Security update for buildkit

Announcement ID:	SUSE-SU-2025:20107-1
Release Date:	2025-02-03T09:18:58Z
Rating:	important
References:	bsc#1219267 bsc#1219268 bsc#1219438
Cross-References:	CVE-2024-23651 CVE-2024-23652 CVE-2024-23653
CVSS scores:	CVE-2024-23651 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-23651 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2024-23652 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2024-23652 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2024-23653 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-23653 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Micro 6.0

An update that solves three vulnerabilities can now be installed.

Description:

This update for buildkit fixes the following issues:

Update to version 0.12.5:
update runc to v1.1.12
exec: add extra validation for submount sources (fixes CVE-2024-23651, bsc#1219267)
oci: fix error handling on submount calls
executor: recheck mount stub path within root after container run (fixes CVE-2024-23652, bsc#1219268)
llbsolver: make sure interactive container API validates entitlements (fixes CVE-2024-23653, bsc#1219438)
gateway: pass executor with build and not access worker directly
pb: add extra validation to protobuf types
sourcepolicy: add validations for nil values
exporter: add validation for platforms key value
exporter: add validation for invalid platorm
exporter: validate null config metadata from gateway
ci: disable push if not upstream repo
hack: use git context only for upstream repo
hack/test: allow ALPINE_VERSION to be set from env
hack: align syntax
vendor: github.com/cyphar/filepath-securejoin v0.2.4
tracing: allow the Resource to be set externally
Update to version 0.12.4:
Fix possible concurrent map access on remote cache export
Fix hang on debug server listener
Fix possible deadlock in History API under high number of parallel builds
Fix possible panic on handling deleted records in History API
Fix possible data corruption in zstd library
Update to version 0.12.3:
Fix possible duplicate source files in provenance attestation for chained builds
Fix possible negative step time in progressbar for step shared with other build request
Fix properly closing history and cache DB on shutdown to avoid corruption
Fix incorrect error handling for invalid HTTP source URLs
Fix fallback cases for ambiguous insecure configuration provided for registry used as push target.
Fix possible data race with parallel image config resolves
Fix regression in v0.12 for clients waiting on buildkitd to become available
Fix Cgroup NS handling for hosts supporting only CgroupV1
Update to version 0.12.2:
Fix possible discarded network error when exporting result to client
Avoid unnecessary memory allocations when writing build progress
Update to version 0.12.1:
executor: fix resource sampler goroutine leak
[v0.11] make tracing socket forward error non-fatal
integration: missing env var to check feature compat
test: update pinned busybox image to 1.36
test: update pinned alpine image to 3.18
vendor: github.com/docker/docker 8e51b8b59cb8 (master, v25.0.0-dev)
executor/resource: stub out NewSysSampler on Windows
vendor: github.com/docker/cli v24.0.4
testutil: move CheckContainerdVersion to a separate package
llbsolver: fix policy rule ordering
filesync: fix backward compatibility with encoding + and %
hack: allow to set GO_VERSION during tests
test: always disable tls for dockerd worker
buildctl: set max backoff delay to 1 second
contenthash: data race
filesync: escape special query characters
applier: add hack to support docker zstd layers
Fix various nits
pullprogress data race
use sampler lock instead
Fix ResolveImageConfig to evaluate source policy
sampler data race fix
update cgroup parent test to work with cgroupns
Revert "specify a ResponseHeaderTimeout value"
oci: make sure cgroupns is enabled if supported
bash lint fix
rename BUILDFLAGS to GOBUILDFLAGS
allow ENOTSUP for PSI cgroup files
containerimage: use platform matcher to detect platform to unpack
exporter: silently skip unpacking unknown reference
improve error handling in ReadFile
dockerfile: arg for controlling go build flags
