diff --git a/CVE-2019-19921.patch b/CVE-2019-19921.patch
deleted file mode 100644
index bca128c..0000000
--- a/CVE-2019-19921.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai
-Date: Sat, 21 Dec 2019 23:40:17 +1100
-Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
-
-mount(2) will blindly follow symlinks, which is a problem because it
-allows a malicious container to trick runc into mounting /proc to an
-entirely different location (and thus within the attacker's control for
-a rename-exchange attack).
-
-This is just a hotfix (to "stop the bleeding"), and the more complete
-fix would be finish libpathrs and port runc to it (to avoid these types
-of attacks entirely, and defend against a variety of other /proc-related
-attacks). It can be bypased by someone having "/" be a volume controlled
-by another container.
-
-Fixes: CVE-2019-19921
-Signed-off-by: Aleksa Sarai
---
- libcontainer/rootfs_linux.go | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 291021440a1a..106c4c2b98bf 100644
---- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
-
- switch m.Device {
- case "proc", "sysfs":
-+ // If the destination already exists and is not a directory, we bail
-+ // out This is to avoid mounting through a symlink or similar -- which
-+ // has been a "fun" attack scenario in the past.
-+ // TODO: This won't be necessary once we switch to libpathrs and we can
-+ // stop all of these symlink-exchange attacks.
-+ if fi, err := os.Lstat(dest); err != nil {
-+ if !os.IsNotExist(err) {
-+ return err
-+ }
-+ } else if fi.Mode()&os.ModeDir == 0 {
-+ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
-+ }
- if err := os.MkdirAll(dest, 0755); err != nil {
- return err
- }
---
-2.24.1
-
diff --git a/runc-1.0.0-rc10.tar.xz b/runc-1.0.0-rc10.tar.xz
new file mode 100644
index 0000000..43fb692
--- /dev/null
+++ b/runc-1.0.0-rc10.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c823307ce8695af05381c5c25a92daacd6219c674d8bebaa0e1bff801c2b1f24
+size 743480
diff --git a/runc-1.0.0-rc10.tar.xz.asc b/runc-1.0.0-rc10.tar.xz.asc
new file mode 100644
index 0000000..d238a72
--- /dev/null
+++ b/runc-1.0.0-rc10.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl4pJHYPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420DgkP/2zEWRsjx/qNMFnwOo6yYy+sGeQn8KMmEQRD
+9OpX+mF6BtIMICQ9ocenYjTkwzd7UVq4SC1VXFKBZQgchlH4X+5RT89AUiFePRsi
+jsEP5Cwr/5xDBhW6gvwh5V1Z+XzdxTb4lNuodoFm0OucNoFGp7vCbKmfgxqY/m66
+9R23tKouot0y6q1sSBG2lLwwmj7JAQboxtVA+dTEzmhnEyfh0UzBlJKDW1I79mbE
+NeD1r/Rh/NVrJL6HaKfXhdVvITVyeabQLBgj0Y/JYVCWMfyXnz7sBJQ7lrwtVV+P
+9qROtwSu15vOLi9d2u+U8SwjAmDz01kLH3rYji/Xtie3xk8i/8yD9q8lFjA3fbu5
+IOs1vogsWt6yMWRnXHWbBxMmtOw+RQJ/gyUpCJE5MeMQNHPsZ6wYbMXTfzdqFnse
+bTkOHPPIRqnK6mDT0b3CoS7Ugi8qZs2lZ8CvVoOeTqaCMb5SIWehF7jIbo0ECzGf
+TQ0cZ982M03Rm4NjI7G5SCKIpJPEtOYS0NauOn6oqdDON9qCJVZdecCfdWYdEO1n
+ikpea7Ahc5x0g9p0WF+HsewvqpMpWUdCsVmLPiwJrBG2GFOC3oPvB2vjKUk28ix1
