Package: runc | Debian Sources

Package: runc / 0.1.1+dfsg1-2+deb9u1

Metadata

Package	Version	Patches format
runc	0.1.1+dfsg1-2+deb9u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
disable failing tests.patch \| (download)	libcontainer/configs/config_test.go \| 1 1 + 0 - 0 ! libcontainer/factory_linux_test.go \| 1 1 + 0 - 0 ! libcontainer/integration/checkpoint_test.go \| 1 1 + 0 - 0 ! libcontainer/integration/exec_test.go \| 30 30 + 0 - 0 ! libcontainer/integration/execin_test.go \| 9 9 + 0 - 0 ! libcontainer/integration/seccomp_test.go \| 3 3 + 0 - 0 ! 6 files changed, 45 insertions(+)	disable failing test(s) ### FAIL: TestFactoryNewTmpfs (0.00s) ### factory_linux_test.go:60: operation not permitted ### FAIL: TestCommandHookRunTimeout (0.01s) ### panic: runtime error: invalid memory address or nil pointer dereference [recovered] ### panic: runtime error: invalid memory address or nil pointer dereference
cve 2016 9962.patch \| (download)	libcontainer/nsenter/nsexec.c \| 6 6 + 0 - 0 ! 1 file changed, 6 insertions(+)	set "runc exec" processes as non-dumpable (cve-2016-9962)
CVE 2019 5736.patch \| (download)	libcontainer/nsenter/cloned_binary.c \| 516 516 + 0 - 0 ! libcontainer/nsenter/nsexec.c \| 8 8 + 0 - 0 ! 2 files changed, 524 insertions(+)	cve-2019-5736 Backport upstream patches for CVE-2019-5736 Fix in nsexec.c is adjusted to current version Include commits: 2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails 16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE 2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks 5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ 0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container Bug-Debian: https://bugs.debian.org/922050

Patch

File delta

Description

disable failing tests.patch | (download)

libcontainer/configs/config_test.go | 1 1 + 0 - 0 !
libcontainer/factory_linux_test.go | 1 1 + 0 - 0 !
libcontainer/integration/checkpoint_test.go | 1 1 + 0 - 0 !
libcontainer/integration/exec_test.go | 30 30 + 0 - 0 !
libcontainer/integration/execin_test.go | 9 9 + 0 - 0 !
libcontainer/integration/seccomp_test.go | 3 3 + 0 - 0 !
6 files changed, 45 insertions(+)

 disable failing test(s)
### FAIL: TestFactoryNewTmpfs (0.00s)
###     factory_linux_test.go:60: operation not permitted

### FAIL: TestCommandHookRunTimeout (0.01s)
### panic: runtime error: invalid memory address or nil pointer dereference [recovered]
### panic: runtime error: invalid memory address or nil pointer dereference

cve 2016 9962.patch | (download)

libcontainer/nsenter/nsexec.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 set "runc exec" processes as non-dumpable (cve-2016-9962)

CVE 2019 5736.patch | (download)

libcontainer/nsenter/cloned_binary.c | 516 516 + 0 - 0 !
libcontainer/nsenter/nsexec.c | 8 8 + 0 - 0 !
2 files changed, 524 insertions(+)

cve-2019-5736

Backport upstream patches for CVE-2019-5736

Fix in nsexec.c is adjusted to current version

Include commits:
2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails
16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks
5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies
bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ
0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container

Bug-Debian: https://bugs.debian.org/922050