dockerfile: arg to enable go race detection
Add support for health start interval
Re-vendor moby/moby
filesync: mark if options have been encoded to detect old versions
dockerfile: heredoc should use 0644 permissions
docs: update README to reference OpenTelemetry instead of OpenTracing
gateway: restore original filename in ReadFile error message
Dockerfile: update containerd to v1.7.2
Use system.ToSlash() instead of filepath.ToSlash()
Revert most changes to client/llb
Remove Architecture
Default to linux in client
Ensure we use proper path separators
Set default platform
Add nil pointer check in dispatchWorkdir
Remove nil pointer check and extra NormalizePath
Rename variable, remove superfluous check
Use current OS as a default
Handle file paths base on target platform
exporter: unlazy references in parallel
exporter: simplify unlazy references to reduce duplication
exporter: allow unpack on multi-platform images
tests: add unpack to scratch export test
overlay: set whiteout timestamps to 1970-01-01 (not to SOURCE_DATE_EPOCH)
dockerfile: graduate ADD --checksum=<checksum> from labs
dockerfile: graduate ADD <git ref> from labs
dockerfile: mod-outdated target to check modules updates
dockerfile: use xx in dnsname stage
dockerfile: install musl-dev to fix compilation issue
dockerfile: update Alpine to 3.18
vendor: update fsutil to 36ef4d8
export(local): split opt
buildctl: Provide --wait option
containerimage: support SOURCE_DATE_EPOCH for CreatedAt
move flightcontrol to use generics
containerimage: keep layer labels for exported images
shell: start shell from cmd, not entrypoint
sbom: propogate image-resolve-mode for generator image
client: add extra debug to tests
handle missing provenance for non-evaluated result
tests: add provenance test for duplicate platform
tests: add provenance test for when context directory does not exist
forward: make BridgeClient public for lint
gateway: enable named contexts for gateway frontend
vendor: update vt100 with resize panic fix
docs: dockerfile: remove "known issues" related to AuFS
docs: add running instruction to CONTRIBUTING.md
tests: add worker close method to interface
add and check for gateway.exec.secretenv cap
move Secretenv from Meta to InitMessage
support passing SecretEnv to gateway containers
Add comment, update from review
Fix issue with digest merge (inconsistent graph state)
docs: add helper commands section to CONTRIBUTING.md
docs: update CONTRIBUTING.md whitespace formatting
integration: fix not deleting dockerd workdir
remove uses of deprecated ResolverOptions.Client
filesync: fix handling non-ascii in file paths
tests: add test for unicode filenames
Adding more docs to client/llb
Add special case for rw bind mounts
vendor: github.com/docker/cli v24.0.2
vendor: github.com/docker/docker v24.0.2
progressui: fix index printing on partial rows
gateway: wrap ExecProcessServer Send calls with a mutex
resources: make maxsamples configurable
llbsolver: add systemusage samples to provenance attestation
resources: store sys cpu usage per step
resources: add sampler for periodic stat reads
resources: CNI network usage sampling support
resources: add build step resource tracking via cgroups
solver: lock before using actives
Emulate "bind" mounts using the bind filter
Fix mount layers on host
llbsolver: set temporary lease in Commit context
Update containerd dependency
exporter: Add exptypes with Common exporter keys
exporter/image/exptypes: Make strongly typed
solver: move AddBuildConfig into llbsolver package
tests: add test to check url format for image loaded from oci layout
solver: mark locally loaded images as such
solver: merge local and remote images into single list
purl: allow RefToPURL to take a type parameter
tests: don't use purl code to test itself
Use linux as a default for inputOS
Add path handling functions
response to comments
containerimage: Export option keys
vendor: update spdx/tools-golang to v0.5.1
exporter: remove non dist options from tar exporter
exporter: move fs opt parsing to method
tests: fixup attestation tar to not panic when file not found
git: set umask without reexec
add language property for sourcemap
