On 31 January 2017 at 20:46, Tianon Gravi <tia...@debian.org> wrote:
> I'm preparing a patch for the package now, but I'm curious what the
> implications of an upload will be so close to the freeze -- do we need
> to request a freeze exception or a migration adjustment after the
> updated package is up?  Should I hold off on uploading?  (would rather
> not lose "runc" from stretch)

CVE fix backported for v0.1.1 is attached (applies cleanly in the
current packaging when added to "debian/patches/series").

Happy to do the actual upload if I can get some guidance on how to
make sure it's done properly WRT freeze (or just as happy to leave it
to someone else).  O:)

- Tianon
Description: set "runc exec" processes as non-dumpable (CVE-2016-9962)
Origin: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 (backported to v0.1.1)
Author: Tianon Gravi <tia...@debian.org>
Forwarded: not-needed
Applied-Upstream: > 1.0.0-rc2

diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 8f37d6c..3c74c63 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -364,6 +364,12 @@ void nsexec(void)
+	/* make the process non-dumpable */
+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+		pr_perror("Failed to set process as non-dumpable");
+		exit(1);
+	}
 	// Retrieve the netlink header
 	struct nlmsghdr nl_msg_hdr;
 	int		len;
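Review bot: the hunk calls prctl(2) with PR_SET_DUMPABLE, but no "#include <sys/prctl.h>" appears anywhere in the patch, so unless the v0.1.1 nsexec.c already pulls it in, this will not compile; please confirm or add the include in the same patch. The hunk header "@@ -364,6 +364,12 @@" also announces 6 pre-image and 12 post-image lines while only three context lines and six added lines are visible here, so what is quoted is an excerpt and the full file under debian/patches should be checked against the header before upload. The placement itself looks right: making the process non-dumpable (and therefore not PTRACE_ATTACH-able by an unprivileged process of the same uid) at the very top of nsexec(), before the netlink header is read, closes the window before any input is acted on, and bailing out with pr_perror() plus exit(1) rather than continuing dumpable is the correct failure mode for a fix of this kind.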
