From 49a657e3771241ad0df29d7f7e520f3ae183ebc4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 23 2020 13:33:11 +0000
Subject: import runc-1.0.0-66.rc8.el7_7
---
diff --git a/SOURCES/runc-CVE-2019-19921.patch b/SOURCES/runc-CVE-2019-19921.patch
new file mode 100644
index 0000000..b81c5da
--- /dev/null
+++ b/SOURCES/runc-CVE-2019-19921.patch
@@ -0,0 +1,45 @@
+From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Sat, 21 Dec 2019 23:40:17 +1100
+Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
+
+mount(2) will blindly follow symlinks, which is a problem because it
+allows a malicious container to trick runc into mounting /proc to an
+entirely different location (and thus within the attacker's control for
+a rename-exchange attack).
+
+This is just a hotfix (to "stop the bleeding"), and the more complete
+fix would be finish libpathrs and port runc to it (to avoid these types
+of attacks entirely, and defend against a variety of other /proc-related
+attacks). It can be bypased by someone having "/" be a volume controlled
+by another container.
+
+Fixes: CVE-2019-19921
+Signed-off-by: Aleksa Sarai
+---
+ libcontainer/rootfs_linux.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 291021440..106c4c2b9 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+ 
+ switch m.Device {
+ case "proc", "sysfs":
++ // If the destination already exists and is not a directory, we bail
++ // out This is to avoid mounting through a symlink or similar -- which
++ // has been a "fun" attack scenario in the past.
++ // TODO: This won't be necessary once we switch to libpathrs and we can
++ // stop all of these symlink-exchange attacks.
++ if fi, err := os.Lstat(dest); err != nil {
++ if !os.IsNotExist(err) {
++ return err
++ }
++ } else if fi.Mode()&os.ModeDir == 0 {
++ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
++ }
+ if err := os.MkdirAll(dest, 0755); err != nil {
+ return err
+ }
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index 8ee14d0..d510b6f 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
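Review bot: The Lstat guard added before `os.MkdirAll(dest, 0755)` in the `case "proc", "sysfs":` branch only inspects the final path component of `dest`; if a parent component inside the rootfs is a symlink, mount(2) still follows it, so the guard is only sound if `dest` was already resolved with a symlink-safe join at the top of mountToRootfs, which lies outside this hunk. The check is also not atomic with the later mount, so a rename-exchange between Lstat and mount(2) can still redirect it when the rootfs is writable by another container, as the commit message concedes; that caveat belongs at the call site, e.g. `// NOTE: best-effort and non-atomic; a rename-exchange between Lstat and mount(2) can still redirect the mount.` Two smaller points: `fi.Mode()&os.ModeDir == 0` reads better as `!fi.IsDir()`, and the error should name the offending path so operators can locate it, `return fmt.Errorf("filesystem %q must be mounted on ordinary directory, but %q is not a directory", m.Device, dest)`. mountToRootfs begins and ends outside this hunk.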
@@ -25,7 +25,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -
 Name: %{repo}
 Version: 1.0.0
-Release: 65.rc8%{?dist}
+Release: 66.rc8%{?dist}
 Summary: CLI for running Open Containers
 License: ASL 2.0
 URL: %{git0}
@@ -33,11 +33,12 @@ Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source1: 99-containers.conf
 Patch0: 1807.patch
 Patch1: change-default-root.patch
-%ifnarch %{ix86}
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19921
+# patch: https://github.com/opencontainers/runc/pull/2207/commits/3291d66b98445bd7f7d02eac7f2bca2ac2c56942.patch
+Patch2: runc-CVE-2019-19921.patch
 Requires: criu
-%endif
 Requires(pre): container-selinux >= 2:2.2-2
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64 %{ix86}
+ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
 BuildRequires: go-toolset-1.10
 BuildRequires: openssl-devel
 BuildRequires: git
@@ -123,6 +124,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
 %{_usr}/lib/sysctl.d/99-containers.conf
 %changelog
+* Mon Mar 02 2020 Jindrich Novy - 1.0.0-66.rc8
+- fix "CVE-2019-19921 runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation"
+- Resolves: #1803100
+
 * Fri Aug 02 2019 Jindrich Novy - 1.0.0-65.rc8
 - rebase to 1.0.0-65 in RHEL7u7
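Review bot: `Patch2: runc-CVE-2019-19921.patch` is declared in the second hunk, but the %prep section that applies patches is not in view; if the spec applies patches with explicit `%patch0 -p1`/`%patch1 -p1` lines rather than `%autosetup -p1`, a matching `%patch2 -p1` must be added or the package builds without the CVE fix despite the changelog claiming it. Verify by checking the prepared source tree for the Lstat guard in libcontainer/rootfs_linux.go before signing off. The same hunk also drops `%{ix86}` from ExclusiveArch and removes the `%ifnarch %{ix86}` guard around `Requires: criu`, an arch change unrelated to the CVE that the 66.rc8 changelog entry does not mention; it deserves its own changelog line, e.g. `- drop 32-bit x86 from ExclusiveArch`.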