dockerfile/docs: add set -ex to heredoc #3870
authprovider: fix a bug where registry-1.docker.io auth was always a cache miss
response to comments
tracing: fix buildx tracing delegation
Update continuity and fsutil
cache: add a few more fields to ref trace logs.
vendor: github.com/containerd/go-runc v1.1.0
provenance: fix possible empty digest access
vendor: fix broken vendoring
dockerfile: bump up nerdctl to v1.4.0
bump nydus-snapshotter dependence to v0.8.2
vendor: github.com/docker/cli v24.0.1
vendor: github.com/docker/docker v24.0.1
vendor: github.com/containerd/containerd v1.7.1
vendor: github.com/Microsoft/hcsshim v0.10.0-rc.8
vendor: github.com/Microsoft/go-winio v0.6.1
vendor: golang.org/x/sys v0.7.0
vendor: github.com/containerd/typeurl/v2 v2.1.1
chore: bump spdx tools
Fix typo in attestation-storage.md
vendor: github.com/docker/cli v24.0.0
vendor: github.com/docker/docker v24.0.0
vendor: github.com/opencontainers/runc v1.1.7
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
vendor: github.com/klauspost/compress v1.16.3
Dockerfile: CONTAINERD_VERSION=v1.7.1
Dockerfile: CONTAINERD_ALT_VERSION_16=v1.6.21
Dockerfile: RUNC_VERSION=v1.1.7
session: avoid logging healthcheck error on canceled connection
session: fix run and close synchronization
testutil: update ReadImages to fallback to reading manifest
Add trace logs for cache leaks.
Add some doc strings for LLB functions
attestations: move containerd media type warnings
update generated proto files
attestations: replace intoto media type with vendored const
nydus: bump nydus versions in Dockerfile and doc
feedback changes for moby/buildkit #2251
testutil: expose underlying docker address for supported workers
testutil: expose integration workers as public
remove type aliases for leasemanager/contentstore
llbsolver: move history blobs to a separate namespace
build(deps): bump github.com/docker/distribution
added import/export support for OCI compatible image manifest version of cache manifest (opt-in on export, inferred on import) moby/buildkit #2251
llb: carry platform from inputs for merge/diff
llb: don't include platform in fileop
control: fix possible deadlock on network error
exporter/containerimage: remove redundant type for var declaration
Fix not to set the value on empty vertex
Fix to import as digest
cache: always release ref when getting size in usage.
Drop unneeded variable
ssh: add fallback to ensure conn is closed in all cases.
vendor: github.com/opencontainers/image-spec v1.1.0-rc3
vendor: github.com/docker/cli v23.0.5
vendor: github.com/docker/docker v23.0.5
nydus: update nydus-snapshotter dependency to v0.8.0
progressui: fix possible zero prefix numbers in logs
llbsolver: send active event only to current client
llbsolver: send delete status event
llbsolver: filter out records marked deleted from list responses
Add Windows service support
docs: fixup build repro doc with updated policy format
test: use appropriate snapshotter service to walk snapshots
overlay: use function to check for overlay-based mounts
Update uses of Image platform fields in OCI image-spec
allow setting user agent products
Bump up golangci-lint to v1.52.2
chore: tidy up duplicated imports
solver: Release unused refs in LoadWithParents
Avoid panic on parallel walking on DefinitionOp
solver: skip sbom post processor if result is nil
vendor: github.com/docker/docker v23.0.4
vendor: github.com/docker/cli v23.0.4
vendor: golang.org/x/time v0.3.0
vendor: github.com/docker/cli v23.0.2
vendor: github.com/docker/docker v23.0.2
test: don't hang if a process doesn't run
ci: put worker name first for better UX in actions
go.mod: remove github.com/kr/pretty
Revert "Problem: can't use anonymous S3 credentials"
go.mod: bump up runc to v1.1.6
go.mod: Bump up stargz-snapshotter to v0.14.3
dockerfile: bump up stargz-snapshotter to v0.14.3
dockerfile: bump up runc to v1.1.6
buildkitd: add grpc reflection
Bump up nerdctl to 1.3.0
Bump up containerd 1.6.20
Fix gzip decoding of HTTP sources.
ci: update runner os to ubuntu 22.04
Fix bearer token expiration check (fixes #3779)
docs: update buildkitd.toml with new field info
buildkitd: allow durations for gc config
