Hello community,

here is the log from the commit of package docker-runc for openSUSE:Factory 
checked in at 2020-01-21 20:58:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker-runc (Old)
 and      /work/SRC/openSUSE:Factory/.docker-runc.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker-runc"

Tue Jan 21 20:58:22 2020 rev:22 rq:765630 version:1.0.0rc8+gitr3917_3e425f80a8c9

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes  2020-01-19 
20:53:20.531921176 +0100
+++ /work/SRC/openSUSE:Factory/.docker-runc.new.26092/docker-runc.changes       
2020-01-21 20:58:33.848798577 +0100
@@ -1,0 +2,6 @@
+Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asa...@suse.com>
+
+- Update CVE-2019-19921 patch to match upstream PR.
+  * CVE-2019-19921.patch
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ CVE-2019-19921.patch ++++++
--- /var/tmp/diff_new_pack.E1BJor/_old  2020-01-21 20:58:36.000799580 +0100
+++ /var/tmp/diff_new_pack.E1BJor/_new  2020-01-21 20:58:36.012799586 +0100
@@ -1,4 +1,4 @@
-From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001
+From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Sat, 21 Dec 2019 23:40:17 +1100
 Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
@@ -17,19 +17,19 @@
 Fixes: CVE-2019-19921
 Signed-off-by: Aleksa Sarai <asa...@suse.de>
 ---
- libcontainer/rootfs_linux.go | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
+ libcontainer/rootfs_linux.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
 
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 291021440a1a..6bc0747f9f7e 100644
+index 291021440a1a..106c4c2b98bf 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
-@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel 
string, enableCgroupns b
+@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel 
string, enableCgroupns b
  
        switch m.Device {
        case "proc", "sysfs":
-+              // If the destination already exists and is not a directory, we 
remove
-+              // it. This is to avoid mounting through a symlink or similar 
-- which
++              // If the destination already exists and is not a directory, we 
bail
++              // out This is to avoid mounting through a symlink or similar 
-- which
 +              // has been a "fun" attack scenario in the past.
 +              // TODO: This won't be necessary once we switch to libpathrs 
and we can
 +              //       stop all of these symlink-exchange attacks.
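Review bot: The rewritten comment on the `++` lines loses its sentence break, so `bail out This is to avoid mounting through a symlink` reads as one run-on; it should be `// out. This is to avoid mounting through a symlink or similar -- which`. The rest of the comment, including the libpathrs TODO, is unchanged and still describes the guard that follows in the next hunk.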
@@ -38,9 +38,7 @@
 +                              return err
 +                      }
 +              } else if fi.Mode()&os.ModeDir == 0 {
-+                      if err := os.Remove(dest); err != nil {
-+                              return err
-+                      }
++                      return fmt.Errorf("filesystem %q must be mounted on 
ordinary directory", m.Device)
 +              }
                if err := os.MkdirAll(dest, 0755); err != nil {
                        return err
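Review bot: The new `fi.Mode()&os.ModeDir == 0` guard only delivers what the comment above it promises if the stat call that produced `fi` (immediately above this hunk, not visible here) is `os.Lstat`; with `os.Stat` a symlink resolving to a directory would satisfy the check, so that line is worth confirming when the patch is refreshed. The returned error names only the device and not the offending path; unless the wording must stay byte-identical to upstream, `return fmt.Errorf("filesystem %q must be mounted on ordinary directory (%q is not a directory)", m.Device, dest)` would let an operator find the stray file in the rootfs without a second look. Replacing the old `os.Remove(dest)` with a hard failure also means images that ship a regular file or symlink at the proc/sysfs destination now fail to start instead of being silently fixed up — consistent with the upstream PR the changelog cites, but a user-visible behaviour change worth a sentence in the .changes entry. mountToRootfs continues past the end of this hunk.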

