
bug#34446: Runc container escape patches CVE-2019-5736


From: Leo Famulari
Subject: bug#34446: Runc container escape patches CVE-2019-5736
Date: Tue, 12 Feb 2019 12:56:31 -0500
User-agent: Mutt/1.11.2 (2019-01-07)

On Tue, Feb 12, 2019 at 01:10:34AM +0100, Danny Milosavljevic wrote:
> as originally released by upstream, Docker looks up auxiliary commands in PATH,
> using a Go function called "LookPath".
> 
> Our package definition patches a lot of the specific LookPath calls to
> refer to inputs by absolute path.
> 
> I've booby-trapped the remaining LookPath calls so we won't accidentally
> have an internal tool looked up in $PATH.
> 
> If we have not forgotten any LookPath calls, there should have been no remaining
> LookPath calls and it would not have failed the build.

Thanks for explaining this :)

> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'
> 
> Please examine line 90.  It probably has a LookPath line with a new argument we
> haven't seen before.

Okay, they added a lookup for 'iptables-legacy' which is what Debian has
renamed iptables. I changed this to just look up 'iptables' since it's
equivalent on our end and in how the Docker code uses it and pushed as
ea7cddaac782b2cdc789a354e172356ed5c183e7.

Thanks again for your help!
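To make the two-step approach described in the quoted message concrete, here is an added shell example (not the Guix package definition, which performs its substitutions in Scheme, and not docker code): it rewrites a known LookPath call to a fixed absolute path, renames every remaining call to the undefined identifier seen in the build error above, and reports what that trap caught. The sample Go file, the tool names and the store path are constructed placeholders.

```shell
# Added example, not the Guix package definition or the docker code base.
# Store paths and the sample Go source below are constructed.

# Rewrite one known LookPath call to an absolute path.  In Go,
# `p, err := exec.LookPath("iptables")` becomes
# `p, err := "/gnu/store/...-iptables/sbin/iptables", error(nil)`,
# so both return values survive and the caller compiles unchanged.
patch_lookpath() {   # $1 = Go file, $2 = tool name, $3 = absolute path
  sed "s|exec\\.LookPath(\"$2\")|\"$3\", error(nil)|g" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Booby-trap every LookPath call that is still left: rename it to an
# identifier os/exec does not define, so `go build` fails at the exact
# file:line instead of the binary resolving a helper through $PATH.
trap_lookpath() {    # $1 = Go file
  sed 's|exec\.LookPath(|exec.Guix_doesnt_want_LookPath(|g' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# List the calls the trap caught (file line numbers included) and return
# 1 if there are any, so the packager sees the new tool name right away.
check_trapped() {    # $1 = Go file
  if grep -n 'Guix_doesnt_want_LookPath' "$1"; then
    return 1
  fi
  return 0
}

# Constructed sample standing in for iptables.go: one lookup the
# package already patches and one that upstream added later.
make_sample() {      # $1 = output file
  cat > "$1" <<'EOF'
package iptables

import "os/exec"

func probe() (string, error) {
	if p, err := exec.LookPath("iptables"); err == nil {
		return p, nil
	}
	return exec.LookPath("iptables-legacy")
}
EOF
}
```

Running `make_sample f.go; patch_lookpath f.go iptables /gnu/store/example-iptables/sbin/iptables; trap_lookpath f.go; check_trapped f.go` prints the trapped `iptables-legacy` line and exits non-zero, which is the signal that a new LookPath call needs a decision.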