buildkitd: allow multiple units for gc config
dockerui: expose context detection functions as public
Prevent overflow of runc exit code.
Upgrade to latest go-runc.
runc worker: fix sigkill handling
Dockerfile: RUNC_VERSION=v1.1.5
client: add client opts to enable system certificates
Make ClientOpts type safe
build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5
fileop: create new fileOpSolver instance per Exec call
Provide CacheManager to Controller instead of CacheKeyManager.
http: ensure HEAD and GET requests have same headers
docs: add auto-generated sections to buildctl.md
client: allow grpc dial option passthrough
cni: simplify netns creation
add Bass to list of LLB languages
llbsolver: fix sorting of history records
llbsolver: Fix performance of recomputeDigests
solve: use comparables instead of reflection in result struct
vendor: github.com/docker/cli v23.0.1
vendor: github.com/docker/docker v23.0.1
client: create oci-layout file in StoreIndex
ci: output annotations for failures
test: set mod vendor
test: use gotestsum to generate reports
fix gateway exec tty cleanup on context.Canceled
fix process termination handling for runc exec
Register builds before recording build history
docs(dockerfile): minimal Dockerfile version support for chmod
Update builder.md to document newly supported --chmod features in both ADD and COPY statements.
use bklog.G(ctx) instead of logrus directly
integration: missing mergeDiff compat check
chore: translateLegacySolveRequest does not need to return error checking.
integration: split feature compat check for subtests
integration: missing feature compat check for cache
dockerfile: fix reproducible digest test for non-amd64
integration: add FeatureMergeDiff compat
integration: add FeatureCacheBackend* compat
integration: enforce features compat through env vars
ci: upstream docs conformance validation
dockerfile(docs): fix liquid syntax
Problem: can't use anonymous S3 credentials
hack: remove build_ci_first_pass script
hack: binaries and cross bake targets
go.mod: update to go 1.20
Dockerfile: CONTAINERD_VERSION=v1.7.0
go.mod: github.com/containerd/containerd v1.7.0
Add Namespace to list of buildkit users.
remove buildinfo
buildinfo: add BUILDKIT_BUILDINFO build arg
buildinfo: mark as deprecated
docs: deprecated features page
rootless: guide for Bottlerocket OS (sysctl -w user.max_user_namespaces=N)
rootless: fix up unprivileged mount opts
Dockerfile: CONTAINERD_VERSION=v1.7.0-rc.3, CONTAINERD_ALT_VERSION_16=v1.6.19
go.mod: github.com/containerd/containerd v1.7.0-rc.3
version: add "v" prefix to version for tagging convention consistency
remove context name validation from kubepod connhelper
gateway: add hostname option to NewContainer API
fix error message typo
provenance: ensure URLs are redacted before written
test/client: Close buildkit client
docs: missing security policy markdown file
diffapply: do chown before xattrs
Add test for merge of files with capabilities.
fix a possible panic on cache
Update cmd/buildkitd/main_windows.go
ci(validate): use bake
hack: shfmt bake target
hack: generated-files bake target
hack: doctoc bake target
hack: lint bake target
hack: authors Dockerfile and bake target
hack: bake definition with vendor targets
Fix buildkitd panic when frontend input is nil.
ci: trigger workflows on push to release branches
build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0
ci: create GitHub Release for frontend as well
ci: make release depends on image job
lint: fix issues with go 1.20
remove deprecated golangci-lint linters
update golangci-lint to v1.51.1
update to go 1.20
Allow DefinitionOp to track sources
specify a ResponseHeaderTimeout value
Ensures that the primary GID is also included in the additional GIDs
ci: fix missing TESTFLAGS env var in test-os workflow
Dockerfile: update containerd to v1.7.0-beta.4, v1.6.18
go.mod: github.com/containerd/containerd v1.7.0-beta.4
ci: update softprops/action-gh-release to v0.1.15
ci: remove unused vars in dockerd workflow
ci: split cross job
Dockerfile: remove binaries-linux-helper stage
ci: rename unclear env vars
readme: fix and update badges
