Accepting request 764685 from Virtualization:containers
CVE-2019-19921 OBS-URL: https://build.opensuse.org/request/show/764685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/runc?expand=0&rev=25
commit
fc1984a25f
50
CVE-2019-19921.patch
Normal file
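--- /dev/null
+++ b/CVE-2019-19921.patch
@@ -0,0 +1,50 @@
+From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Sat, 21 Dec 2019 23:40:17 +1100
+Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
+
+mount(2) will blindly follow symlinks, which is a problem because it
+allows a malicious container to trick runc into mounting /proc to an
+entirely different location (and thus within the attacker's control for
+a rename-exchange attack).
+
+This is just a hotfix (to "stop the bleeding"), and the more complete
+fix would be finish libpathrs and port runc to it (to avoid these types
+of attacks entirely, and defend against a variety of other /proc-related
+attacks). It can be bypased by someone having "/" be a volume controlled
+by another container.
+
+Fixes: CVE-2019-19921
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+libcontainer/rootfs_linux.go | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 291021440a1a..6bc0747f9f7e 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+
+switch m.Device {
+case "proc", "sysfs":
++ // If the destination already exists and is not a directory, we remove
++ // it. This is to avoid mounting through a symlink or similar -- which
++ // has been a "fun" attack scenario in the past.
++ // TODO: This won't be necessary once we switch to libpathrs and we can
++ // stop all of these symlink-exchange attacks.
++ if fi, err := os.Lstat(dest); err != nil {
++ if !os.IsNotExist(err) {
++ return err
++ }
++ } else if fi.Mode()&os.ModeDir == 0 {
++ if err := os.Remove(dest); err != nil {
++ return err
++ }
++ }
+if err := os.MkdirAll(dest, 0755); err != nil {
+return err
+}
+--
+2.24.1
+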
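Review bot: The new Lstat/Remove sequence in the `case "proc", "sysfs":` branch inspects only the final component of dest and is separated from the following MkdirAll and the mount itself by a window in which the path can change, so the in-code comment should state that limitation rather than leaving it to the commit message; something like `// NOTE: only the last component of dest is checked here and the check is not atomic with the mount; a parent directory under container control can still redirect it (see commit message) -- libpathrs is the complete fix.` The two bare `return err` lines drop the path that could not be stat'ed or removed, which makes a failed /proc or /sys mount hard to attribute from the runc error alone; wrapping them with dest in whatever error style rootfs_linux.go already uses would help. As a style point, `fi.Mode()&os.ModeDir == 0` reads more directly as `!fi.IsDir()`. mountToRootfs begins before and continues past this hunk, so whether the other device types in the same switch create dest with the same MkdirAll pattern (and would benefit from the same guard) cannot be judged from here.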
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Add backported fix for CVE-2019-19921. bsc#1160452
|
||||
+ CVE-2019-19921.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package runc
|
||||
#
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -46,11 +46,13 @@ Release: 0
|
||||
Summary: Tool for spawning and running OCI containers
|
||||
License: Apache-2.0
|
||||
Group: System/Management
|
||||
Url: https://github.com/opencontainers/runc
|
||||
URL: https://github.com/opencontainers/runc
|
||||
Source0: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz#/runc-%{_version}.tar.xz
|
||||
Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
|
||||
Source2: runc.keyring
|
||||
Source3: runc-rpmlintrc
|
||||
# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207.
|
||||
Patch1: CVE-2019-19921.patch
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: go-go-md2man
|
||||
BuildRequires: golang(API) = %{go_version}
|
||||
@ -85,6 +87,8 @@ Test package for runc. It contains the source code and the tests.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{_version}
|
||||
# CVE-2019-19921
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
# Do not use symlinks. If you want to run the unit tests for this package at
|
||||
|