Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package runc

There was a CVE filed against runc recently (CVE-2016-9962), and the patch to fix it was applied in the 0.1.1+dfsg1-2 team upload I just made. The patch is simply setting "runc exec" processes as "non-dumpable" (which, according to the CVE text and upstream, closes the vulnerability).

unblock runc/0.1.1+dfsg1-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
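The mitigation described above, as an added example (not code from the Debian upload or from runc itself): a small Linux-only C program that clears the dumpable flag the way the backported nsexec.c change does, then reads the effect back both through PR_GET_DUMPABLE and through the owner uid of the process's own /proc entry, which is what keeps other users, container processes included, out of /proc/<pid>/fd once the flag is cleared. The function names are my own.

```c
/* Added example, not part of the runc package or the Debian patch:
 * shows what prctl(PR_SET_DUMPABLE, 0) changes for the calling process. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Mark the calling process non-dumpable, as the backported hunk does for
 * "runc exec". Returns the flag read back via PR_GET_DUMPABLE (0 on success)
 * or -1 if the prctl call itself failed. */
int make_non_dumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return -1;
    }
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Owner uid of /proc/<pid>, or -1 if it cannot be stat'ed (no /proc mounted).
 * For a non-dumpable process the kernel reports root as the owner instead of
 * the process's real uid, so unprivileged peers cannot open /proc/<pid>/fd. */
int proc_owner_uid(pid_t pid)
{
    char path[64];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    if (stat(path, &st) != 0)
        return -1;
    return (int)st.st_uid;
}

int main(void)
{
    printf("before: dumpable=%d, /proc/self owner uid=%d\n",
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0), proc_owner_uid(getpid()));
    if (make_non_dumpable() != 0)
        return EXIT_FAILURE;
    printf("after:  dumpable=%d, /proc/self owner uid=%d\n",
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0), proc_owner_uid(getpid()));
    return EXIT_SUCCESS;
}
```

Run it as a non-root user to see the /proc owner switch from your uid to 0 after the flag is cleared; as root both lines show uid 0 and only the dumpable value changes.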
diff -Nru runc-0.1.1+dfsg1/debian/changelog runc-0.1.1+dfsg1/debian/changelog --- runc-0.1.1+dfsg1/debian/changelog 2016-07-13 06:01:04.000000000 -0700 +++ runc-0.1.1+dfsg1/debian/changelog 2017-02-01 07:17:54.000000000 -0800 @@ -1,3 +1,10 @@ +runc (0.1.1+dfsg1-2) unstable; urgency=medium + + * Team upload. + * Backport patch for CVE-2016-9962 (Closes: #850951) + + -- Tianon Gravi <tia...@debian.org> Wed, 01 Feb 2017 07:17:54 -0800 + runc (0.1.1+dfsg1-1) unstable; urgency=medium * New upstream release [June 2016]. diff -Nru runc-0.1.1+dfsg1/debian/control runc-0.1.1+dfsg1/debian/control --- runc-0.1.1+dfsg1/debian/control 2016-07-13 05:58:01.000000000 -0700 +++ runc-0.1.1+dfsg1/debian/control 2016-11-29 14:18:25.000000000 -0800 @@ -3,7 +3,8 @@ Priority: extra Maintainer: Debian Go Packaging Team <pkg-go-maintain...@lists.alioth.debian.org> Uploaders: Alexandre Viau <alexan...@alexandreviau.net>, - Dmitry Smirnov <only...@debian.org> + Dmitry Smirnov <only...@debian.org>, + Tim Potter <t...@hpe.com> Build-Depends: debhelper (>= 9), dh-golang, go-md2man, diff -Nru runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch --- runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch 1969-12-31 16:00:00.000000000 -0800 +++ runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch 2017-01-31 20:50:59.000000000 -0800 
@@ -0,0 +1,23 @@ +Description: set "runc exec" processes as non-dumpable (CVE-2016-9962) +Origin: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 (backported to v0.1.1) +Author: Tianon Gravi <tia...@debian.org> +Forwarded: not-needed +Applied-Upstream: > 1.0.0-rc2 + +diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c +index 8f37d6c..3c74c63 100644 +--- a/libcontainer/nsenter/nsexec.c ++++ b/libcontainer/nsenter/nsexec.c +@@ -364,6 +364,12 @@ void nsexec(void) + return; + } + ++ /* make the process non-dumpable */ ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { ++ pr_perror("Failed to set process as non-dumpable"); ++ exit(1); ++ } ++ + // Retrieve the netlink header + struct nlmsghdr nl_msg_hdr; + int len; diff -Nru runc-0.1.1+dfsg1/debian/patches/series runc-0.1.1+dfsg1/debian/patches/series --- runc-0.1.1+dfsg1/debian/patches/series 2016-07-13 05:08:22.000000000 -0700 +++ runc-0.1.1+dfsg1/debian/patches/series 2017-01-31 20:48:05.000000000 -0800 @@ -1 +1,2 @@ disable-failing-tests.patch +cve-2016-9962.patch
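Review bot: the debian/control hunk adds Tim Potter to Uploaders, but the 0.1.1+dfsg1-2 changelog entry lists only the team upload and the CVE-2016-9962 backport; for an unblock that is meant to carry just the security fix, either mention the Uploaders change in the changelog or leave it out of this upload so the release team sees exactly what they are unblocking.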
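Review bot: the nsexec.c hunk adds a prctl(PR_SET_DUMPABLE, ...) call without touching the file's includes, so confirm that nsexec.c at v0.1.1 already pulls in <sys/prctl.h> and defines pr_perror(); otherwise the backport fails at build time rather than applying the fix. The placement looks right: the flag is cleared before the netlink header is read, and the `exit(1)` on failure keeps the change fail-closed instead of continuing with a dumpable process.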