ci: rename build workflow to buildkit
ci: reusable test workflow
ci: move test-os to a dedicated workflow
ci: move frontend integration tests and build to a dedicated workflow
stargz-snapshotter: graduate from experimental
Bump up stargz-snapshotter to v0.14.1
set osversion in index descriptor from base image
progress: solve status description
ci: update buildx to latest
Dockerfile: update xx to 1.2.1
integration: make sure registry directory exists
gha: avoid range requests with too big offset
ci: merge test-nydus job in test one
ci: remove branch restriction on pull request event
client: add tests for layerID in comment field
exporter: fix sbom supplement core detection
exporter: fix supplement sboms on empty scratch layer
exporter: fix file layer finder whiteout detection
exporter: canonicalize sbom file paths during search
Add platform tracing socket paths and mounts
integration: log dockerd cmd
integration: set custom flags for dockerd worker
remotecache: proper exporter naming for gha, s3 and azblob
remotecache: explicit names for registry and local
exporter: use compression.ParseAttributes func
remotecache: mutualize compression parsing attrs
lex: add support for optional colon in variable expansion
test: rework TestProcessWithMatches to use a matrix
dockerfile: update to use dockerui pkg
dockerui: separate docker frontend params to reusable package
cache: add fallback for snapshotID
exporter: remove wrappers for oci data types
vendor: github.com/docker/cli v23.0.0
vendor: github.com/docker/docker v23.0.0
hack: do not cache some stages on release
hack: do not set attest flags when exporting to docker
git: override the locale to ensure consistent output
fix support for empty git ref with subdir
gitutil: use subtests
source: more tests cases for git identifier
source: use subtests cases for git identifier
otel: bump dependencies to v1.11.2/v0.37.0
hack: treat unset variables as an error
frontend: fix typo in release script
ci: create matrix for building frontend image
inline cache: fix blob indexes by uncompressed digest
Skip configuring cache exporter if it is nil.
docs: update syntax for labs channel in examples
integration: remove wrong compat condition
integration: fix compat check for CNI DNS test
cache: don’t link blobonly based on chainid
do not mount secrets that are optional and missing from solve opts
SOURCE_DATE_EPOCH: drop timezone
sbom: create tmp directory for scanner image
progress: keep color enabled with NO_COLOR empty
hack: remove azblob_test
integration: basic azblob cache test
test: add proxy build args when existed
vendor: github.com/docker/cli v23.0.0-rc.3
vendor: github.com/docker/docker v23.0.0-rc.3
vendor: golang.org/x/net v0.5.0
vendor: golang.org/x/text v0.6.0
vendor: golang.org/x/sys v0.4.0
Dockerfile: CNI plugins v1.2.0
Dockerfile: CONTAINERD_VERSION=v1.7.0-beta.3, CONTAINERD_ALT_VERSION_16=v1.6.16
Fix tracing listener on Windows
go.mod: github.com/containerd/containerd v1.7.0-beta.3
control: send current timestamp header with event streams
vendor: update containerd to v1.6.16-0.1709cfe273d9
buildctl: add ref-file to get history record for a build
client: make sure ref is configurable for the history API
history: save completed steps with cache stats
history: fix exporter key not being passed
history: fix logs and traces are saving on canceled builds
hack: add correct entrypoint to shell script
ci: use moby/buildkit:latest in build action
dockerfile: add testReproSourceDateEpoch
Fix cache cannot reuse lazy layers
Correct manifests_prefix documentation for S3 cache
Use golang.org/x/sys/windows instead of syscall
dockerfile: release frontend for i386 platform
Add get-user-info utility
optimize --dry-run flag
fix(tracing): spelling of OTEL_TRACES_EXPORTER value
Propagate sshforward send side connection close
buildctl: add buildctl debug histories, buildctl prune-histories
dockerfile: fix panic on warnings with multi-platform
vendor: github.com/docker/cli v23.0.0-rc.2
vendor: github.com/docker/docker v23.0.0-rc.2
vendor: github.com/containerd/containerd v1.6.15
cache: add registry.insecure option to registry exporter
Make local cache non-lazy
