From 01dc9f6ec07e8340e43011c1c6ed4fe91cc6fbfdd2bd91b1c8b6686c91ca9a94 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Tue, 14 Jan 2020 04:49:43 +0000
Subject: [PATCH 1/2] Accepting request 764148 from home:cyphar:docker

- Add backported fix for CVE-2019-19921.
  + CVE-2019-19921.patch

OBS-URL: https://build.opensuse.org/request/show/764148
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=83
---
 CVE-2019-19921.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
 runc.changes | 6 ++++++
 runc.spec | 8 +++++--
 3 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2019-19921.patch

diff --git a/CVE-2019-19921.patch b/CVE-2019-19921.patch
new file mode 100644
index 0000000..713e246
--- /dev/null
+++ b/CVE-2019-19921.patch
@@ -0,0 +1,50 @@
+From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Sat, 21 Dec 2019 23:40:17 +1100
+Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
+
+mount(2) will blindly follow symlinks, which is a problem because it
+allows a malicious container to trick runc into mounting /proc to an
+entirely different location (and thus within the attacker's control for
+a rename-exchange attack).
+
+This is just a hotfix (to "stop the bleeding"), and the more complete
+fix would be finish libpathrs and port runc to it (to avoid these types
+of attacks entirely, and defend against a variety of other /proc-related
+attacks). It can be bypased by someone having "/" be a volume controlled
+by another container.
+
+Fixes: CVE-2019-19921
+Signed-off-by: Aleksa Sarai
+---
+ libcontainer/rootfs_linux.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 291021440a1a..6bc0747f9f7e 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+ 
+ 	switch m.Device {
+ 	case "proc", "sysfs":
++		// If the destination already exists and is not a directory, we remove
++		// it. This is to avoid mounting through a symlink or similar -- which
++		// has been a "fun" attack scenario in the past.
++		// TODO: This won't be necessary once we switch to libpathrs and we can
++		// stop all of these symlink-exchange attacks.
++		if fi, err := os.Lstat(dest); err != nil {
++			if !os.IsNotExist(err) {
++				return err
++			}
++		} else if fi.Mode()&os.ModeDir == 0 {
++			if err := os.Remove(dest); err != nil {
++				return err
++			}
++		}
+ 		if err := os.MkdirAll(dest, 0755); err != nil {
+ 			return err
+ 		}
+-- 
+2.24.1
+
diff --git a/runc.changes b/runc.changes
index e112ae2..c2fee47 100644
--- a/runc.changes
+++ b/runc.changes
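Review bot: The new Lstat/Remove/MkdirAll sequence in the "proc", "sysfs" case is not atomic with the mount(2) call the commit message says follows it (not in the hunk), so it only clears a symlink that is already sitting at `dest`; a process that can write to the rootfs can still rename-exchange a symlink into place after the check and before the mount, which the message itself concedes for the "/"-as-controlled-volume case. The check also inspects only the final path component: a symlink in an intermediate component of `dest` is followed by `os.Lstat` and by the mount alike, so the backport presumably relies on `dest` having been resolved against the rootfs earlier in mountToRootfs — worth confirming that resolution exists in the runc version this package builds, since that code is not visible here. I would state the residual window explicitly instead of leaving it implied by the TODO, e.g. `// NOTE: still racy -- a symlink swapped in between this check and the mount(2) below is followed; the complete fix needs libpathrs (see commit message).`. mountToRootfs begins and ends outside the hunk.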
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai
+
+- Add backported fix for CVE-2019-19921.
+  + CVE-2019-19921.patch
+
 -------------------------------------------------------------------
 Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai
 
diff --git a/runc.spec b/runc.spec
index 5e7cbc2..d51231a 100644
--- a/runc.spec
+++ b/runc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package runc
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -46,11 +46,13 @@ Release: 0
 Summary: Tool for spawning and running OCI containers
 License: Apache-2.0
 Group: System/Management
-Url: https://github.com/opencontainers/runc
+URL: https://github.com/opencontainers/runc
 Source0: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz#/runc-%{_version}.tar.xz
 Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2: runc.keyring
 Source3: runc-rpmlintrc
+# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207.
+Patch1: CVE-2019-19921.patch
 BuildRequires: fdupes
 BuildRequires: go-go-md2man
 BuildRequires: golang(API) = %{go_version}
@@ -85,6 +87,8 @@ Test package for runc. It contains the source code and the tests.
 
 %prep
 %setup -q -n %{name}-%{_version}
+# CVE-2019-19921
+%patch1 -p1
 
 %build
 # Do not use symlinks. If you want to run the unit tests for this package at
From 8fefd473fa9426e16cce8c32f2397603f58d20942e222ab3a58f746eeef12573 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Wed, 15 Jan 2020 14:07:23 +0000
Subject: [PATCH 2/2] Accepting request 764682 from home:cyphar:docker

Add bug reference for CVE-2019-19921.

OBS-URL: https://build.opensuse.org/request/show/764682
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=84
---
 runc.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runc.changes b/runc.changes
index c2fee47..aae49bb 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai
 
-- Add backported fix for CVE-2019-19921.
+- Add backported fix for CVE-2019-19921. bsc#1160452
   + CVE-2019-19921.patch
 
 -------------------------------------------------------------------