Accepting request 766725 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/766725
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/runc?expand=0&rev=27

CVE-2019-19921.patch

@@ -1,48 +0,0 @@
-From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Sat, 21 Dec 2019 23:40:17 +1100
-Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
-
-mount(2) will blindly follow symlinks, which is a problem because it
-allows a malicious container to trick runc into mounting /proc to an
-entirely different location (and thus within the attacker's control for
-a rename-exchange attack).
-
-This is just a hotfix (to "stop the bleeding"), and the more complete
-fix would be finish libpathrs and port runc to it (to avoid these types
-of attacks entirely, and defend against a variety of other /proc-related
-attacks). It can be bypased by someone having "/" be a volume controlled
-by another container.
-
-Fixes: CVE-2019-19921
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- libcontainer/rootfs_linux.go | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 291021440a1a..106c4c2b98bf 100644
---- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
- 
- 	switch m.Device {
- 	case "proc", "sysfs":
-+		// If the destination already exists and is not a directory, we bail
-+		// out This is to avoid mounting through a symlink or similar -- which
-+		// has been a "fun" attack scenario in the past.
-+		// TODO: This won't be necessary once we switch to libpathrs and we can
-+		//       stop all of these symlink-exchange attacks.
-+		if fi, err := os.Lstat(dest); err != nil {
-+			if !os.IsNotExist(err) {
-+				return err
-+			}
-+		} else if fi.Mode()&os.ModeDir == 0 {
-+			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
-+		}
- 		if err := os.MkdirAll(dest, 0755); err != nil {
- 			return err
- 		}
--- 
-2.24.1
-

runc-1.0.0-rc10.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c823307ce8695af05381c5c25a92daacd6219c674d8bebaa0e1bff801c2b1f24
+size 743480

runc-1.0.0-rc10.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl4pJHYPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420DgkP/2zEWRsjx/qNMFnwOo6yYy+sGeQn8KMmEQRD
+9OpX+mF6BtIMICQ9ocenYjTkwzd7UVq4SC1VXFKBZQgchlH4X+5RT89AUiFePRsi
+jsEP5Cwr/5xDBhW6gvwh5V1Z+XzdxTb4lNuodoFm0OucNoFGp7vCbKmfgxqY/m66
+9R23tKouot0y6q1sSBG2lLwwmj7JAQboxtVA+dTEzmhnEyfh0UzBlJKDW1I79mbE
+NeD1r/Rh/NVrJL6HaKfXhdVvITVyeabQLBgj0Y/JYVCWMfyXnz7sBJQ7lrwtVV+P
+9qROtwSu15vOLi9d2u+U8SwjAmDz01kLH3rYji/Xtie3xk8i/8yD9q8lFjA3fbu5
+IOs1vogsWt6yMWRnXHWbBxMmtOw+RQJ/gyUpCJE5MeMQNHPsZ6wYbMXTfzdqFnse
+bTkOHPPIRqnK6mDT0b3CoS7Ugi8qZs2lZ8CvVoOeTqaCMb5SIWehF7jIbo0ECzGf
+TQ0cZ982M03Rm4NjI7G5SCKIpJPEtOYS0NauOn6oqdDON9qCJVZdecCfdWYdEO1n
+ikpea7Ahc5x0g9p0WF+HsewvqpMpWUdCsVmLPiwJrBG2GFOC3oPvB2vjKUk28ix1
+3B7v3JS/XHlokRPMEkJn+zR7CVWchaT7Ov+3AHM9VCjk5dgNdADF3y7DYG8Q/ccV
+TZGdkemL
+=UoY/
+-----END PGP SIGNATURE-----

runc-1.0.0-rc9.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2f1c7ebac67c779affe2bb4370bba44b08ed280144ba58c86219186e303832ba
-size 711184

runc-1.0.0-rc9.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl2SMNUPHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420L3MP/jX4BABEWVD2oF5PsqB9MadkngQ85ZfJPr8w
-0g9UcangIIJsx8vSt22qQbWMcyZH5rZ89NPIs6+xoRhRVJWA1ByPJpGnx+/7p25z
-S5hCe753rs51MczvYbRLlWCl4BuHeXsJb+FHvUI70G8WyZNZuS+4bdJTpWWTL8u4
-P/9MTvKWsVp5BdI4k3h/OXD1i4GT/9nZFCKG9wfuBWGwp5po8/Izi+tZ0ZN9RZMG
-Lz2YaS/Z5cP+OSKepyCXXzlhx0+eeQ5NrjK/DQirwA4jzR1NAVKJd6npJSglra6q
-3FGDdNGf+Kod3IaCStnRaZU/gHjJLIWO6rtAQy2aZDB73eHcqG3B9xoPRuWSLzdY
-uJO2xdh/wI69md2qtxBnP2EGZi2y7s5sp2FHbYV8gkBluynak6Ig3WAaewHm9mx1
-NpwIV+YuSoSwb+s+jxGg1y3pV6UaeraYYy1G3Zv+94vj7fIfRpmtRyjhhKU38sOp
-6jjIGLEnXof7tij09sIwZAdRugJUP8aT6xA05/JAo+kT2ooXEAYC3P5OMUhULX7k
-LIflH3Znq/ZFKBH8kKxghQ+Iwy5yzfGiCJd2lWfZ631L5md6WSPtTFabcGhgOc43
-CrF5bU0bkgokyNLqc7y80ou0uGyC3c5f4SB7cf/Jq6Jvo4EgTLWAzYBY5bTZ1zv6
-xl2XtUcX
-=Aezk
------END PGP SIGNATURE-----

runc.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jan 23 17:18:05 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc10. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10
+- Drop upstreamed patches:
+  - CVE-2019-19921.patch
+
 -------------------------------------------------------------------
 Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>
 

runc.spec

@@ -24,7 +24,7 @@
 # Package-wide golang version
 %define go_version 1.10
 %define go_tool go
-%define _version 1.0.0-rc9
+%define _version 1.0.0-rc10
 %define project github.com/opencontainers/runc
 
 # enable libseccomp for sle >= sle12sp2
@@ -41,7 +41,7 @@
 %endif
 
 Name:           runc
-Version:        1.0.0~rc9
+Version:        1.0.0~rc10
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@@ -51,8 +51,6 @@ Source0:        https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2:        runc.keyring
 Source3:        runc-rpmlintrc
-# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207.
-Patch1:         CVE-2019-19921.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 BuildRequires:  golang(API) = %{go_version}
@@ -87,8 +85,6 @@ Test package for runc. It contains the source code and the tests.
 
 %prep
 %setup -q -n %{name}-%{_version}
-# CVE-2019-19921
-%patch1 -p1
 
 %build
 # Do not use symlinks. If you want to run the unit tests for this package at