* [Buildroot] [PATCH 1/1] runc: bump to 6635b4f, fixes critical CVE-2019-5736
@ 2019-02-12  8:38 Christian Stewart
  2019-02-12  9:20 ` Peter Korsgaard
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Stewart @ 2019-02-12  8:38 UTC (permalink / raw)
  To: buildroot

Runc has a bug and related CVE which enables code running in a container to
overwrite the runc binary, taking root control of the host system and escaping
containment. This commit upgrades Runc to fix the vulnerability.

Fixes: CVE-2019-5736
Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/runc/runc.hash | 2 +-
 package/runc/runc.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/runc/runc.hash b/package/runc/runc.hash
index 1636e5b8e9..1cd3413e6c 100644
--- a/package/runc/runc.hash
+++ b/package/runc/runc.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256	a221f8380e7b5806031f54d423af6dde24c305dad49868056cf70e5f5f4ef771  runc-v1.0.0-rc6.tar.gz
+sha256	a960decadf6bd5d3cee1ca7b94455d37cc921c964061428bd9f3dd17a13c8bb3  runc-6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.gz
 sha256  552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243  LICENSE
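Review bot: The unchanged LICENSE line keeps the hash that was recorded for v1.0.0-rc6, so please confirm that LICENSE is byte-identical in the 6635b4f tree; if it differs, that hash has to be updated in this same commit. The new archive hash sits under "# Locally computed" and names a tarball of a bare commit rather than a tagged release, so the commit message should say how the tarball was obtained and checked.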
diff --git a/package/runc/runc.mk b/package/runc/runc.mk
index 0539661266..60e54ce2bd 100644
--- a/package/runc/runc.mk
+++ b/package/runc/runc.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RUNC_VERSION = v1.0.0-rc6
+RUNC_VERSION = 6635b4f0c6af3810594d2770f662f34ddc15b40d
 RUNC_SITE = $(call github,opencontainers,runc,$(RUNC_VERSION))
 RUNC_LICENSE = Apache-2.0
 RUNC_LICENSE_FILES = LICENSE
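Review bot: RUNC_VERSION moves from the release tag v1.0.0-rc6 to a raw commit id, and neither this hunk nor the commit message says which upstream change carries the CVE-2019-5736 fix or what else between rc6 and 6635b4f comes along with it. Please name the fixing commit in the commit message, or in a comment above RUNC_VERSION, so the bump can be audited and backported. The diffstat touches only runc.hash and runc.mk; if the new version adds a libc requirement, as the reply in this thread says of fexecve on uClibc, the package dependencies need to change in the same series.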
-- 
2.19.2


* [Buildroot] [PATCH 1/1] runc: bump to 6635b4f, fixes critical CVE-2019-5736
  2019-02-12  8:38 [Buildroot] [PATCH 1/1] runc: bump to 6635b4f, fixes critical CVE-2019-5736 Christian Stewart
@ 2019-02-12  9:20 ` Peter Korsgaard
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2019-02-12  9:20 UTC (permalink / raw)
  To: buildroot

>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > Runc has a bug and related CVE which enables code running in a container to
 > overwrite the runc binary, taking root control of the host system and escaping
 > containment. This commit upgrades Runc to fix the vulnerability.

 > Fixes: CVE-2019-5736
 > Signed-off-by: Christian Stewart <christian@paral.in>

I am working on this as well. The fix (I would prefer to just add commit
0a8e4117e7f715d as a patch for easy backport) uses fexecve, which isn't
available on uClibc, so we need to propagate that dependency to the
reverse dependencies.

I also recently added a unit test for docker / compose. This test uses a
prebuilt uClibc based toolchain, so the test needs to be updated.

-- 
Bye, Peter Korsgaard
