Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: d3a9befc86113228f77c89030336faa84a5557c0
https://github.com/lxc/lxc/commit/d3a9befc86113228f77c89030336faa84a5557c0
Author: Christian Brauner <christian.brau...@ubuntu.com>
Date: 2019-02-12 (Tue, 12 Feb 2019)

Changed paths:
  M src/lxc/Makefile.am
  M src/lxc/rexec.c
  A src/lxc/rexec.h
  M src/lxc/tools/lxc_attach.c

Log Message:
-----------
rexec: make rexecution opt-in for library callers

We cannot rexecute the liblxc shared library unconditionally as this would break most of our downstreams. Here are some scenarios:

- anyone performing a dlopen() on the shared library (e.g. users of the LXC Python bindings)
- LXD, as it needs to know the absolute path to its own executable based on /proc/self/exe etc.

This commit makes the rexecution of liblxc conditional on whether the LXC_MEMFD_REXEC environment variable is set or not. If it is, then liblxc is unconditionally rexecuted.

The only relevant attack vector exists for lxc-attach, which we simply reexecute unconditionally.

Reported-by: Stéphane Graber <stgra...@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


Commit: b091c341d5131e54ed4152855439b7a188d371dc
https://github.com/lxc/lxc/commit/b091c341d5131e54ed4152855439b7a188d371dc
Author: Stéphane Graber <stgra...@stgraber.org>
Date: 2019-02-12 (Tue, 12 Feb 2019)

Changed paths:
  M src/lxc/Makefile.am
  M src/lxc/rexec.c
  A src/lxc/rexec.h
  M src/lxc/tools/lxc_attach.c

Log Message:
-----------
Merge pull request #2846 from brauner/2019-02-12/CVE-2019-5736

rexec: make rexecution opt-in for library callers

Compare: https://github.com/lxc/lxc/compare/b88ccedc1e05...b091c341d513

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
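The opt-in gate described in the first commit, as an added example in C that is not LXC's own rexec.c: it reads the LXC_MEMFD_REXEC variable named in the commit message, and when re-execution is wanted it copies the running binary into a sealed anonymous memfd and re-executes from there, so the process no longer runs from a file that a container could later overwrite through /proc/self/exe. The memfd/fexecve mechanism, the EXAMPLE_REXEC_DONE marker variable that stops the loop, and all function names are assumptions made for this illustration, not taken from the commit. The `unconditional` flag models the lxc-attach case; library callers would pass 0.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Opt-in variable named in the commit message. */
#define REXEC_ENV "LXC_MEMFD_REXEC"
/* Hypothetical marker set on the re-executed copy so it does not re-exec forever. */
#define REXEC_DONE_ENV "EXAMPLE_REXEC_DONE"

/* 1 if a library caller has opted in to re-execution via the environment. */
int rexec_requested(void)
{
    const char *v = getenv(REXEC_ENV);
    return v != NULL && v[0] != '\0';
}

/* Decide whether this process should re-execute itself:
 * tools like lxc-attach pass unconditional=1, library users pass 0 and
 * are only re-executed when LXC_MEMFD_REXEC is set. Never loop once done. */
int should_rexec(int unconditional)
{
    if (getenv(REXEC_DONE_ENV) != NULL)
        return 0;               /* already running from the memfd copy */
    return unconditional || rexec_requested();
}

/* Copy /proc/self/exe into a sealed memfd; returns the fd or -1 on error. */
int copy_self_to_memfd(void)
{
    int memfd = memfd_create("rexec-example", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (memfd < 0)
        return -1;

    int exefd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (exefd < 0) {
        close(memfd);
        return -1;
    }

    char buf[65536];
    ssize_t n;
    while ((n = read(exefd, buf, sizeof(buf))) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(memfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(exefd);
                close(memfd);
                return -1;
            }
            off += w;
        }
    }
    close(exefd);
    if (n < 0) {
        close(memfd);
        return -1;
    }

    /* Seal the image: nobody, including a later opener of /proc/self/exe,
     * can change its bytes or size from now on. */
    if (fcntl(memfd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(memfd);
        return -1;
    }
    return memfd;
}

/* Sanity check used before exec: the copy must start with the ELF magic. */
int memfd_is_elf(int fd)
{
    unsigned char magic[4];
    if (pread(fd, magic, sizeof(magic), 0) != (ssize_t)sizeof(magic))
        return 0;
    return memcmp(magic, "\x7f" "ELF", 4) == 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (should_rexec(0)) {
        int fd = copy_self_to_memfd();
        if (fd >= 0 && memfd_is_elf(fd)) {
            setenv(REXEC_DONE_ENV, "1", 1);
            fexecve(fd, argv, environ);   /* only returns on failure */
            perror("fexecve");
        }
    }
    /* Show what the kernel now considers our executable. */
    char path[256];
    ssize_t len = readlink("/proc/self/exe", path, sizeof(path) - 1);
    if (len >= 0) {
        path[len] = '\0';
        printf("running from: %s\n", path);
    }
    return 0;
}
```

Run it once plainly and once with `LXC_MEMFD_REXEC=1` in the environment: the second run prints a `/memfd:rexec-example (deleted)` path instead of the on-disk binary, which is the property the fix relies on. Sealing with `MFD_ALLOW_SEALING` is what makes the copy trustworthy after the exec; a plain, unsealed memfd would only move the problem.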