On Wed, Feb 22, 2023, 5:43 AM Hugo Simeliere via lists.yoctoproject.org
<[email protected]> wrote:

> Fixes the following CVEs:
> * CVE-2020-15257
> * CVE-2021-21334
> * CVE-2021-32760
> * CVE-2021-41103
> * CVE-2022-23648
>
> Based on commit cd6feb72b84aab9655af6c8c0774a180ea2a4f60
>
> Signed-off-by: Hugo SIMELIERE <[email protected]>
> ---
>  .../containerd/containerd-docker_git.bb       | 10 ++-
>  .../0001-Add-build-option-GODEBUG-1.patch     | 28 +++-----
>  ...1-build-use-oe-provided-GO-and-flags.patch | 42 -----------
>  .../containerd-opencontainers_git.bb          | 20 ++----
>  recipes-containers/containerd/containerd.inc  |  9 ++-
>  ...1-build-use-oe-provided-GO-and-flags.patch | 70 +++++++++++++++++++
>  6 files changed, 100 insertions(+), 79 deletions(-)
>  delete mode 100644
> recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch
>  create mode 100644
> recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
>
> diff --git a/recipes-containers/containerd/containerd-docker_git.bb
> b/recipes-containers/containerd/containerd-docker_git.bb
> index f6b0e28..8d1a27a 100644
> --- a/recipes-containers/containerd/containerd-docker_git.bb
> +++ b/recipes-containers/containerd/containerd-docker_git.bb
> @@ -1,8 +1,11 @@
>  SRCREV = "3addd840653146c90a254301d6c3a663c7fd6429"
>  SRC_URI = "\
> - git://
> github.com/docker/containerd.git;branch=v0.2.x;destsuffix=git/src/github.com/containerd/containerd;protocol=https
> \
> + git://
> github.com/docker/containerd.git;branch=v0.2.x;destsuffix=git/src/github.com/containerd/containerd
> \
>   "
>
> +
> +LIC_FILES_CHKSUM =
> "file://LICENSE.code;md5=aadc30f9c14d876ded7bedc0afd2d3d7"
> +
>  include containerd.inc
>
>  CONTAINERD_VERSION = "v0.2.x"
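Review bot: The rewritten SRC_URI line drops `;protocol=https` from the github.com URL, so bitbake's git fetcher falls back to the plain git:// transport, which gives no TLS authentication of the server and which GitHub stopped serving in 2022, so the fetch is likely to fail outright as well. SRCREV still pins the exact commit, so what gets built is bounded, but nothing in the commit message explains the removal and it looks accidental. Keep the parameter: `git://github.com/docker/containerd.git;branch=v0.2.x;destsuffix=git/src/github.com/containerd/containerd;protocol=https \`.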
> @@ -12,3 +15,8 @@ PROVIDES += "virtual/containerd"
>  RPROVIDES_${PN} = "virtual/containerd"
>
>  DEPENDS += "btrfs-tools"
> +
> +do_compile_prepend() {
> + bberror "${PN} is depreciated and will be removed in the future"
> + bbfatal "use container-opencontainers for a working configuration"
> +}
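Review bot: Both messages in the new do_compile_prepend have string problems: `depreciated` should be `deprecated`, and `container-opencontainers` names a recipe that does not exist, while the recipe this series updates is `containerd-opencontainers`. bbfatal already aborts the task, so the bberror line before it is redundant; a single `bbfatal "${PN} is deprecated and will be removed in the future; use containerd-opencontainers instead"` says the same. Note that failing in do_compile still lets do_fetch and do_unpack run first, so if the aim is to retire the recipe, a parse-time skip would be cleaner than a compile-time abort.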
> diff --git
> a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
> b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
> index fec9ea6..8b43c8a 100644
> ---
> a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
> +++
> b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
> @@ -15,28 +15,18 @@ Signed-off-by: Hongxu Jia <[email protected]>
>   src/import/Makefile | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
>
> -diff --git a/src/import/Makefile b/src/import/Makefile
> -index 4355395..4fb5d3b 100644
> ---- a/src/import/Makefile
> -+++ b/src/import/Makefile
> -@@ -75,11 +75,15 @@ TEST_REQUIRES_ROOT_PACKAGES=$(filter \
> +Index: git/src/import/Makefile
> +===================================================================
> +--- git.orig/src/import/Makefile 2020-10-12 08:09:41.638977052 -0700
> ++++ git/src/import/Makefile 2020-10-12 08:10:49.783074373 -0700
> +@@ -72,6 +72,10 @@
>   COMMANDS=ctr containerd containerd-stress
> - MANPAGES=ctr.1 containerd.1 containerd-config.1 containerd-config.toml.5
> + MANPAGES=ctr.8 containerd.8 containerd-config.8 containerd-config.toml.5
>
>  +ifndef GODEBUG
>  +   EXTRA_LDFLAGS += -s -w
>  +endif
>  +
> - # Build tags seccomp and apparmor are needed by CRI plugin.
> - BUILDTAGS ?= seccomp apparmor
> - GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
> --GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X
> $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE)
> $(EXTRA_LDFLAGS)'
> --SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X
> $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE)
> -extldflags "-static"'
> -+GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X
> $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE)
> $(EXTRA_LDFLAGS)'
> -+SHIM_GO_LDFLAGS=-ldflags '-X $(PKG)/version.Version=$(VERSION) -X
> $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE)
> -extldflags "-static $(EXTRA_EXTLDFLAGS)" $(EXTRA_LDFLAGS)'
> -
> - #Replaces ":" (*nix), ";" (windows) with newline for easy parsing
> - GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
> ---
> -2.7.4
> -
> + ifdef BUILDTAGS
> +     GO_BUILDTAGS = ${BUILDTAGS}
> + endif
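Review bot: The diffstat kept in the patch header at the top of this hunk still reads `src/import/Makefile | 8 ++++++--` / `6 insertions(+), 2 deletions(-)`, but the rebased hunk below it is `@@ -72,6 +72,10 @@` with four added lines and nothing removed, so the header now misdescribes the patch. Tools ignore the stat, but a reader comparing it with the body will wonder whether the GO_LDFLAGS rewrite the old version carried was lost; the new hunk no longer shows the GO_LDFLAGS line, so I cannot confirm from here that the 1.4 Makefile consumes EXTRA_LDFLAGS. Update the stat to `src/import/Makefile | 4 ++++` and `1 file changed, 4 insertions(+)`, and add a sentence to the patch description stating that the 1.4 Makefile already passes EXTRA_LDFLAGS into GO_LDFLAGS, if that is the case.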
> diff --git
> a/recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch
> b/recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch
> deleted file mode 100644
> index d4d5973..0000000
> ---
> a/recipes-containers/containerd/containerd-opencontainers/0001-build-use-oe-provided-GO-and-flags.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From 408e8b526d490af817a64b7220e8e2c3789de58f Mon Sep 17 00:00:00 2001
> -From: Bruce Ashfield <[email protected]>
> -Date: Sun, 10 Feb 2019 23:46:06 +0000
> -Subject: [PATCH] build: use oe provided GO and flags
> -
> -We want to use the go compiler as defined in the oe-enviroment, not the
> -generic call to 'go'. Without changing this, we'll get things like cgo
> -errors and invalid flag combos.
> -
> -Signed-off-by: Bruce Ashfield <[email protected]>
> ----
> - Makefile | 8 ++++----
> - 1 file changed, 4 insertions(+), 4 deletions(-)
> -
> -Index: git/src/import/Makefile
> -===================================================================
> ---- git.orig/src/import/Makefile
> -+++ git/src/import/Makefile
> -@@ -166,19 +166,19 @@
> - # Build a binary from a cmd.
> - bin/%: cmd/% FORCE
> - @echo "$(WHALE) $@${BINARY_SUFFIX}"
> -- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX}
> ${GO_LDFLAGS} ${GO_TAGS}  ./$<
> -+ @$(GO) build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX}
> ${GO_LDFLAGS} ${GO_TAGS}  ./$<
> -
> - bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie
> for a static shim build:
> https://github.com/golang/go/issues/17789#issuecomment-258542220
> - @echo "$(WHALE) bin/containerd-shim"
> -- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o bin/containerd-shim
> ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
> -+ @$(GO) build ${GO_BUILD_FLAGS} -o bin/containerd-shim
> ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
> -
> - bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set
> !cgo and omit pie for a static shim build:
> https://github.com/golang/go/issues/17789#issuecomment-258542220
> - @echo "$(WHALE) bin/containerd-shim-runc-v1"
> -- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o
> bin/containerd-shim-runc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS}
> ./cmd/containerd-shim-runc-v1
> -+ @$(GO) build ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v1
> ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1
> -
> - bin/containerd-shim-runhcs-v1: cmd/containerd-shim-runhcs-v1 FORCE # set
> !cgo and omit pie for a static shim build:
> https://github.com/golang/go/issues/17789#issuecomment-258542220
> - @echo "$(WHALE) bin/containerd-shim-runhcs-v1${BINARY_SUFFIX}"
> -- @CGO_ENABLED=0 go build ${GO_BUILD_FLAGS} -o
> bin/containerd-shim-runhcs-v1${BINARY_SUFFIX} ${SHIM_GO_LDFLAGS} ${GO_TAGS}
> ./cmd/containerd-shim-runhcs-v1
> -+ @$(GO) build ${GO_BUILD_FLAGS} -o
> bin/containerd-shim-runhcs-v1${BINARY_SUFFIX} ${SHIM_GO_LDFLAGS}
> $(GOBUILDFLAGS) ${GO_TAGS} ./cmd/containerd-shim-runhcs-v1
> -
> - binaries: $(BINARIES) ## build binaries
> - @echo "$(WHALE) $@"
> diff --git a/recipes-containers/containerd/
> containerd-opencontainers_git.bb b/recipes-containers/containerd/
> containerd-opencontainers_git.bb
> index 5f697ed..19a1e60 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -1,5 +1,5 @@
> -SRCREV = "3b3e9d5f62a114153829f9fbe2781d27b0a2ddac"
> -SRC_URI = "git://
> github.com/containerd/containerd;branch=release/1.2;protocol=https \
> +SRCREV = "9cc61520f4cd876b86e77edfeb88fbcd536d1f9d"
> +SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4 \
>             file://0001-build-use-oe-provided-GO-and-flags.patch \
>             file://0001-Add-build-option-GODEBUG-1.patch \
>            "
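Review bot: The new SRC_URI line drops the `;protocol=https` that the removed line carried, so the 1.4 source would be fetched over the plain git:// transport, which provides no TLS authentication of the server and which GitHub no longer serves; the commit message does not mention this, so it looks unintentional. SRCREV still pins the exact commit, so what gets built is bounded, but the fetch itself should stay on HTTPS: `SRC_URI = "git://github.com/containerd/containerd;branch=release/1.4;protocol=https \`. Note too that the 1.4 series reached end-of-life upstream in 2022, so advisories published after 1.4.13 (for example CVE-2022-24769 and CVE-2022-31030, if I recall the fixed versions correctly) are not addressed by this bump, and the commit message should not read as if the recipe is now fully patched.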
> @@ -8,20 +8,10 @@ include containerd.inc
>
>  LIC_FILES_CHKSUM =
> "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"
>
> -CONTAINERD_VERSION = "v1.2.14"
> +CONTAINERD_VERSION = "v1.4.13"
> +CVE_VERSION = "1.4.13"
>

Thanks for the CVE efforts!

Unfortunately we don't do version bumps like this on the stable
branches. Only a 1.2.x version bump would meet the bugfix-only criteria
that most layers in the Yocto Project ecosystem follow.

If there aren't any minor releases upstream, then we are stuck with
patches.

If there's no other route to address bugs or security issues, then it isn't
impossible to do a version bump like this, but it is rare and would need
some runtime testing as these components can be quite sensitive to interop
issues when versions change.

Bruce


> -# Work around internal error in gold triggered due to DWARF-5 by forcing
> to use bfd even with ld-is-gold:
> -#
> _/OE/lge/build/webosose/dunfell/BUILD/work/qemux86_64-webos-linux/containerd-opencontainers/v1.2.14+gitAUTOINC+3b3e9d5f62-r0/git/src/import/cmd/containerd-shim
> -#
> /OE/lge/build/webosose/dunfell/BUILD/work/qemux86_64-webos-linux/containerd-opencontainers/v1.2.14+gitAUTOINC+3b3e9d5f62-r0/recipe-sysroot-native/usr/lib/x86_64-webos-linux/go/pkg/tool/linux_amd64/link:
> running x86_64-webos-linux-gcc failed: exit status 1
> -#
> /OE/lge/build/webosose/dunfell/BUILD/work/qemux86_64-webos-linux/containerd-opencontainers/v1.2.14+gitAUTOINC+3b3e9d5f62-r0/recipe-sysroot-native/usr/bin/x86_64-webos-linux/../../libexec/x86_64-webos-linux/gcc/x86_64-webos-linux/9.3.0/ld:
> internal error in read_header_prolog, at ../../gold/dwarf_reader.cc:1678
> -# collect2: error: ld returned 1 exit status
> -# alternatively we can backport DWARF-5 support to binutils-2.34 used in
> dunfell like in:
> -#
> https://git.openembedded.org/openembedded-core/commit/?id=d07d4d739ae17787017f771dd2068fda0e836722
> -EXTRA_EXTLDFLAGS = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold',
> ' -fuse-ld=bfd ', '', d)}"
> -
> -EXTRA_OEMAKE += "GODEBUG=1 EXTRA_EXTLDFLAGS='${EXTRA_EXTLDFLAGS}'"
> +EXTRA_OEMAKE += "GODEBUG=1"
>
>  PROVIDES += "virtual/containerd"
>  RPROVIDES_${PN} = "virtual/containerd"
> -
> -CVE_PRODUCT = "containerd"
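Review bot: Removing `CVE_PRODUCT = "containerd"` at the end of this hunk makes cve-check fall back to ${PN}, i.e. `containerd-opencontainers`, which matches no NVD CPE for containerd, so the newly added `CVE_VERSION = "1.4.13"` would be paired with a product name that never matches and the recipe would silently drop out of CVE reports — unless containerd.inc sets CVE_PRODUCT, which is not visible in this diff. The two settings belong together: keep `CVE_PRODUCT = "containerd"` next to `CVE_VERSION = "1.4.13"`. Separately, the gold/DWARF-5 workaround (`-fuse-ld=bfd` under ld-is-gold) is deleted without a note on why it is no longer needed; if it only applied to the 1.2 tree, say so in the commit message, otherwise ld-is-gold builds may regress.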
> diff --git a/recipes-containers/containerd/containerd.inc
> b/recipes-containers/containerd/containerd.inc
> index e226edf..2a14a44 100644
> --- a/recipes-containers/containerd/containerd.inc
> +++ b/recipes-containers/containerd/containerd.inc
> @@ -6,7 +6,7 @@ DESCRIPTION = "containerd is a daemon to control runC,
> built for performance and
>
>  # Apache-2.0 for containerd
>  LICENSE = "Apache-2.0"
> -LIC_FILES_CHKSUM =
> "file://src/import/LICENSE.code;md5=aadc30f9c14d876ded7bedc0afd2d3d7"
> +LIC_FILES_CHKSUM ?=
> "file://src/import/LICENSE.code;md5=aadc30f9c14d876ded7bedc0afd2d3d7"
>
>  SRC_URI += "file://containerd.service"
>
> @@ -38,7 +38,7 @@ do_compile() {
>      # without this, the stress test parts of the build fail
>      cp ${S}/src/import/*.go ${S}/src/import/vendor/src/
> github.com/containerd/containerd
>
> -    for c in content errdefs fs images mount snapshots linux api runtimes
> defaults progress \
> +    for c in content timeout ttrpcutil oom stdio process errdefs fs
> images mount snapshots linux api runtimes defaults progress \
>       protobuf reference diff platforms runtime remotes version archive
> dialer gc metadata \
>       metrics filters identifiers labels leases plugin server services \
>       cmd cio containers namespaces oci events log reaper sys rootfs
> nvidia seed apparmor seccomp; do
> @@ -64,6 +64,7 @@ do_compile() {
>      export BUILDTAGS="no_btrfs static_build netgo"
>      export CFLAGS="${CFLAGS}"
>      export LDFLAGS="${LDFLAGS}"
> +    export SHIM_CGO_ENABLED="${CGO_ENABLED}"
>
>      cd ${S}/src/import
>      oe_runmake binaries
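Review bot: `export SHIM_CGO_ENABLED="${CGO_ENABLED}"` hands the recipe-wide cgo setting to the shim builds, yet the Makefile comments in the companion patch say the shims are meant to be built without cgo and without PIE to get a static binary; if ${CGO_ENABLED} is 1 here (go.bbclass normally exports it as 1, but its value in this recipe is not visible in the diff) the shims become statically linked cgo binaries, which is not what the comment describes. Either export `SHIM_CGO_ENABLED="0"` explicitly, or add a comment above this line stating that cgo is wanted for the shims on this target and why. do_compile continues outside the hunk.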
> @@ -79,12 +80,16 @@ do_install() {
>
>   cp ${S}/src/import/bin/containerd ${D}/${bindir}/containerd
>   cp ${S}/src/import/bin/containerd-shim ${D}/${bindir}/containerd-shim
> + cp ${S}/src/import/bin/containerd-shim-runc-v1
> ${D}/${bindir}/containerd-shim-runc-v1
> + cp ${S}/src/import/bin/containerd-shim-runc-v2
> ${D}/${bindir}/containerd-shim-runc-v2
>   cp ${S}/src/import/bin/ctr ${D}/${bindir}/containerd-ctr
>
>   ln -sf containerd ${D}/${bindir}/docker-containerd
>   ln -sf containerd-shim ${D}/${bindir}/docker-containerd-shim
>   ln -sf containerd-ctr ${D}/${bindir}/docker-containerd-ctr
>
> + ln -sf containerd-ctr ${D}/${bindir}/ctr
> +
>   if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};
> then
>   install -d ${D}${systemd_unitdir}/system
>   install -m 644 ${WORKDIR}/containerd.service
> ${D}/${systemd_unitdir}/system
> diff --git
> a/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
> b/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
> new file mode 100644
> index 0000000..a58feed
> --- /dev/null
> +++
> b/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
> @@ -0,0 +1,70 @@
> +From 408e8b526d490af817a64b7220e8e2c3789de58f Mon Sep 17 00:00:00 2001
> +From: Bruce Ashfield <[email protected]>
> +Date: Sun, 10 Feb 2019 23:46:06 +0000
> +Subject: [PATCH] build: use oe provided GO and flags
> +
> +We want to use the go compiler as defined in the oe-enviroment, not the
> +generic call to 'go'. Without changing this, we'll get things like cgo
> +errors and invalid flag combos.
> +
> +Signed-off-by: Bruce Ashfield <[email protected]>
> +---
> + Makefile | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +Index: git/src/import/Makefile
> +===================================================================
> +--- git.orig/src/import/Makefile 2020-10-12 07:36:18.775820388 -0700
> ++++ git/src/import/Makefile 2020-10-12 08:00:05.134151221 -0700
> +@@ -163,19 +163,19 @@
> +
> + build: ## build the go packages
> + @echo "$(WHALE) $@"
> +- @go build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS}
> ${EXTRA_FLAGS} ${GO_LDFLAGS} ${PACKAGES}
> ++ @$(GO) build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS}
> ${EXTRA_FLAGS} ${GO_LDFLAGS} ${PACKAGES}
> +
> + test: ## run tests, except integration tests and tests that require root
> + @echo "$(WHALE) $@"
> +- @go test ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${PACKAGES})
> ++ @$(GO) test ${TESTFLAGS} $(filter-out
> ${INTEGRATION_PACKAGE},${PACKAGES})
> +
> + root-test: ## run tests, except integration tests
> + @echo "$(WHALE) $@"
> +- @go test ${TESTFLAGS} $(filter-out
> ${INTEGRATION_PACKAGE},${TEST_REQUIRES_ROOT_PACKAGES}) -test.root
> ++ @$(GO) test ${TESTFLAGS} $(filter-out
> ${INTEGRATION_PACKAGE},${TEST_REQUIRES_ROOT_PACKAGES}) -test.root
> +
> + integration: ## run integration tests
> + @echo "$(WHALE) $@"
> +- @go test ${TESTFLAGS} -test.root -parallel ${TESTFLAGS_PARALLEL}
> ++ @$(GO) test ${TESTFLAGS} -test.root -parallel ${TESTFLAGS_PARALLEL}
> +
> + benchmark: ## run benchmarks tests
> + @echo "$(WHALE) $@"
> +@@ -185,7 +185,7 @@
> +
> + define BUILD_BINARY =
> + @echo "$(WHALE) $@"
> +-@go build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@
> ${GO_LDFLAGS} ${GO_TAGS}  ./$<
> ++@$(GO) build ${DEBUG_GO_GCFLAGS} ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@
> ${GO_LDFLAGS} ${GO_TAGS}  ./$<
> + endef
> +
> + # Build a binary from a cmd.
> +@@ -194,15 +194,15 @@
> +
> + bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie
> for a static shim build:
> https://github.com/golang/go/issues/17789#issuecomment-258542220
> + @echo "$(WHALE) bin/containerd-shim"
> +- @CGO_ENABLED=${SHIM_CGO_ENABLED} go build ${GO_BUILD_FLAGS} -o
> bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
> ++ @CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build -a -pkgdir
> dontusecurrentpkgs ${GO_BUILD_FLAGS} -o bin/containerd-shim
> ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
> +
> + bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set
> !cgo and omit pie for a static shim build:
> https://github.com/golang/go/issues/17789#issuecomment-258542220
> + @echo "$(WHALE) bin/containerd-shim-runc-v1"
> +- @CGO_ENABLED=${SHIM_CGO_ENABLED} go build ${GO_BUILD_FLAGS} -o
> bin/containerd-shim-runc-v1 ${SHIM_GO_LDFLAGS} ${GO_TAGS}
> ./cmd/containerd-shim-runc-v1
> ++ @CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build -a -pkgdir
> dontusecurrentpkgs ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v1
> ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1
> +
> + bin/containerd-shim-runc-v2: cmd/containerd-shim-runc-v2 FORCE # set
> !cgo and omit pie for a static shim build:
> https://github.com/golang/go/issues/17789#issuecomment-258542220
> + @echo "$(WHALE) bin/containerd-shim-runc-v2"
> +- @CGO_ENABLED=${SHIM_CGO_ENABLED} go build ${GO_BUILD_FLAGS} -o
> bin/containerd-shim-runc-v2 ${SHIM_GO_LDFLAGS} ${GO_TAGS}
> ./cmd/containerd-shim-runc-v2
> ++ @CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build -a -pkgdir
> dontusecurrentpkgs ${GO_BUILD_FLAGS} -o bin/containerd-shim-runc-v2
> ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v2
> +
> + binaries: $(BINARIES) ## build binaries
> + @echo "$(WHALE) $@"
> --
> 2.39.2
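Review bot: The re-added patch silently grows `-a -pkgdir dontusecurrentpkgs` on the three shim build lines compared with the version deleted from containerd-opencontainers/, but its description (still the 2019 text) does not mention that, and it carries no `Upstream-Status:` tag as the OE patch guidelines ask for. `-a` forces every std package to be rebuilt for each shim, which costs build time, so the reason (presumably to avoid reusing packages compiled with the daemon's CGO_ENABLED setting — I am inferring that) should be written down. Suggest adding `Upstream-Status: Inappropriate [OE-specific build integration]` and a sentence such as `The shims are built with -a -pkgdir <scratch> so they do not reuse std packages compiled with the daemon's cgo settings.` to the header, and regenerating the stale `Makefile | 8 ++++----` diffstat to match the 1.4 hunks.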
>
>
> 
>
>