docs/build-repro.md: add the SOURCE_DATE_EPOCH section
docs: clarified build argument example by changing the variable name
azblob cache: account_name attribute
docs: master -> 0.11
ci: fix dockerd workflow with latest changes from moby
integration: set mirrors and entitlements with dockerd worker
github: update CI to buildkit version
exporter: ensure spdx order prioritizes primary sbom
hack: remove s3_test
integration: basic s3 cache test
integration: add runCmd and randomString utils
integration: expose backend logs in sandbox interface
azblob_test: pin busybox to avoid "Illegal instruction" error
docs: add nerdctl container buildkitd address docs
feat: add namespace support for nerdctl container
ci: add ci to check README toc
testutil: pin busybox and alpine used in releases
exporter: allow configuring inline attestations for image exporters
exporter: force enabling inline attestations for image export
docs: change semicolons to double ampersands
llbsolver: fix panic when requesting provenance on nil result
vendor: update fsutil to fb43384
attestation: only supplement file data for the core scan
docs: add index page for attestations
docs: move attestation docs to dedicated directory
docs: rename slsa.md to slsa-provenance.md
docs: tidy up json examples for slsa definitions
docs: add cross-linking between slsa pages
Flakiness in azblob test job
vendor: update spdx/tools-golang to d6f58551be3f
feat: add nerdctl-container support for client
docs: slsa review updates
docs: moved slsa definitions to a separate page
docs: slsa editorial fixes
docs: add filename to provenance attestation
docs: update hermetic field after it was moved in implementation
docs: update provenance docs
docs: add slsa provenance documentation
progress: fix clean context cancelling
fix: updated_at -> updated-at
Solve panic due to concurrent access to ExportSpans
feat: allow ignoring remote cache-export error if failing
add cache stats to the build history API
vendor: github.com/docker/cli v23.0.0-rc.1
vendor: github.com/docker/docker v23.0.0-rc.1
vendor: github.com/containerd/containerd v1.6.14
frontend: fix testMultiStageImplicitFrom to account for busybox changes
sshforward: skip conn close on stream CloseSend.
chore: update buildkitd.toml docs with mirror path example
feat: handle mirror url with path
provenance: fix the order of the build steps
provenance: move hermetic field into a correct struct
add possibility to override filename for provenance
Fix typo in CapExecMountBindReadWriteNoOutput.
Use SkipOutput instead of -1 for output indexes to clarify semantics.
fix indentation for in-toto and traces
attestation: forbid provenance attestations from frontend
attestation: validate attestations before unbundling as well
exporter: make attestation validation public
result: change reason types to strings
attestations: ignore spdx parse errors
attestations: propogate metadata through unbundling
gateway: add addition check to prevent content func from being forwarded
ociindex: add utility method for getting a single manifest from the index
ociindex: refactor to hide implementation internally
cache: test gha cache exporter
containerdexecutor: add network namespace callback
frontend/dockerfile: BFlags.Parse(): use strings.Cut()
frontend/dockerfile: parseExtraHosts(): use strings.Cut()
frontend/dockerfile: parseMount() use strings.Cut(), and some minor cleanup
frontend/dockerfile: move check for cache-sharing
frontend/dockerfile: provide suggestions for mount share mode
frontend/dockerfile: define types for enums
frontend/dockerfile/shell: use strings.Equalfold
frontend/dockerfile/parser: remove redundant concat
frontend/dockerfile: parseBuildStageName(): pre-compile regex
frontend/dockerfile: remove isSSHMountsSupported, isSecretMountsSupported
docs: Enable rootless for stargz-snapshotter
executor/oci: GetResolvConf(): simplify handling of resolv.conf

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-156=1

Package List:

SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
- buildkit-0.12.5-1.1
- buildkit-debuginfo-0.12.5-1.1

Security update for buildkit

Description:

Patch Instructions:

Package List:

References: