Accepting request 765103 from home:cyphar:docker
- Update CVE-2019-19921 patch to match upstream PR. * CVE-2019-19921.patch OBS-URL: https://build.opensuse.org/request/show/765103 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=86
This commit is contained in:
Aleksa Sarai
Git OBS Bridge
parent
8fefd473fa
commit
8a0d82c468
@ -1,4 +1,4 @@
|
|||||||
From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001
|
From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Sat, 21 Dec 2019 23:40:17 +1100
|
Date: Sat, 21 Dec 2019 23:40:17 +1100
|
||||||
Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
|
Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
|
||||||
@ -17,19 +17,19 @@ by another container.
|
|||||||
Fixes: CVE-2019-19921
|
Fixes: CVE-2019-19921
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
libcontainer/rootfs_linux.go | 14 ++++++++++++++
|
libcontainer/rootfs_linux.go | 12 ++++++++++++
|
||||||
1 file changed, 14 insertions(+)
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
|
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
|
||||||
index 291021440a1a..6bc0747f9f7e 100644
|
index 291021440a1a..106c4c2b98bf 100644
|
||||||
--- a/libcontainer/rootfs_linux.go
|
--- a/libcontainer/rootfs_linux.go
|
||||||
+++ b/libcontainer/rootfs_linux.go
|
+++ b/libcontainer/rootfs_linux.go
|
||||||
@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
|
@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
|
||||||
|
|
||||||
switch m.Device {
|
switch m.Device {
|
||||||
case "proc", "sysfs":
|
case "proc", "sysfs":
|
||||||
+ // If the destination already exists and is not a directory, we remove
|
+ // If the destination already exists and is not a directory, we bail
|
||||||
+ // it. This is to avoid mounting through a symlink or similar -- which
|
+ // out This is to avoid mounting through a symlink or similar -- which
|
||||||
+ // has been a "fun" attack scenario in the past.
|
+ // has been a "fun" attack scenario in the past.
|
||||||
+ // TODO: This won't be necessary once we switch to libpathrs and we can
|
+ // TODO: This won't be necessary once we switch to libpathrs and we can
|
||||||
+ // stop all of these symlink-exchange attacks.
|
+ // stop all of these symlink-exchange attacks.
|
||||||
@ -38,9 +38,7 @@ index 291021440a1a..6bc0747f9f7e 100644
|
|||||||
+ return err
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
+ } else if fi.Mode()&os.ModeDir == 0 {
|
+ } else if fi.Mode()&os.ModeDir == 0 {
|
||||||
+ if err := os.Remove(dest); err != nil {
|
+ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
|
||||||
+ return err
|
|
||||||
+ }
|
|
||||||
+ }
|
+ }
|
||||||
if err := os.MkdirAll(dest, 0755); err != nil {
|
if err := os.MkdirAll(dest, 0755); err != nil {
|
||||||
return err
|
return err
|
||||||
|
|||||||
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Update CVE-2019-19921 patch to match upstream PR.
|
||||||
|
* CVE-2019-19921.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>
|
Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user