Google Git
Sign in
fuchsia / third_party / github.com / moby / moby / refs/tags/v18.06.2-ce^1..refs/tags/v18.06.2-ce / .
commitcdb0218236f1625134bf8ff5ecef2035eaa70e51[log] [tgz]
authorAndrew Hsu <andrewhsu@docker.com>Wed Feb 06 15:30:06 2019 -0800
committerGitHub <noreply@github.com>Wed Feb 06 15:30:06 2019 -0800
treee84ea01c6e33252eea1bf27350830934000e71ee
parent56ad4cdec604490933bc9455f946554a55d48902 [diff]
parentd212dfee1a4ef6a5312061d73d097aa3df8eebe6 [diff]
Merge pull request #239 from seemethere/bundle_me_up_1806

[18.06-ce] [ENGSEC-28] CVE-2019-5736 apply fix via git bundle instead of patches
diff --git a/Dockerfile b/Dockerfile
index 38ca482..a4af1f6 100644
--- a/Dockerfile
+++ b/Dockerfile

@@ -155,6 +155,7 @@
 ENV INSTALL_BINARY_NAME=runc
 COPY hack/dockerfile/install/install.sh ./install.sh
 COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+COPY git-bundles git-bundles
 RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
 
 FROM base AS tini

diff --git a/git-bundles/CVE-2019-5736.bundle b/git-bundles/CVE-2019-5736.bundle
new file mode 100644
index 0000000..dcd170a
--- /dev/null
+++ b/git-bundles/CVE-2019-5736.bundle
Binary files differ

diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
index 62263b3..3508ed9 100755
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer

@@ -2,6 +2,8 @@
 
 # When updating RUNC_COMMIT, also update runc in vendor.conf accordingly
 RUNC_COMMIT=69663f0bd4b60df09991c08812a60108003fa340
+RUNC_OVERRIDE_COMMIT=a592beb5bc4c4092b1b1bac971afed27687340c5
+RUNC_BUNDLE=/go/src/github.com/docker/docker/git-bundles/CVE-2019-5736.bundle
 
 install_runc() {
 	# Do not build with ambient capabilities support
@@ -11,12 +13,26 @@
 	git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
 	cd "$GOPATH/src/github.com/opencontainers/runc"
 	git checkout -q "$RUNC_COMMIT"
+
+	if [ -f "$RUNC_BUNDLE" ];then
+		git bundle unbundle "$RUNC_BUNDLE"
+		git checkout -q "$RUNC_OVERRIDE_COMMIT"
+		if [ "$(git rev-parse HEAD)" != "$RUNC_OVERRIDE_COMMIT" ]; then
+			echo "ERROR: Commit with bundle does not match override commit"
+			echo "       $(git rev-parse HEAD) != '$RUNC_OVERRIDE_COMMIT'"
+			exit 1
+		fi
+		RUNC_COMMIT=$RUNC_OVERRIDE_COMMIT
+	fi
+
 	if [ -z "$1" ]; then
 		target=static
 	else
 		target="$1"
 	fi
-	make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
+
+	OVERRIDE_VERSION="1.0.0-rc5+dev.docker-18.06"
+	make BUILDTAGS="$RUNC_BUILDTAGS" COMMIT="$RUNC_COMMIT" VERSION="$OVERRIDE_VERSION" "$target"
 	mkdir -p ${PREFIX}
 	cp runc ${PREFIX}/docker-runc
 }