+3B7v3JS/XHlokRPMEkJn+zR7CVWchaT7Ov+3AHM9VCjk5dgNdADF3y7DYG8Q/ccV
+TZGdkemL
+=UoY/
+-----END PGP SIGNATURE-----
diff --git a/runc-1.0.0-rc9.tar.xz b/runc-1.0.0-rc9.tar.xz
deleted file mode 100644
index 081bbe4..0000000
--- a/runc-1.0.0-rc9.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2f1c7ebac67c779affe2bb4370bba44b08ed280144ba58c86219186e303832ba
-size 711184
diff --git a/runc-1.0.0-rc9.tar.xz.asc b/runc-1.0.0-rc9.tar.xz.asc
deleted file mode 100644
index 26eb25b..0000000
--- a/runc-1.0.0-rc9.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl2SMNUPHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420L3MP/jX4BABEWVD2oF5PsqB9MadkngQ85ZfJPr8w
-0g9UcangIIJsx8vSt22qQbWMcyZH5rZ89NPIs6+xoRhRVJWA1ByPJpGnx+/7p25z
-S5hCe753rs51MczvYbRLlWCl4BuHeXsJb+FHvUI70G8WyZNZuS+4bdJTpWWTL8u4
-P/9MTvKWsVp5BdI4k3h/OXD1i4GT/9nZFCKG9wfuBWGwp5po8/Izi+tZ0ZN9RZMG
-Lz2YaS/Z5cP+OSKepyCXXzlhx0+eeQ5NrjK/DQirwA4jzR1NAVKJd6npJSglra6q
-3FGDdNGf+Kod3IaCStnRaZU/gHjJLIWO6rtAQy2aZDB73eHcqG3B9xoPRuWSLzdY
-uJO2xdh/wI69md2qtxBnP2EGZi2y7s5sp2FHbYV8gkBluynak6Ig3WAaewHm9mx1
-NpwIV+YuSoSwb+s+jxGg1y3pV6UaeraYYy1G3Zv+94vj7fIfRpmtRyjhhKU38sOp
-6jjIGLEnXof7tij09sIwZAdRugJUP8aT6xA05/JAo+kT2ooXEAYC3P5OMUhULX7k
-LIflH3Znq/ZFKBH8kKxghQ+Iwy5yzfGiCJd2lWfZ631L5md6WSPtTFabcGhgOc43
-CrF5bU0bkgokyNLqc7y80ou0uGyC3c5f4SB7cf/Jq6Jvo4EgTLWAzYBY5bTZ1zv6
-xl2XtUcX
-=Aezk
------END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
index 8b0c88f..8825f86 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jan 23 17:18:05 UTC 2020 - Aleksa Sarai
+
+- Upgrade to runc v1.0.0~rc10. Upstream changelog is available from
+ https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10
+- Drop upstreamed patches:
+ - CVE-2019-19921.patch
+
 -------------------------------------------------------------------
 Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai
diff --git a/runc.spec b/runc.spec
index d51231a..5f67208 100644
--- a/runc.spec
+++ b/runc.spec
@@ -24,7 +24,7 @@
 # Package-wide golang version
 %define go_version 1.10
 %define go_tool go
-%define _version 1.0.0-rc9
+%define _version 1.0.0-rc10
 %define project github.com/opencontainers/runc
 # enable libseccomp for sle >= sle12sp2
@@ -41,7 +41,7 @@
 %endif
 Name: runc
-Version: 1.0.0~rc9
+Version: 1.0.0~rc10
 Release: 0
 Summary: Tool for spawning and running OCI containers
 License: Apache-2.0
@@ -51,8 +51,6 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2: runc.keyring
 Source3: runc-rpmlintrc
-# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207.
-Patch1: CVE-2019-19921.patch
 BuildRequires: fdupes
 BuildRequires: go-go-md2man
 BuildRequires: golang(API) = %{go_version}
@@ -87,8 +85,6 @@ Test package for runc. It contains the source code and the tests.
 %prep
 %setup -q -n %{name}-%{_version}
-# CVE-2019-19921
-%patch1 -p1
 %build
 # Do not use symlinks. If you want to run the unit tests for this package at