0hZkwpxzHJNVPnNcMAEnYXfM+kXu3761J61FAr
|
||||
o8zT9XXXnUYRuxHRAsrpa3atQj7jDHvFlcc3VfPmUFPs0aLRy19/44xRE1FZOSur
|
||||
f7jJ1HOKSJA9zx0xWaURRTRkMTIVuMnQKZofxC96GavBDVTtZlgLzeWVnQ==
|
||||
=eHgH
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
pub rsa3072 2019-07-25 [SC] [expires: 2025-07-27]
|
||||
|
||||
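Review bot: the trailing context line `pub rsa3072 2019-07-25 [SC] [expires: 2025-07-27]` shows the next key in the keyring still listed with an expiry that is earlier than the November 2025 changelog entries in this same series. Please check whether that key was also refreshed upstream and update its block and header together, or remove the key if it no longer signs releases; a stale header next to a refreshed one makes it hard to tell which keys in runc.keyring are still expected to validate a tarball.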
32
runc.spec
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package runc
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC and contributors
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -17,17 +17,17 @@
|
||||
# nodebuginfo
|
||||
|
||||
|
||||
%bcond_with libpathrs
|
||||
|
||||
# MANUAL: Make sure you update this each time you update runc.
|
||||
%define git_version 45471bc945571d57acef05e0795008d7f1d9baf5
|
||||
%define git_short 45471bc94557
|
||||
%define git_version 8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4
|
||||
%define git_short 8bd78a9977e6
|
||||
|
||||
%define project github.com/opencontainers/runc
|
||||
|
||||
Name: runc
|
||||
# RPM doesn't handle semver rc releases nicely, so for rc releases we need to
|
||||
# do something different.
|
||||
%define upstream_version 1.2.0-rc.3
|
||||
Version: 1.2.0~rc3
|
||||
Version: 1.4.0
|
||||
%define upstream_version %{version}
|
||||
Release: 0
|
||||
Summary: Tool for spawning and running OCI containers
|
||||
License: Apache-2.0
|
||||
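Review bot: the comment "RPM doesn't handle semver rc releases nicely, so for rc releases we need to do something different" is kept, but with `%define upstream_version %{version}` nothing different is done any more, so the next rc update has no example to follow. Consider extending the comment with the form used before (a literal `upstream_version` such as 1.2.0-rc.3 alongside `Version: 1.2.0~rc3`). Separately, `git_version` and `git_short` remain hand-maintained under the MANUAL comment; nothing in the visible lines checks that 8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4 is the commit the v1.4.0 tag points at, so please state in the review how it was obtained.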
@@ -38,10 +38,13 @@ Source1: https://github.com/opencontainers/runc/releases/download/v%{upst
|
||||
Source2: runc.keyring
|
||||
BuildRequires: diffutils
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: go >= 1.22.4
|
||||
BuildRequires: go >= 1.23
|
||||
BuildRequires: go-go-md2man
|
||||
BuildRequires: libseccomp-devel
|
||||
BuildRequires: libselinux-devel
|
||||
%if 0%{with libpathrs}
|
||||
BuildRequires: libpathrs-devel
|
||||
%endif
|
||||
Recommends: criu
|
||||
# There used to be a docker-runc package which was specifically for Docker.
|
||||
# Since Docker now tracks upstream more consistently, we use the same package
|
||||
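Review bot: `%if 0%{with libpathrs}` relies on `%{with ...}` expanding to 0 or 1 and then prefixes another 0, which evaluates correctly but is not the usual spelling; `%if %{with libpathrs}` is the conventional form and reads more clearly. Also, `BuildRequires: libpathrs-devel` carries no minimum version while the Go requirement in the same hunk is raised to >= 1.23; if runc 1.4.0 needs a particular libpathrs release for the `libpathrs` build tag, pin it here so an older devel package fails at dependency resolution instead of at compile time.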
@@ -70,8 +73,19 @@ and has grown to become a separate project entirely.
|
||||
%autopatch -p1
|
||||
|
||||
%build
|
||||
%if 0%{?sle_version} == 120000
|
||||
# Fix nsenter builds on SLE12.
|
||||
export CGO_CFLAGS="--std=gnu11"
|
||||
%endif
|
||||
|
||||
BUILDTAGS="seccomp"
|
||||
%if 0%{with libpathrs}
|
||||
BUILDTAGS+=" libpathrs"
|
||||
%endif
|
||||
|
||||
# build runc
|
||||
make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc
|
||||
make BUILDTAGS="$BUILDTAGS" COMMIT="%{git_describe}" runc
|
||||
|
||||
# build man pages
|
||||
man/md2man-all.sh
|
||||
|
||||
|
||||
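Review bot: `%if 0%{?sle_version} == 120000` at the top of %build is an exact-equality test, so the `CGO_CFLAGS="--std=gnu11"` export only applies where sle_version is exactly 120000; SLE 12 service packs normally report a larger value (for example 120500 for SP5), in which case the nsenter fix described in the changelog would be skipped. A range test such as `0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000` would cover all of SLE 12. Two smaller points: the export replaces any CGO_CFLAGS already set by the build environment instead of appending to it, and `BUILDTAGS+=" libpathrs"` uses the bash-only `+=` operator, which is fine only while the %build shell is bash; `BUILDTAGS="$BUILDTAGS libpathrs"` is portable.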