Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-01-19 20:52:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-runc" Sun Jan 19 20:52:39 2020 rev:21 rq:764687 version:1.0.0rc8+gitr3917_3e425f80a8c9 Changes: -------- --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-10-23 15:47:16.114462304 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.26092/docker-runc.changes 2020-01-19 20:53:20.531921176 +0100 @@ -1,0 +2,6 @@ +Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asa...@suse.com> + +- Add backported fix for CVE-2019-19921. bsc#1160452 + + CVE-2019-19921.patch + +------------------------------------------------------------------- New: ---- CVE-2019-19921.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker-runc.spec ++++++ --- /var/tmp/diff_new_pack.Qk9OHq/_old 2020-01-19 20:53:21.535921704 +0100 +++ /var/tmp/diff_new_pack.Qk9OHq/_new 2020-01-19 20:53:21.535921704 +0100 @@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -48,11 +48,13 @@ Summary: Tool for spawning and running OCI containers License: Apache-2.0 Group: System/Management -Url: https://github.com/opencontainers/runc +URL: https://github.com/opencontainers/runc Source: %{realname}-git.%{git_short}.tar.xz Source1: %{realname}-rpmlintrc # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2130. Patch1: CVE-2019-16884.patch +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207. +Patch2: CVE-2019-19921.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel 
@@ -91,6 +93,8 @@ %setup -q -n %{realname}-git.%{git_short} # CVE-2019-16884 bsc#1152308 %patch1 -p1 +# CVE-2019-19921 +%patch2 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++++++ CVE-2019-19921.patch ++++++ >From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Sat, 21 Dec 2019 23:40:17 +1100 Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories mount(2) will blindly follow symlinks, which is a problem because it allows a malicious container to trick runc into mounting /proc to an entirely different location (and thus within the attacker's control for a rename-exchange attack). This is just a hotfix (to "stop the bleeding"), and the more complete fix would be to finish libpathrs and port runc to it (to avoid these types of attacks entirely, and defend against a variety of other /proc-related attacks). It can be bypassed by someone having "/" be a volume controlled by another container. Fixes: CVE-2019-19921 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- libcontainer/rootfs_linux.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go index 291021440a1a..6bc0747f9f7e 100644 --- a/libcontainer/rootfs_linux.go +++ b/libcontainer/rootfs_linux.go 
@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b switch m.Device { case "proc", "sysfs": + // If the destination already exists and is not a directory, we remove + // it. This is to avoid mounting through a symlink or similar -- which + // has been a "fun" attack scenario in the past. + // TODO: This won't be necessary once we switch to libpathrs and we can + // stop all of these symlink-exchange attacks. + if fi, err := os.Lstat(dest); err != nil { + if !os.IsNotExist(err) { + return err + } + } else if fi.Mode()&os.ModeDir == 0 { + if err := os.Remove(dest); err != nil { + return err + } + } if err := os.MkdirAll(dest, 0755); err != nil { return err } -- 2.24.1
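Review bot: In the docker-runc.spec `%setup` hunk (`@@ -91,6 +93,8 @@`), the new comment `# CVE-2019-19921` above `%patch2 -p1` carries no bug reference, while the neighbouring `# CVE-2019-16884 bsc#1152308` line does; suggest `# CVE-2019-19921 bsc#1160452` so the spec matches the changelog entry and the Patch1/%patch1 convention, and a reader of the spec alone can see why the backport is applied.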
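Review bot: In the `libcontainer/rootfs_linux.go` hunk, the `os.Lstat(dest)` / `os.Remove(dest)` guard only inspects the final path component of `dest`; a symlink in any parent component is still followed by the `os.MkdirAll(dest, 0755)` that immediately follows and by the subsequent mount, and there is a window between the `Lstat` and the mount in which `dest` can be swapped again. The commit message records both limits (a hotfix, bypassable when "/" is a volume another container controls, with libpathrs as the complete fix), but the in-code comment only says the check avoids "mounting through a symlink or similar"; suggest the comment state explicitly that only the last component is checked and that the check is not race-free, so nobody later reads this as a full defence. Two smaller points: `os.Remove` on a symlink unlinks the link rather than its target, which is the intended behaviour here and worth a one-line comment; and if `dest` is a regular file or symlink that the image legitimately shipped, it is now silently deleted rather than reported, so a log line at that point would make the behaviour observable during incident review.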