runc:fix apply failed for patch of fix CVE-2024-3154

git-commit

@@ -1 +1 @@
-8fc687c6fb64e110866466035e90c718d58f2c7f
+288b7252b0db60842f5d7e1b9716c84c98f4ea30

patch/0039-runc-fix-CVE-2024-3154.patch

@@ -1,35 +1,20 @@
-From eefc6ae2544a6819da9f92c5aa8e65d356da4c96 Mon Sep 17 00:00:00 2001
+From 3107921b5e32c860e476fe413dcd70174dd38401 Mon Sep 17 00:00:00 2001
-From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Sat, 9 Mar 2024 21:30:56 +0900
+Date: Thu, 23 May 2024 19:15:34 +0800
 Subject: [PATCH] features: implement returning
  potentiallyUnsafeConfigAnnotations list
 
-See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson
-
-Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 ---
- docs/spec-conformance.md | 1 -
+ features.go                | 5 +++++
- features.go              | 5 +++++
+ types/features/features.go | 6 ++++++
- 2 files changed, 5 insertions(+), 1 deletion(-)
+ 2 files changed, 11 insertions(+)
 
-diff --git a/docs/spec-conformance.md b/docs/spec-conformance.md
-index 91c12aea8ac..b4f3b9df660 100644
---- a/docs/spec-conformance.md
-+++ b/docs/spec-conformance.md
-@@ -9,7 +9,6 @@ Spec version | Feature                                        | PR
- -------------|------------------------------------------------|----------------------------------------------------------
- v1.1.0       | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV`       | [#3862](https://github.com/opencontainers/runc/pull/3862)
- v1.1.0       | `.process.ioPriority`                          | [#3783](https://github.com/opencontainers/runc/pull/3783)
--v1.2.0       | Features: `potentiallyUnsafeConfigAnnotations` | TODO
- 
- ## Architectures
- 
 diff --git a/features.go b/features.go
-index 81cd149ac73..eff04c1b2d2 100644
+index c9cd15c..7f76e7a 100644
 --- a/features.go
 +++ b/features.go
-@@ -64,6 +64,11 @@ var featuresCommand = cli.Command{
+@@ -55,6 +55,11 @@ var featuresCommand = cli.Command{
- 					},
+ 					Enabled: &tru,
  				},
  			},
 +			PotentiallyUnsafeConfigAnnotations: []string{
@@ -40,3 +25,23 @@ index 81cd149ac73..eff04c1b2d2 100644
  		}
  
  		if seccomp.Enabled {
+diff --git a/types/features/features.go b/types/features/features.go
+index c6269ca..8b467f7 100644
+--- a/types/features/features.go
++++ b/types/features/features.go
+@@ -25,6 +25,12 @@ type Features struct {
+ 	// Annotations contains implementation-specific annotation strings,
+ 	// such as the implementation version, and third-party extensions.
+ 	Annotations map[string]string `json:"annotations,omitempty"`
++
++	// PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
++	// that may appear in `config.json`.
++	//
++	// A value that ends with "." is interpreted as a prefix of annotations.
++	PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
+ }
+ 
+ // Linux is specific to Linux.
+-- 
+2.33.0
+

runc.spec

@@ -3,7 +3,7 @@
 
 Name: runc
 Version: 1.1.8
-Release: 15
+Release: 16
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Thu May 23 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.8-16
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix apply failed for patch of fix CVE-2024-3154
+
 * Thu May 09 2024 zhaosai<zhaosaisai@kylinos.cn> - 1.1.8-15
 - Type:cves
 - CVE:CVE-2024-3154

series.conf

@@ -35,3 +35,4 @@ patch/0035-runc-Fix-undefined-behavior.patch
 patch/0036-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0037-runc-fix-CVE-2024-21626.patch
 patch/0038-runc-check-cmd-exist.patch
+patch/0039-runc-fix-CVE-2024-3154.patch