Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-01-21 20:58:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-runc"

Tue Jan 21 20:58:22 2020 rev:22 rq:765630 version:1.0.0rc8+gitr3917_3e425f80a8c9

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2020-01-19 20:53:20.531921176 +0100
+++ /work/SRC/openSUSE:Factory/.docker-runc.new.26092/docker-runc.changes 2020-01-21 20:58:33.848798577 +0100
@@ -1,0 +2,6 @@
+Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asa...@suse.com>
+
+- Update CVE-2019-19921 patch to match upstream PR.
+ * CVE-2019-19921.patch
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ CVE-2019-19921.patch ++++++
--- /var/tmp/diff_new_pack.E1BJor/_old 2020-01-21 20:58:36.000799580 +0100
+++ /var/tmp/diff_new_pack.E1BJor/_new 2020-01-21 20:58:36.012799586 +0100
@@ -1,4 +1,4 @@
-From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001
+From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Sat, 21 Dec 2019 23:40:17 +1100
 Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
@@ -17,19 +17,19 @@
 Fixes: CVE-2019-19921
 Signed-off-by: Aleksa Sarai <asa...@suse.de>
 ---
- libcontainer/rootfs_linux.go | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
+ libcontainer/rootfs_linux.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
 
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 291021440a1a..6bc0747f9f7e 100644
+index 291021440a1a..106c4c2b98bf 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
-@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
  switch m.Device {
  case "proc", "sysfs":
-+ // If the destination already exists and is not a directory, we remove
-+ // it. This is to avoid mounting through a symlink or similar -- which
++ // If the destination already exists and is not a directory, we bail
++ // out This is to avoid mounting through a symlink or similar -- which
 + // has been a "fun" attack scenario in the past.
 + // TODO: This won't be necessary once we switch to libpathrs and we can
 + // stop all of these symlink-exchange attacks.
@@ -38,9 +38,7 @@
 + return err
 + }
 + } else if fi.Mode()&os.ModeDir == 0 {
-+ if err := os.Remove(dest); err != nil {
-+ return err
-+ }
++ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
 + }
  if err := os.MkdirAll(dest, 0755); err != nil {
  return err
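Review bot: The rejection on `} else if fi.Mode()&os.ModeDir == 0 {` is only as strong as the stat call that fills `fi`, which sits between the two hunks of this patch and is not visible here: if it is `os.Stat` rather than `os.Lstat`, a symlink whose target is a directory still reports `ModeDir` and proc is mounted through it, the exact case the comment says it guards against, so confirm it is `os.Lstat` or additionally reject `fi.Mode()&os.ModeSymlink != 0`. Even with Lstat this is still a check-then-mount race on `dest`, as the libpathrs TODO concedes, so the comment should say the check narrows rather than closes the symlink-exchange class. The new error drops the offending path; `return fmt.Errorf("filesystem %q must be mounted on ordinary directory, %q is not one", m.Device, dest)` makes a refused container start diagnosable from the log. The rewrapped comment also lost its sentence break, `// out This is to avoid` should read `// out. This is to avoid`, and the enclosing mountToRootfs starts and ends outside the hunk.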