Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package runc for openSUSE:Factory checked in at 2022-05-14 22:52:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/runc (Old) and /work/SRC/openSUSE:Factory/.runc.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "runc" Sat May 14 22:52:06 2022 rev:46 rq:976495 version:1.1.2 Changes: -------- --- /work/SRC/openSUSE:Factory/runc/runc.changes 2022-04-02 18:20:17.394443912 +0200 +++ /work/SRC/openSUSE:Factory/.runc.new.1538/runc.changes 2022-05-14 22:52:08.866989820 +0200 @@ -1,0 +2,14 @@ +Wed May 11 22:43:51 UTC 2022 - Aleksa Sarai <asa...@suse.com> + +- Update to runc v1.1.2. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.2. + CVE-2022-24769 + + * A bug was found in runc where runc exec --cap executed processes with + non-empty inheritable Linux process capabilities, creating an atypical Linux + environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and + CVE-2022-29162. + * `runc spec` no longer sets any inheritable capabilities in the created + example OCI spec (`config.json`) file. + +------------------------------------------------------------------- Old: ---- runc-1.1.1.tar.xz runc-1.1.1.tar.xz.asc New: ---- runc-1.1.2.tar.xz runc-1.1.2.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ runc.spec ++++++ --- /var/tmp/diff_new_pack.kWmiZA/_old 2022-05-14 22:52:10.110991375 +0200 +++ /var/tmp/diff_new_pack.kWmiZA/_new 2022-05-14 22:52:10.114991380 +0200 
@@ -18,16 +18,16 @@ # MANUAL: Make sure you update this each time you update runc. -%define git_version 52de29d7e0f8c0899bd7efb8810dd07f0073fa87 -%define git_short 52de29d7e0f8 +%define git_version a916309fff0f838eb94e928713dbc3c0d0ac7aa4 +%define git_short a916309fff0f # Package-wide golang version %define go_version 1.17 %define project github.com/opencontainers/runc Name: runc -Version: 1.1.1 -%define _version 1.1.1 +Version: 1.1.2 +%define _version 1.1.2 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 ++++++ runc-1.1.1.tar.xz -> runc-1.1.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/CHANGELOG.md new/runc-1.1.2/CHANGELOG.md --- old/runc-1.1.1/CHANGELOG.md 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/CHANGELOG.md 2022-05-05 21:49:49.000000000 +0200 @@ -1,4 +1,4 @@ -# Changelog/ +# Changelog This file documents all notable changes made to this project since runc 1.0. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), @@ -6,6 +6,24 @@ ## [Unreleased] + +## [1.1.2] - 2022-05-06 + +> I should think I???m going to be a perpetual student. + +### Security + * A bug was found in runc where runc exec --cap executed processes with + non-empty inheritable Linux process capabilities, creating an atypical Linux + environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and + CVE-2022-29162. + +### Changed + * `runc spec` no longer sets any inheritable capabilities in the created + example OCI spec (`config.json`) file. + +[GHSA-f3fp-gc8g-vw66]: https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66 + + ## [1.1.1] - 2022-03-28 > Violence is the last refuge of the incompetent. 
@@ -25,6 +43,7 @@ * libcontainer/cgroups no longer panics in cgroup v1 managers if `stat` of `/sys/fs/cgroup/unified` returns an error other than ENOENT. (#3435) + ## [1.1.0] - 2022-01-14 > A plan depends as much upon execution as it does upon concept. @@ -35,6 +54,7 @@ should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331) + ## [1.1.0-rc.1] - 2021-12-14 > He who controls the spice controls the universe. @@ -252,7 +272,8 @@ cgroups at all during `runc update`). (#2994) <!-- minor releases --> -[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.1...HEAD +[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.2...HEAD +[1.1.2]: https://github.com/opencontainers/runc/compare/v1.1.1...v1.1.2 [1.1.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.1.1 [1.1.0]: https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0 [1.0.0]: https://github.com/opencontainers/runc/releases/tag/v1.0.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/VERSION new/runc-1.1.2/VERSION --- old/runc-1.1.1/VERSION 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/VERSION 2022-05-05 21:49:49.000000000 +0200 @@ -1 +1 @@ -1.1.1 +1.1.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/exec.go new/runc-1.1.2/exec.go --- old/runc-1.1.1/exec.go 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/exec.go 2022-05-05 21:49:49.000000000 +0200 
@@ -224,7 +224,6 @@ if caps := context.StringSlice("cap"); len(caps) > 0 { for _, c := range caps { p.Capabilities.Bounding = append(p.Capabilities.Bounding, c) - p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c) p.Capabilities.Effective = append(p.Capabilities.Effective, c) p.Capabilities.Permitted = append(p.Capabilities.Permitted, c) p.Capabilities.Ambient = append(p.Capabilities.Ambient, c) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/libcontainer/README.md new/runc-1.1.2/libcontainer/README.md --- old/runc-1.1.1/libcontainer/README.md 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/libcontainer/README.md 2022-05-05 21:49:49.000000000 +0200 @@ -96,22 +96,6 @@ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Permitted: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/libcontainer/integration/exec_test.go new/runc-1.1.2/libcontainer/integration/exec_test.go --- old/runc-1.1.1/libcontainer/integration/exec_test.go 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/libcontainer/integration/exec_test.go 2022-05-05 21:49:49.000000000 +0200 @@ -364,7 +364,6 @@ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN") pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN") pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN") - pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN") err = container.Run(&pconfig) ok(t, err) 
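Review bot: The loop body in `exec.go` now appends each `--cap` value to Bounding, Effective, Permitted and Ambient but silently skips Inheritable, and nothing on the new side records that this asymmetry is the security fix; a comment above the loop would stop a later contributor from re-adding it "for symmetry", e.g. `// Inheritable is deliberately left untouched: a non-empty inheritable set is not a` `// normal process state and interacts with file capabilities on execve (GHSA-f3fp-gc8g-vw66).` Keeping Ambient while dropping Inheritable also leans on the capability applier, which is not part of this diff: the kernel only allows `PR_CAP_AMBIENT_RAISE` for a capability that is in both the permitted and inheritable sets of the calling thread (EPERM otherwise), so `runc exec --cap CAP_NET_ADMIN` should be run on a kernel with ambient support to confirm the exec still succeeds rather than assumed. The hunk does not show whether `p.Capabilities` is guaranteed non-nil before the loop; the enclosing function starts and ends outside the hunk, so check the preceding lines before relying on it.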
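Review bot: In the `exec_test.go` hunk at line 364, dropping the `Inheritable` append from the fixture removes the old behaviour but the visible lines add no assertion that pins the fixed one: the process is started with `container.Run(&pconfig)` and only `ok(t, err)` follows. A regression test for GHSA-f3fp-gc8g-vw66 should read the child's `CapInh` line from `/proc/self/status` and assert it is `0000000000000000`, alongside whatever the test already checks for `CAP_NET_ADMIN` in the effective set; if the remainder of the test, which continues past the hunk, already parses that file, extending the check is a one-line change. The test function starts and ends outside the hunk.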
@@ -1409,7 +1408,6 @@ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN") pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN") pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN") - pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN") err = container.Run(pconfig2) _ = stdinR2.Close() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/libcontainer/integration/template_test.go new/runc-1.1.2/libcontainer/integration/template_test.go --- old/runc-1.1.1/libcontainer/integration/template_test.go 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/libcontainer/integration/template_test.go 2022-05-05 21:49:49.000000000 +0200 @@ -75,22 +75,6 @@ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Ambient: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.1/libcontainer/specconv/example.go new/runc-1.1.2/libcontainer/specconv/example.go --- old/runc-1.1.1/libcontainer/specconv/example.go 2022-03-28 21:02:47.000000000 +0200 +++ new/runc-1.1.2/libcontainer/specconv/example.go 2022-05-05 21:49:49.000000000 +0200 @@ -41,11 +41,6 @@ "CAP_KILL", "CAP_NET_BIND_SERVICE", }, - Inheritable: []string{ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - }, Ambient: []string{ "CAP_AUDIT_WRITE", "CAP_KILL",
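Review bot: In the `specconv/example.go` hunk the default spec emitted by `runc spec` now has an `Ambient` list with no matching `Inheritable` entry, and the Go source carries no comment that this is intentional; since this example is what most users copy into their own `config.json`, a comment above the `Ambient:` field such as `// Inheritable is intentionally absent (GHSA-f3fp-gc8g-vw66); do not re-add it to mirror Ambient.` would keep the list from creeping back. Note that `config.json` files generated by earlier releases still carry the old `Inheritable` list and nothing in this diff rewrites or warns about them, so the user-facing changelog is the place to tell people to drop it; this is inferred from the diff, not something the hunk itself addresses.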