Accepting request 765103 from home:cyphar:docker

- Update CVE-2019-19921 patch to match upstream PR. * CVE-2019-19921.patch OBS-URL: https://build.opensuse.org/request/show/765103 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=86
2020-01-17 03:34:42 +00:00 · 2020-01-17 03:34:42 +00:00 · 8a0d82c468
commit 8a0d82c468
parent 8fefd473fa
2 changed files with 14 additions and 10 deletions
--- a/CVE-2019-19921.patch
+++ b/CVE-2019-19921.patch
@ -1,4 +1,4 @@
-From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001
+From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sat, 21 Dec 2019 23:40:17 +1100
 Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
@ -17,19 +17,19 @@ by another container.
 Fixes: CVE-2019-19921
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
- libcontainer/rootfs_linux.go | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
+ libcontainer/rootfs_linux.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)

 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 291021440a1a..6bc0747f9f7e 100644
+index 291021440a1a..106c4c2b98bf 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
-@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 
 	switch m.Device {
 	case "proc", "sysfs":
-+		// If the destination already exists and is not a directory, we remove
-+		// it. This is to avoid mounting through a symlink or similar -- which
+		// If the destination already exists and is not a directory, we bail
+		// out This is to avoid mounting through a symlink or similar -- which
 +		// has been a "fun" attack scenario in the past.
 +		// TODO: This won't be necessary once we switch to libpathrs and we can
 +		//       stop all of these symlink-exchange attacks.
@ -38,9 +38,7 @@ index 291021440a1a..6bc0747f9f7e 100644
 +				return err
 +			}
 +		} else if fi.Mode()&os.ModeDir == 0 {
-+			if err := os.Remove(dest); err != nil {
-+				return err
-+			}
+			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
 +		}
 		if err := os.MkdirAll(dest, 0755); err != nil {
 			return err
--- a/runc.changes
+++ b/runc.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Update CVE-2019-19921 patch to match upstream PR.
+  * CVE-2019-19921.patch
+
 -------------------------------------------------------------------
 Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>