This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.
CVE-2023-25809 is a vulnerability involving rootless containers where
(under specific configurations) the container would have write access to the
/sys/fs/cgroup/user.slice/... cgroup hierarchy. No other hierarchies on the host
were affected. This vulnerability was discovered by Akihiro Suda.
GHSA-m8cg-xc2p-r3fc
CVE-2023-27561 was a regression which effectively re-introduced CVE-2019-19921.
This bug was present from v1.0.0-rc95 to v1.1.4. This regression was discovered
by Beuc. GHSA-vpvm-3wq2-2wvm
CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same patch.
This variant of the above vulnerability was reported by Lei Wang.
GHSA-g2j6-57v7-gm8c
In addition, the following other fixes are included in this release:
- Fix the inability to use /dev/null when inside a container
- Fix changing the ownership of host's /dev/null caused by fd redirection
- Fix rare runc exec/enter unshare error on older kernels, including CentOS < 7.7
- nsexec: Check for errors in write_log()
https://github.com/opencontainers/runc/releases/tag/v1.1.5
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
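A defender-side check for the condition the CVE-2023-25809 note describes, added here as an example (it is not part of runc, Buildroot, or the release notes above): it parses /proc/self/mountinfo, in the format documented in proc(5), and lists cgroup v1/v2 mount points that are not mounted read-only. The sample mountinfo text is constructed, and the script only reports the per-mount 'ro' flag; it cannot tell which host configurations actually triggered the runc bug.

```python
"""Flag cgroup mounts that are writable in the current mount namespace.

Added example, not runc or Buildroot code. Parses /proc/self/mountinfo
(format per proc(5)) and reports cgroup v1/v2 mount points that lack the
per-mount 'ro' flag. SAMPLE_MOUNTINFO is constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in /proc/self/mountinfo format. The memory controller is
# mounted rw here on purpose so the check has something to report.
SAMPLE_MOUNTINFO = """\
25 20 0:22 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate
30 25 0:23 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
31 20 0:24 / /mnt/with\\040space rw,relatime - tmpfs tmpfs rw
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class MountEntry:
    mount_point: str
    mount_opts: List[str]   # per-mount flags (field 6), e.g. ro, nosuid
    fs_type: str
    super_opts: List[str]   # per-superblock options (last field)

    @property
    def is_cgroup(self) -> bool:
        return self.fs_type in ("cgroup", "cgroup2")

    @property
    def writable(self) -> bool:
        # The per-mount flag decides what this mount point allows, even when
        # the shared superblock itself was mounted rw.
        return "ro" not in self.mount_opts


def parse_mountinfo_line(line: str) -> MountEntry:
    # Optional fields (field 7 onwards) end at a lone '-' separator; splitting
    # on ' - ' keeps the parser correct whatever their count.
    left, sep, right = line.rstrip("\n").partition(" - ")
    if not sep:
        raise ValueError("malformed mountinfo line: %r" % line)
    lfields = left.split()
    rfields = right.split()
    if len(lfields) < 6 or len(rfields) < 3:
        raise ValueError("too few fields in mountinfo line: %r" % line)
    return MountEntry(
        mount_point=unescape(lfields[4]),
        mount_opts=lfields[5].split(","),
        fs_type=rfields[0],
        super_opts=rfields[2].split(","),
    )


def writable_cgroup_mounts(mountinfo_text: str) -> List[str]:
    """Return mount points of cgroup filesystems that are mounted read-write."""
    found = []
    for line in mountinfo_text.splitlines():
        if not line.strip():
            continue
        entry = parse_mountinfo_line(line)
        if entry.is_cgroup and entry.writable:
            found.append(entry.mount_point)
    return found


if __name__ == "__main__":
    import os
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for mp in writable_cgroup_mounts(text):
        print("writable cgroup mount:", mp)
```

Run it inside a container to see which cgroup mounts the container could write to; on a host without /proc/self/mountinfo it falls back to the constructed sample, where only /sys/fs/cgroup/memory is reported.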
There's a runtime dependency on tomli, but only for Python < 3.11.
Therefore this is not applicable for us.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Fix the following build failure without BR2_PACKAGE_SNMPPP_SNMPV3 raised
since bump to version 3.5.0 in commit
e011fa0415:
msgqueue.cpp: In member function 'int Snmp_pp::CSNMPMessage::ResendMessage()':
msgqueue.cpp:263:34: error: 'version3' was not declared in this scope; did you mean 'version1'?
  263 |   if (m_target->get_version() == version3) {
      |                                  ^~~~~~~~
      |                                  version1
Fixes:
- http://autobuild.buildroot.org/results/8ef3e4407a51c53c15e530606227338761dd905b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/c92a3df1bc73e00e1e4493500bfb7277cf5064ee
.../build/flann-1.9.2/src/cpp/flann/util/lsh_table.h:367:5: error: 'random_device' is not a member of 'std'
    std::random_device rd;
    ^
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Extend the linux-tools package to also build the userspace USB tools,
which currently include testusb and ffs-test.
These tools have been in the kernel tree for a long time, and although a
Makefile had been present since kernel 2.6.39, it was entirely
rewritten (with an install rule) back with kernel 5.9, to allow building
the same way as other tools provided with the kernel.
We make use of the Makefile install rule, thus version >= 5.9 is
required. Support for older kernels may be added later if needed, and
is left as an exercise for the motivated party.
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
[yann.morin.1998@free.fr: fix history of Makefile]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The value of the RM variable in make is 'rm -f' [0], thus the additional
-f is redundant. Avoid it in the docs so that developers do not take it as
a good example to follow.
[0] https://www.gnu.org/software/make/manual/make.html#index-RM
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The value of the RM variable in make is 'rm -f' [0], thus the additional
-f is redundant.
[0] https://www.gnu.org/software/make/manual/make.html#index-RM
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Now that LVM2 can be built using musl, drop the toolchain config
restriction.
Signed-off-by: Simon Rowe <simon.rowe@nutanix.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LVM relies on the glibc-specific behaviour of assigning to the
standard streams (stdin etc). As a result the package is currently
disabled when using musl.
This commit backports two patches from upstream lvm2 (not yet in a
release) that fix some build issues with musl, and two additional
patches taken from the Gentoo distribution to address more issues.
With those 4 patches combined, lvm2 builds fine with musl and can
therefore be re-enabled in musl configurations.
Signed-off-by: Simon Rowe <simon.rowe@nutanix.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
check-package complains with:
package/python-marshmallow-sqlalchemy/python-marshmallow-sqlalchemy.hash:2: separation does not match expectation (http://nightly.buildroot.org/#adding-packages-hash)
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
This variable is no longer used anywhere in the tree so remove it.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Remove all support for FOO_GETTEXTIZE and alert users to FOO_AUTOPOINT
as the recommended solution in its stead. We can use the standard
check-deprecated-variable for this, because from a user perspective
FOO_AUTOPOINT is pretty-much a drop-in replacement.
The warnings about FOO_GETTEXTIZE_OPTS are no longer relevant, because
they will only make sense if FOO_GETTEXTIZE was already set.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
[Arnout:
- use check-deprecated-variable;
- remove FOO_GETTEXTIZE_OPTS warnings;
- remove definition of GETTEXTIZE]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Commit 895bfba dropped POPT_AUTORECONF but did not drop POPT_GETTEXTIZE,
which requires POPT_AUTORECONF = YES.
Fixes: 895bfba ("package/popt: bump to version 1.19")
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Drop patch that is no longer necessary after moving to new package flag.
Add patch to fix builds due to missing required files.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Add a new variable to run autopoint during autoreconf.
This variable depends on FOO_AUTORECONF = YES. It is mutually exclusive
with FOO_GETTEXTIZE. If both are set, FOO_AUTOPOINT is ignored to preserve
previous behavior.
This support is being added per a previous discussion [1].
The usage of gettextize needs to be removed cuz mama says so [2].
... is not part of the GNU build system, in the sense that it should
not be invoked automatically, and not be invoked by someone who doesn’t
assume the responsibilities of a package maintainer. For the latter
purpose, a separate tool is provided, see Invoking the autopoint Program [3]
Using gettextize has the unintended consequence of updating the package
based on the version of host-gettext vs what was chosen by the upstream
maintainer. As mama said above, we should use autopoint. Do as she says
to avoid further scolding (gettextize shoehorning and package patching).
[1] https://patchwork.ozlabs.org/project/buildroot/patch/20170827110920.15579-1-aleksander@aleksander.es/
[2] https://www.gnu.org/software/gettext/manual/html_node/gettextize-Invocation.html
[3] https://www.gnu.org/software/gettext/manual/html_node/autopoint-Invocation.html
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Previously, AUTOPOINT was hardcoded to /bin/true in autoconf.mk.
Moving the definition of this variable into AUTOCONF_ENV as part of the
autotools infrastructure will allow us to conditionally set the variable
based on package flags to support migrating away from FOO_GETTEXTIZE.
While we're at it, split the overly long line that defines AUTORECONF,
wrapping at 80 columns.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
[Arnout: split long line]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
No package in the current tree is currently utilizing this option.
The long term solution is to use autopoint over gettextize in which case
these options aren't relevant anyway.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
For change log, see:
https://www.greenwoodsoftware.com/less/news.608.html
Note 1: the package patch is kept, as it is included in version 609.
Note 2: the license file hash changed due to the year update.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Verified license remains MIT after hash changed.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
License hash changed due to year update:
9beda0bed2
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
License hash changed due to copyright header change:
49c41440e1
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Migrate to flit build backend.
Use license file instead of readme hashes.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
License hash changed due to date update:
e3055cd5ba
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>