Merge pull request #240 from seemethere/bundle_me_up_1809

[18.09-ce] [ENGSEC-30] CVE-2019-5736 apply fix via git bundle instead of patches
diff --git a/Dockerfile b/Dockerfile
index 6acae07..233a565 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -154,6 +154,7 @@
 FROM runtime-dev AS runc
 ENV INSTALL_BINARY_NAME=runc
 COPY hack/dockerfile/install/install.sh ./install.sh
+COPY git-bundles /go/src/github.com/docker/docker/git-bundles
 COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
 RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
 
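Review bot: The destination path `/go/src/github.com/docker/docker/git-bundles` is hard-coded here and again as `RUNC_BUNDLE` in hack/dockerfile/install/runc.installer, and the installer only tests the path with `-f`, so moving either side would not fail the build but would silently skip the override and build the unpatched commit. A comment tying the two together, e.g. `# consumed by hack/dockerfile/install/runc.installer via RUNC_BUNDLE`, makes the coupling visible to whoever next edits this stage.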
diff --git a/git-bundles/CVE-2019-5736.bundle b/git-bundles/CVE-2019-5736.bundle
new file mode 100644
index 0000000..0de9be4
--- /dev/null
+++ b/git-bundles/CVE-2019-5736.bundle
Binary files differ
diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
index c6d2898..1ad05ea 100755
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -5,6 +5,8 @@
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
 RUNC_COMMIT=96ec2177ae841256168fcf76954f7177af9446eb
+RUNC_OVERRIDE_COMMIT=09c8266bf2fcf9519a651b04ae54c967b9ab86ec
+RUNC_BUNDLE=/go/src/github.com/docker/docker/git-bundles/CVE-2019-5736.bundle
 
 install_runc() {
 	# If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting
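Review bot: The two new variables carry no comment, while the lines directly above explain that RUNC_COMMIT must track containerd's pin; a reader cannot tell that RUNC_OVERRIDE_COMMIT is a CVE-2019-5736 fix layered on top of RUNC_COMMIT through the bundle, nor when it is safe to delete. Suggest `# CVE-2019-5736 fix applied from the git bundle below; drop both once RUNC_COMMIT includes it` above RUNC_OVERRIDE_COMMIT. install_runc opens on the last lines of this hunk and its body continues past it.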
@@ -19,12 +21,25 @@
 	git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
 	cd "$GOPATH/src/github.com/opencontainers/runc"
 	git checkout -q "$RUNC_COMMIT"
+
+	if [ -f "$RUNC_BUNDLE" ];then
+		git bundle unbundle "$RUNC_BUNDLE"
+		git checkout -q "$RUNC_OVERRIDE_COMMIT"
+		if [ "$(git rev-parse HEAD)" != "$RUNC_OVERRIDE_COMMIT" ]; then
+			echo "ERROR: Commit with bundle does not match override commit"
+			echo "       $(git rev-parse HEAD) != '$RUNC_OVERRIDE_COMMIT'"
+			exit 1
+		fi
+		RUNC_COMMIT=$RUNC_OVERRIDE_COMMIT
+	fi
+
 	if [ -z "$1" ]; then
 		target=static
 	else
 		target="$1"
 	fi
-	make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
+	OVERRIDE_VERSION="1.0.0-rc6+dev.docker-18.09"
+	make BUILDTAGS="$RUNC_BUILDTAGS" COMMIT="$RUNC_COMMIT" VERSION="$OVERRIDE_VERSION" "$target"
 	mkdir -p ${PREFIX}
 	cp runc ${PREFIX}/runc
 }
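Review bot: When the bundle file is absent the new `if [ -f "$RUNC_BUNDLE" ]` block is skipped silently and the build continues with the unpatched RUNC_COMMIT, so a build context that omits git-bundles yields a runc without the CVE-2019-5736 fix and nothing in the output says so. An `else` branch with `echo "WARNING: $RUNC_BUNDLE not found, building unpatched $RUNC_COMMIT" >&2` (or `exit 1` if the bundle is mandatory on this branch) would surface that. The two `echo "ERROR: ..."` lines in the mismatch branch also print to stdout; appending `>&2` keeps them out of captured build output. Running `git bundle verify "$RUNC_BUNDLE"` before `git bundle unbundle` would fail earlier with a clearer message, although the comparison of `git rev-parse HEAD` against the full 40-character RUNC_OVERRIDE_COMMIT is what actually pins the checked-out tree and should stay. install_runc begins before this hunk, so whether `set -e` covers the unchecked `git bundle unbundle` and `git checkout -q` calls is not visible here.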