Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2024-02-21 17:52:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new.1706 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Wed Feb 21 17:52:04 2024 rev:143 rq:1147713 version:25.0.3_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2024-02-16 21:41:36.348076961 +0100 +++ /work/SRC/openSUSE:Factory/.docker.new.1706/docker.changes 2024-02-21 17:52:15.490273872 +0100 @@ -1,0 +2,19 @@ +Wed Feb 17 12:56:22 UTC 2024 - Danish Prakash <danish.prak...@suse.com> + +- Update to Docker 25.0.3-ce. See upstream changelong online at + <https://docs.docker.com/engine/release-notes/25.0/#2503> +- Fixes: + * bsc#1219267 - CVE-2024-23651 + * bsc#1219268 - CVE-2024-23652 + * bsc#1219438 - CVE-2024-23653 +- Rebase patches: + * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + * cli-0001-docs-include-required-tools-in-source-tree.patch +- Remove upstreamed patches: + - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch + +------------------------------------------------------------------- Old: ---- 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch docker-24.0.7_ce_311b9ff0aa93.tar.xz docker-cli-24.0.7_ce.tar.xz New: ---- docker-25.0.3_ce_f417435e5.tar.xz docker-cli-25.0.3_ce.tar.xz BETA DEBUG BEGIN: Old:- Remove upstreamed patches: - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.170298485 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.174298630 +0100 
@@ -31,9 +31,9 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define real_version 24.0.7 -%define git_version 311b9ff0aa93 -%define git_commit_epoch 1698306665 +%define real_version 25.0.3 +%define git_version f417435e5 +%define git_commit_epoch 1706746344 Name: docker Version: %{real_version}_ce @@ -72,11 +72,6 @@ Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch # UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>. Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch -# bugfix for: -# bsc#1219438: CVE-2024-23653 -# bsc#1219268: CVE-2024-23652 -# bsc#1219267: CVE-2024-23651 -Patch901: 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -225,8 +220,6 @@ %patch -P201 -p1 # Solves apparmor issues on SLE-12, but okay for newer SLE versions too. %patch -P202 -p1 -# temporary buildkit bugfixes -%patch -P901 -p1 %build %sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf ++++++ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.194299354 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.194299354 +0100 @@ -1,7 +1,7 @@ -From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001 +From 4a5c4ff94d466dcd5d7c986478ee3c12d056208a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is 
@@ -14,18 +14,18 @@ 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 290ec59a34..b7013fb89c 100644 +index 6a23a4ca92..4f2a611bbc 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go -@@ -4,6 +4,7 @@ +@@ -3,6 +3,7 @@ package daemon // import "github.com/docker/docker/daemon" import ( + "bytes" + "context" "fmt" "os" - "path/filepath" -@@ -14,6 +15,7 @@ import ( +@@ -16,6 +17,7 @@ import ( "github.com/docker/docker/daemon/links" "github.com/docker/docker/errdefs" "github.com/docker/docker/libnetwork" @@ -33,7 +33,7 @@ "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/process" "github.com/docker/docker/pkg/stringid" -@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -201,9 +203,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } @@ -43,7 +43,7 @@ uid, err := strconv.Atoi(s.File.UID) if err != nil { -@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -214,6 +213,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } @@ -69,6 +69,6 @@ return errors.Wrap(err, "error setting ownership for secret") } -- -2.43.0 +2.39.0 ++++++ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.206299789 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.210299933 +0100 @@ -1,7 +1,7 @@ -From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001 +From 0b91e46d6f1515461d28d768557b63eacbcc68af Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. @@ -19,10 +19,10 @@ create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go -index 2e0b9e6be8..dca0448688 100644 +index 24e72e2248..9bce0c6dff 100644 --- a/daemon/start.go +++ b/daemon/start.go -@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C +@@ -159,6 +159,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore return err } @@ -31,9 +31,9 @@ + return errdefs.System(err) + } + - spec, err := daemon.createSpec(ctx, container) + spec, err := daemon.createSpec(ctx, daemonCfg, container) if err != nil { - return errdefs.System(err) + // Any error that occurs while creating the spec, even if it's the diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 index 0000000000..32b0ece91b @@ -456,6 +456,6 @@ + return nil +} -- -2.43.0 +2.39.0 ++++++ 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.222300367 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.226300512 +0100 @@ -1,7 +1,7 @@ -From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001 +From cee586793de12fc029897e897aacdf18933f8ba6 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Mon, 22 May 2023 15:44:54 +1000 -Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI +Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI headers" This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d. @@ -16,10 +16,10 @@ 1 file changed, 4 insertions(+), 9 deletions(-) 
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go -index d88efc4be2..4e976aa689 100644 +index 6aaa33cf76..7264d40364 100644 --- a/daemon/graphdriver/btrfs/btrfs.go +++ b/daemon/graphdriver/btrfs/btrfs.go -@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs" +@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs" /* #include <stdlib.h> @@ -42,6 +42,6 @@ static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); -- -2.43.0 +2.39.0 ++++++ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.234300801 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.238300947 +0100 @@ -1,7 +1,7 @@ -From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001 +From 99fb19fd177d211063394a56348ecd9987fd17aa Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -22,10 +22,10 @@ 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go -index 6376001613..5fde21a4af 100644 +index 81e10b6cbe..e695667a19 100644 --- a/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go -@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string { +@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string { return "" } 
@@ -41,7 +41,7 @@ func ensureDefaultAppArmorProfile() error { if apparmor.HostSupports() { loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) -@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error { +@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error { } // Load the profile. @@ -54,10 +54,10 @@ return nil } diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go -index e3dc18b32b..9c77230562 100644 +index be4938f5b6..2b326fea58 100644 --- a/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go -@@ -3,6 +3,10 @@ +@@ -2,6 +2,10 @@ package daemon // import "github.com/docker/docker/daemon" @@ -69,11 +69,11 @@ return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go -index 4d76c57988..15c95b50c4 100644 +index 05b933ca86..cced9c9a8d 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go -@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S - logrus.Warnf("Failed to configure golang's threads limit: %v", err) +@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S + log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err) } - // ensureDefaultAppArmorProfile does nothing if apparmor is disabled @@ -81,10 +81,10 @@ + // Make sure we clobber any pre-existing docker-default profile to ensure + // that upgrades to the profile actually work smoothly. + if err := clobberDefaultAppArmorProfile(); err != nil { - logrus.Errorf(err.Error()) + log.G(ctx).Errorf(err.Error()) } -- -2.43.0 +2.39.0 ++++++ 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.250301381 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.254301525 +0100 @@ -1,7 +1,7 @@ -From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001 +From 079e8a9eefc639772d8849cea26727ea0918a74b Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai <asa...@suse.de> Date: Wed, 11 Oct 2023 21:19:12 +1100 -Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from +Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from template" This reverts the following commits: @@ -17,15 +17,16 @@ Signed-off-by: Aleksa Sarai <cyp...@cyphar.com> --- - contrib/apparmor/main.go | 16 ++++++++++++++-- - contrib/apparmor/template.go | 16 ++++++++++++++++ - pkg/aaparser/aaparser.go | 2 -- - profiles/apparmor/apparmor.go | 14 ++++++++++++-- - profiles/apparmor/template.go | 4 ++++ - 5 files changed, 46 insertions(+), 6 deletions(-) + contrib/apparmor/main.go | 16 ++++++- + contrib/apparmor/template.go | 16 +++++++ + pkg/aaparser/aaparser.go | 86 +++++++++++++++++++++++++++++++++++ + profiles/apparmor/apparmor.go | 16 ++++++- + profiles/apparmor/template.go | 4 ++ + 5 files changed, 134 insertions(+), 4 deletions(-) + create mode 100644 pkg/aaparser/aaparser.go diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go -index d67890d265..f4a2978b86 100644 +index 899d8378ed..93f98cbd20 100644 --- a/contrib/apparmor/main.go +++ b/contrib/apparmor/main.go @@ -6,9 +6,13 @@ import ( @@ -156,24 +157,107 @@ /lib/** rm, /usr/bin/xz rm, diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go -index 3d7c2c5a97..2b5a2605f9 100644 ---- a/pkg/aaparser/aaparser.go +new file mode 100644 +index 0000000000..89b48b2dba +--- /dev/null 
+++ b/pkg/aaparser/aaparser.go -@@ -13,8 +13,6 @@ const ( - ) - - // GetVersion returns the major and minor version of apparmor_parser. --// --// Deprecated: no longer used, and will be removed in the next release. - func GetVersion() (int, error) { - output, err := cmd("", "--version") - if err != nil { +@@ -0,0 +1,86 @@ ++// Package aaparser is a convenience package interacting with `apparmor_parser`. ++package aaparser // import "github.com/docker/docker/pkg/aaparser" ++ ++import ( ++ "fmt" ++ "os/exec" ++ "strconv" ++ "strings" ++) ++ ++const ( ++ binary = "apparmor_parser" ++) ++ ++// GetVersion returns the major and minor version of apparmor_parser. ++func GetVersion() (int, error) { ++ output, err := cmd("", "--version") ++ if err != nil { ++ return -1, err ++ } ++ ++ return parseVersion(output) ++} ++ ++// cmd runs `apparmor_parser` with the passed arguments. ++func cmd(dir string, arg ...string) (string, error) { ++ c := exec.Command(binary, arg...) ++ c.Dir = dir ++ ++ output, err := c.CombinedOutput() ++ if err != nil { ++ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err) ++ } ++ ++ return string(output), nil ++} ++ ++// parseVersion takes the output from `apparmor_parser --version` and returns ++// a representation of the {major, minor, patch} version as a single number of ++// the form MMmmPPP {major, minor, patch}. ++func parseVersion(output string) (int, error) { ++ // output is in the form of the following: ++ // AppArmor parser version 2.9.1 ++ // Copyright (C) 1999-2008 Novell Inc. ++ // Copyright 2009-2012 Canonical Ltd. ++ ++ lines := strings.SplitN(output, "\n", 2) ++ words := strings.Split(lines[0], " ") ++ version := words[len(words)-1] ++ ++ // trim "-beta1" suffix from version="3.0.0-beta1" if exists ++ version = strings.SplitN(version, "-", 2)[0] ++ // also trim "~..." 
suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10) ++ version = strings.SplitN(version, "~", 2)[0] ++ ++ // split by major minor version ++ v := strings.Split(version, ".") ++ if len(v) == 0 || len(v) > 3 { ++ return -1, fmt.Errorf("parsing version failed for output: `%s`", output) ++ } ++ ++ // Default the versions to 0. ++ var majorVersion, minorVersion, patchLevel int ++ ++ majorVersion, err := strconv.Atoi(v[0]) ++ if err != nil { ++ return -1, err ++ } ++ ++ if len(v) > 1 { ++ minorVersion, err = strconv.Atoi(v[1]) ++ if err != nil { ++ return -1, err ++ } ++ } ++ if len(v) > 2 { ++ patchLevel, err = strconv.Atoi(v[2]) ++ if err != nil { ++ return -1, err ++ } ++ } ++ ++ // major*10^5 + minor*10^3 + patch*10^0 ++ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel ++ return numericVersion, nil ++} diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go -index d0f2361605..b3566b2f73 100644 +index 1edfc53002..0d23b940bd 100644 --- a/profiles/apparmor/apparmor.go +++ b/profiles/apparmor/apparmor.go -@@ -14,8 +14,10 @@ import ( - "github.com/docker/docker/pkg/aaparser" +@@ -11,10 +11,14 @@ import ( + "path" + "strings" + "text/template" ++ ++ "github.com/docker/docker/pkg/aaparser" ) -// profileDirectory is the file store for apparmor profiles and macros. @@ -185,7 +269,7 @@ // profileData holds information about the given profile for generation. type profileData struct { -@@ -27,6 +29,8 @@ type profileData struct { +@@ -26,6 +30,8 @@ type profileData struct { Imports []string // InnerImports defines the apparmor functions to import in the profile. InnerImports []string 
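Review bot: In parseVersion (new file pkg/aaparser/aaparser.go, hunk `@@ -156,24 +157,107 @@`), the guard `if len(v) == 0 || len(v) > 3` can never reject malformed input through its first clause, because strings.Split always returns at least one element; an empty or unexpected first line of `apparmor_parser --version` therefore falls through to `strconv.Atoi("")` and is reported as a bare `invalid syntax` error rather than the descriptive `parsing version failed for output` message the function already has. Tightening it to `if version == "" || len(v) > 3 {` keeps that context for exactly the failure a profile generator needs to diagnose. Since the previous revision of this patch edited an existing upstream aaparser.go while this one creates it (`new file mode 100644`, `--- /dev/null`), upstream 25.0 presumably removed the package, so the SLE12 patch now carries the whole file; a sentence in the patch description saying so would spare the next rebase the same archaeology. The profiles/apparmor/apparmor.go hunk that re-adds the `github.com/docker/docker/pkg/aaparser` import depends on this file and should point at the same note.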
@@ -194,7 +278,7 @@ } // generateDefault creates an apparmor profile from ProfileData. -@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error { +@@ -45,6 +51,12 @@ func (p *profileData) generateDefault(out io.Writer) error { p.InnerImports = append(p.InnerImports, "#include <abstractions/base>") } @@ -208,10 +292,10 @@ } diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go -index 9f207e2014..626e5f6789 100644 +index cf8c34ce8a..4ebd647e14 100644 --- a/profiles/apparmor/template.go +++ b/profiles/apparmor/template.go -@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { +@@ -23,12 +23,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { capability, file, umount, @@ -226,7 +310,7 @@ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc/<number>/** or /proc/sys/** -@@ -50,7 +52,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { +@@ -49,7 +51,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { deny /sys/devices/virtual/powercap/** rwklx, deny /sys/kernel/security/** rwklx, @@ -237,6 +321,6 @@ } ` -- -2.43.0 +2.39.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.POIWxz/_old 2024-02-21 17:52:16.298303118 +0100 +++ /var/tmp/diff_new_pack.POIWxz/_new 2024-02-21 17:52:16.302303263 +0100 
@@ -3,16 +3,16 @@
 <param name="url">https://github.com/moby/moby.git</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="versionformat">24.0.7_ce_%h</param>
- <param name="revision">v24.0.7</param>
+ <param name="versionformat">25.0.3_ce_%h</param>
+ <param name="revision">v25.0.3</param>
 <param name="filename">docker</param>
 </service>
 <service name="tar_scm" mode="manual">
 <param name="url">https://github.com/docker/cli.git</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="versionformat">24.0.7_ce</param>
- <param name="revision">v24.0.7</param>
+ <param name="versionformat">25.0.3_ce</param>
+ <param name="revision">v25.0.3</param>
 <param name="filename">docker-cli</param>
 </service>
 <service name="recompress" mode="manual">
++++++ cli-0001-docs-include-required-tools-in-source-tree.patch ++++++
++++ 9483 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/docker/cli-0001-docs-include-required-tools-in-source-tree.patch
++++ and /work/SRC/openSUSE:Factory/.docker.new.1706/cli-0001-docs-include-required-tools-in-source-tree.patch
++++++ docker-24.0.7_ce_311b9ff0aa93.tar.xz -> docker-25.0.3_ce_f417435e5.tar.xz ++++++
/work/SRC/openSUSE:Factory/docker/docker-24.0.7_ce_311b9ff0aa93.tar.xz /work/SRC/openSUSE:Factory/.docker.new.1706/docker-25.0.3_ce_f417435e5.tar.xz differ: char 15, line 1
++++++ docker-cli-24.0.7_ce.tar.xz -> docker-cli-25.0.3_ce.tar.xz ++++++
++++ 148417 lines of diff (skipped)