* [Buildroot] [PATCH 1/1] runc: bump to 6635b4f, fixes critical CVE-2019-5736
@ 2019-02-12 8:38 Christian Stewart
2019-02-12 9:20 ` Peter Korsgaard
0 siblings, 1 reply; 2+ messages in thread
From: Christian Stewart @ 2019-02-12 8:38 UTC (permalink / raw)
To: buildroot
Runc has a bug and related CVE which enables code running in a container to
overwrite the runc binary, taking root control of the host system and escaping
containment. This commit upgrades Runc to fix the vulnerability.
Fixes: CVE-2019-5736
Signed-off-by: Christian Stewart <christian@paral.in>
---
package/runc/runc.hash | 2 +-
package/runc/runc.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/runc/runc.hash b/package/runc/runc.hash
index 1636e5b8e9..1cd3413e6c 100644
--- a/package/runc/runc.hash
+++ b/package/runc/runc.hash
@@ -1,3 +1,3 @@
# Locally computed
-sha256 a221f8380e7b5806031f54d423af6dde24c305dad49868056cf70e5f5f4ef771 runc-v1.0.0-rc6.tar.gz
+sha256 a960decadf6bd5d3cee1ca7b94455d37cc921c964061428bd9f3dd17a13c8bb3 runc-6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.gz
sha256 552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243 LICENSE
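Review bot: The new sha256 on the runc-6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.gz line sits under "# Locally computed", so for a security fix the only integrity anchor is a value that cannot be cross-checked from the patch itself. Please state in the commit message how it was obtained (for example, from the archive that RUNC_SITE in runc.mk resolves to for this commit) so a second person can recompute and confirm it before this is applied. The LICENSE hash is unchanged context, which is consistent with the license file being the same in both versions.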
diff --git a/package/runc/runc.mk b/package/runc/runc.mk
index 0539661266..60e54ce2bd 100644
--- a/package/runc/runc.mk
+++ b/package/runc/runc.mk
@@ -4,7 +4,7 @@
#
################################################################################
-RUNC_VERSION = v1.0.0-rc6
+RUNC_VERSION = 6635b4f0c6af3810594d2770f662f34ddc15b40d
RUNC_SITE = $(call github,opencontainers,runc,$(RUNC_VERSION))
RUNC_LICENSE = Apache-2.0
RUNC_LICENSE_FILES = LICENSE
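Review bot: RUNC_VERSION moves from the tagged release v1.0.0-rc6 to a bare commit id, so the bump takes in whatever else landed upstream between rc6 and 6635b4f0c6af3810594d2770f662f34ddc15b40d, not only the CVE-2019-5736 fix, and neither this hunk nor the commit message names the upstream commit that carries the fix. Name that commit in the commit message, and consider whether a single fix patch on top of rc6 would be easier to backport to stable branches. The diffstat touches only runc.hash and runc.mk, so any new libc or toolchain requirement of the newer source is not reflected in the package's dependencies; the reply in this thread raises that point for fexecve on uClibc.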
--
2.19.2
* [Buildroot] [PATCH 1/1] runc: bump to 6635b4f, fixes critical CVE-2019-5736
From: Peter Korsgaard @ 2019-02-12 9:20 UTC (permalink / raw)
To: buildroot
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:
> Runc has a bug and related CVE which enables code running in a container to
> overwrite the runc binary, taking root control of the host system and escaping
> containment. This commit upgrades Runc to fix the vulnerability.
> Fixes: CVE-2019-5736
> Signed-off-by: Christian Stewart <christian@paral.in>
I am working on this as well. The fix (I would prefer to just add commit
0a8e4117e7f715d as a patch for easy backport) uses fexecve, which isn't
available on uClibc, so we need to propagate that dependency to the
reverse dependencies.
I also recently added a unit test for docker / compose. This test uses a
prebuilt uClibc based toolchain, so the test needs to be updated.
--
Bye, Peter Korsgaard