Bump versions #141
Conversation
@endersonmaia is attempting to deploy a commit to the Bug Buster App Team on Vercel. A member of the Team first needs to authorize it.
I'm considering sending a PR with a distroless version using Canonical's It should be good to have a smaller image; it may reduce the attack surface.
Maybe we should also bump Ubuntu in the following files:
Could you open an issue for it, please?
About reproducibility, should I try to add locked versions to debian packages within this PR or use another one?
Yeah, I think it would be nice to work towards having reproducible builds.
I ran the tests and, for some reason, now the BusyBox exploit is not working:
ash: arithmetic syntax error
Any insights, @edubart?
Starting with See: https://snapshot.ubuntu.com/ This way we can avoid pinning the package versions, and focus on the I'll send fixups.
I removed the commit where I introduced it, rebased and squashed.
That's a shame!
I may go back to that on another PR.
tests/Dockerfile (outdated)
RUN apt-get install -y \
    build-essential \
    git \
    lua5.4-dev \
    luarocks
Why not fix these versions as well?
Will do.
sent a fixup at c41fcc6
Here is the patch that makes the BusyBox exploit still valid.
diff --git a/tests/bounties/busybox-bounty/Makefile b/tests/bounties/busybox-bounty/Makefile
index 790ee66..8fc373d 100644
--- a/tests/bounties/busybox-bounty/Makefile
+++ b/tests/bounties/busybox-bounty/Makefile
@@ -5,7 +5,7 @@ SOURCE_DIR=busybox-$(VERSION)
BOUNTY_TAR=busybox-$(VERSION)-bounty_$(ARCH).tar.xz
BOUNTY_RISCV64_TAR=busybox-$(VERSION)-bounty_riscv64.tar.xz
-HARDEN_CFLAGS=-Os -D_FORTIFY_SOURCE=2 -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections -Wno-unused-result
+HARDEN_CFLAGS=-O1 -ftrivial-auto-var-init=pattern -D_FORTIFY_SOURCE=2 -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections -Wno-unused-result
HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro,--gc-sections -s
# Use GitHub Actions cache when available
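Review bot: the reason for trading -Os for -O1 plus -ftrivial-auto-var-init=pattern on the HARDEN_CFLAGS line is recorded only in the PR comment ("makes the BusyBox exploit still valid"), so add a Makefile comment above HARDEN_CFLAGS stating that this bounty depends on this exact optimization level and stack-initialization setting; otherwise the next person tidying flags will revert it. Note also that -ftrivial-auto-var-init is accepted by GCC only from version 12, which makes the base-image bump in this PR a hard prerequisite for this line.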
diff --git a/tests/bounties/lua-bounty/Makefile b/tests/bounties/lua-bounty/Makefile
index 49708a5..9898efb 100644
--- a/tests/bounties/lua-bounty/Makefile
+++ b/tests/bounties/lua-bounty/Makefile
@@ -5,7 +5,7 @@ SOURCE_DIR=lua-$(VERSION)
BOUNTY_TAR=lua-$(VERSION)-bounty_$(ARCH).tar.xz
BOUNTY_RISCV64_TAR=lua-$(VERSION)-bounty_riscv64.tar.xz
-HARDEN_CFLAGS=-Os -D_FORTIFY_SOURCE=2 -fexceptions -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections
+HARDEN_CFLAGS=-O1 -ftrivial-auto-var-init=pattern -D_FORTIFY_SOURCE=2 -fexceptions -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections
HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro,--gc-sections -s
# Use GitHub Actions cache when available
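Review bot: this HARDEN_CFLAGS edit is now duplicated across the busybox, lua and sqlite Makefiles and the solidity Dockerfile, each with a slightly different tail (-fexceptions only here, -Wno-unused-result only for busybox and solidity); consider defining the common hardening flags once in a shared include (for example a common.mk) and appending the per-bounty extras, so a future flag change cannot leave one bounty built with a different setting.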
diff --git a/tests/bounties/solidity-bounty/Dockerfile b/tests/bounties/solidity-bounty/Dockerfile
index 4e78a40..e6a5407 100644
--- a/tests/bounties/solidity-bounty/Dockerfile
+++ b/tests/bounties/solidity-bounty/Dockerfile
@@ -36,6 +36,8 @@ ARG VERSION
RUN wget -O solidity-${VERSION}.tar.gz https://github.com/ethereum/solidity/releases/download/v${VERSION}/solidity_${VERSION}.tar.gz
RUN tar xzf solidity-${VERSION}.tar.gz
COPY --from=boost-builder /opt/boost /opt/boost
+ENV CFLAGS="-O1 -ftrivial-auto-var-init=pattern -D_FORTIFY_SOURCE=2 -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections -Wno-unused-result"
+ENV CXXFLAGS=$CFLAGS
RUN cmake \
-S solidity_${VERSION} \
-B solidity_${VERSION}/build \
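Review bot: the two new ENV lines set compiler flags only, whereas the Makefile hunks pair HARDEN_CFLAGS with HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro; add a matching `ENV LDFLAGS="-pie -Wl,-z,now,-z,relro"` here unless those link options are passed elsewhere in the cmake invocation, since cmake initializes its C/C++ and linker flags from the CFLAGS, CXXFLAGS and LDFLAGS environment on the first configure of the fresh -B directory. Keep `ENV CXXFLAGS=$CFLAGS` as a separate instruction: it resolves only because CFLAGS was set by the preceding ENV, and folding both into one ENV line would leave CXXFLAGS empty.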
diff --git a/tests/bounties/sqlite-bounty/Makefile b/tests/bounties/sqlite-bounty/Makefile
index 3e44e1b..cd86918 100644
--- a/tests/bounties/sqlite-bounty/Makefile
+++ b/tests/bounties/sqlite-bounty/Makefile
@@ -6,7 +6,7 @@ BOUNTY_TAR=sqlite-$(VERSION)-bounty_$(ARCH).tar.xz
BOUNTY_RISCV64_TAR=sqlite-$(VERSION)-bounty_riscv64.tar.xz
CC=gcc
-HARDEN_CFLAGS=-Os -D_FORTIFY_SOURCE=2 -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections
+HARDEN_CFLAGS=-O1 -ftrivial-auto-var-init=pattern -D_FORTIFY_SOURCE=2 -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections
HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro,--gc-sections
SQLITE_CFLAGS=-DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION
SQLITE_LDFLAGS=-lm -s |
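Review bot: with -O1 instead of -Os, -D_FORTIFY_SOURCE=2 on the HARDEN_CFLAGS line still takes effect (it requires at least -O1), but `CC=gcc` on the line above is unversioned while -ftrivial-auto-var-init=pattern is only understood by GCC 12 and later; pin or check the compiler version so an older toolchain fails with a clear message instead of an unrecognized-option error. The same applies to the busybox and lua Makefiles.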
Can you rebase, to trigger the new CI on PRs?
- lock baseimage to ubuntu:noble-20240801
- avoid using apt upgrade -y
- lock version of all packages installed via apt

It's not guaranteed since apt update will bring the current state of the remote mirror used and because of that the dependencies for the installed packages can change between runs.
Co-authored-by: Guilherme Dantas <[email protected]>
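The pinning strategy from the commit message, together with the snapshot.ubuntu.com approach mentioned earlier in the thread, applied to the package list from the tests/Dockerfile review snippet. This is an added example, not a file from the Bug Buster repository; the snapshot id and every PLACEHOLDER_VERSION are assumptions, and the use of apt's Snapshot option assumes apt 2.7 or newer as shipped in the noble base image.

```dockerfile
# Added example (not from the project): deterministic apt installs for the
# test image. Base image pinned to a dated tag, as in the commit message.
FROM ubuntu:noble-20240801

# Archive snapshot id (assumed; PLACEHOLDER, pick a real id from
# https://snapshot.ubuntu.com/). Fixing the index that `apt-get update`
# reads is what stops dependency versions drifting between runs, which
# pinning only the directly installed packages does not guarantee.
ARG SNAPSHOT=20240801T000000Z

# Direct packages with explicit version pins (versions are PLACEHOLDERS).
# No `apt-get upgrade`, so the image content is decided by this file alone.
ARG PKGS="build-essential=PLACEHOLDER_VERSION git=PLACEHOLDER_VERSION lua5.4-dev=PLACEHOLDER_VERSION luarocks=PLACEHOLDER_VERSION"

# ARG values are visible to the shell in RUN, so ${SNAPSHOT} and ${PKGS}
# expand there; apt refuses a pin whose version is not in the index, so
# a stale placeholder fails the build instead of silently installing
# something else.
RUN apt-get -o Snapshot=${SNAPSHOT} update \
 && apt-get -o Snapshot=${SNAPSHOT} install -y --no-install-recommends ${PKGS} \
 && rm -rf /var/lib/apt/lists/*

# Record the full installed set (direct packages and resolved dependencies)
# so two builds can be diffed; ${Package}/${Version} are dpkg-query format
# fields, kept in single quotes so the shell does not expand them.
RUN dpkg-query -W -f='${Package}=${Version}\n' | sort > /usr/share/doc/apt-manifest.txt
```

Diffing /usr/share/doc/apt-manifest.txt between two builds shows exactly which transitive package moved when a build stops being reproducible.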
I think the CI is failing because you opened a PR from your fork under
I'll need to create another PR.
Replaced by #148
Since Ubuntu released official riscv64 container images for 24.04, I suggest bumping its versions.
Also bumped cartesi/sdk and golang.
I just built but didn't test if everything worked.