From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#34446: closed (Runc container escape patches CVE-2019-5736)
Date: Tue, 12 Feb 2019 17:57:02 +0000

Your message dated Tue, 12 Feb 2019 12:56:31 -0500
with message-id <address@hidden>
and subject line Re: [bug#34446] Runc container escape patches CVE-2019-5736
has caused the debbugs.gnu.org bug report #34446,
regarding Runc container escape patches CVE-2019-5736
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
34446: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34446
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: Runc container escape patches CVE-2019-5736
Date: Mon, 11 Feb 2019 18:37:08 -0500
User-agent: Mutt/1.11.2 (2019-01-07)
These patches aim to fix CVE-2019-5736 in runc / Docker:

https://seclists.org/oss-sec/2019/q1/119

However, after applying these patches, Docker fails to build as shown
below. Runc, docker-cli, and containerd still build.

Please help :)

------
phase `setup-environment' succeeded after 0.0 seconds
starting phase `build'
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#

Removing bundles/

---> Making bundle: dynbinary (in bundles/dynbinary)
Building: bundles/dynbinary-daemon/dockerd-dev
# github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables
.gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15:
 undefined: exec.Guix_doesnt_want_LookPath
.gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45:
 invalid character U+005C '\'
Backtrace:
           4 (primitive-load "/gnu/store/n5jmx2wksfvcrwlpv2zafd5hany…")
In ice-9/eval.scm:
   191:35  3 (_ _)
In srfi/srfi-1.scm:
   863:16  2 (every1 #<procedure ac28a0 at /gnu/store/rkv7z31csb2xa…> …)
In 
/gnu/store/rkv7z31csb2xandzhnvm5kc0i78pf0ay-module-import/guix/build/gnu-build-system.scm:
   799:28  1 (_ _)
In 
/gnu/store/rkv7z31csb2xandzhnvm5kc0i78pf0ay-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/rkv7z31csb2xandzhnvm5kc0i78pf0ay-module-import/guix/build/utils.scm:616:6:
 In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: 
"hack/make.sh" arguments: ("dynbinary") exit-status: 2 term-signal: #f 
stop-signal: #f] 491cc0>)'.
builder for `/gnu/store/ihdm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv' 
failed with exit code 1
build of /gnu/store/ihdm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv failed
View build log at 
'/var/log/guix/drvs/ih/dm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv.bz2'.
guix build: error: build of 
`/gnu/store/ihdm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv' failed
------

--- End Message ---
--- Begin Message ---
Subject: Re: [bug#34446] Runc container escape patches CVE-2019-5736
Date: Tue, 12 Feb 2019 12:56:31 -0500
User-agent: Mutt/1.11.2 (2019-01-07)
On Tue, Feb 12, 2019 at 01:10:34AM +0100, Danny Milosavljevic wrote:
> as originally released by upstream, Docker looks up auxiliary commands in 
> PATH,
> using a Go function called "LookPath".
> 
> Our package definition patches a lot of the specific LookPath calls to
> refer to inputs by absolute path.
> 
> I've booby-trapped the remaining LookPath calls so we won't accidentally
> have an internal tool looked up in $PATH.
> 
> If we have not forgotten any LookPath calls, there should have been no
> remaining LookPath calls and it would not have failed the build.

Thanks for explaining this :)

> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15:
> >  undefined: exec.Guix_doesnt_want_LookPath
> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45:
> >  invalid character U+005C '\'
> 
> Please examine line 90.  It probably has a LookPath line with a new argument
> we haven't seen before.

Okay, they added a lookup for 'iptables-legacy', which is what Debian has
renamed iptables. I changed this to just look up 'iptables', since it's
equivalent on our end and in how the Docker code uses it, and pushed as
ea7cddaac782b2cdc789a354e172356ed5c183e7.

Thanks again for your help!

--- End Message ---
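The thread above describes two things the Guix package does to Docker's helper lookups: the known LookPath calls are rewritten to absolute input paths, and any call that was overlooked is renamed so the build fails instead of silently searching $PATH at run time. The Go program below is an added example written for this page, not code from Guix, Docker or runc. It contrasts a PATH-based exec.LookPath resolution with a pinned-absolute-path resolution and shows that only the former depends on the caller's environment. The store path under /gnu/store/EXAMPLE-..., the ErrNotPinned error and the function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrNotPinned signals a helper with no pinned absolute path. It is the
// run-time analogue of the build-breaking rename described in the thread: an
// unaccounted-for lookup must fail loudly, never fall back to $PATH.
var ErrNotPinned = errors.New("helper has no pinned absolute path")

// pinnedTools stands in for the absolute store paths a build-time substitution
// would bake into the binary. The path is a constructed placeholder, not a
// real Guix store item.
var pinnedTools = map[string]string{
	"iptables": "/gnu/store/EXAMPLE-iptables/sbin/iptables",
}

// lookupViaPath resolves a helper the way an unpatched LookPath call does:
// by walking $PATH, so whoever controls PATH controls which binary is chosen.
func lookupViaPath(name string) (string, error) {
	return exec.LookPath(name)
}

// lookupPinned resolves a helper only through the pinned table and rejects
// anything that is not an absolute path. $PATH plays no part.
func lookupPinned(name string) (string, error) {
	p, ok := pinnedTools[name]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrNotPinned, name)
	}
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("pinned path for %q is not absolute: %s", name, p)
	}
	return p, nil
}

// resolveWithPath runs both lookups with PATH temporarily set to dir and
// reports what each one resolved to ("" when a lookup failed). The original
// PATH is restored before returning.
func resolveWithPath(name, dir string) (viaPath, pinned string) {
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	os.Setenv("PATH", dir)

	if p, err := lookupViaPath(name); err == nil {
		viaPath = p
	}
	if p, err := lookupPinned(name); err == nil {
		pinned = p
	}
	return viaPath, pinned
}

func main() {
	// Point PATH at a directory that does not exist (constructed for the demo):
	// the PATH-based lookup finds nothing, the pinned lookup is unaffected.
	viaPath, pinned := resolveWithPath("iptables", "/nonexistent-EXAMPLE-dir")
	fmt.Printf("PATH lookup: %q\npinned lookup: %q\n", viaPath, pinned)

	// A helper that was never pinned surfaces as an error instead of a silent
	// PATH search; this is the case the build error in the thread caught.
	_, err := lookupPinned("iptables-legacy")
	fmt.Println("iptables-legacy:", err)
}
```

The pinned table is deliberately the only source of truth: a missing entry is an error rather than a fallback to exec.LookPath, which is the same property the renamed exec.Guix_doesnt_want_LookPath symbol enforces at compile time.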
