[pkg-go] Bug#853866: unblock: runc/0.1.1+dfsg1-2
Tianon Gravi
tianon at debian.org
Wed Feb 1 16:12:19 UTC 2017
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package runc
There was a CVE filed against runc recently (CVE-2016-9962), and the
patch to fix it was applied in the 0.1.1+dfsg1-2 team upload I just
made. The patch is simply setting "runc exec" processes as
"non-dumpable" (which according to the CVE text and upstream, closes the
vulnerability).
unblock runc/0.1.1+dfsg1-2
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru runc-0.1.1+dfsg1/debian/changelog runc-0.1.1+dfsg1/debian/changelog
--- runc-0.1.1+dfsg1/debian/changelog 2016-07-13 06:01:04.000000000 -0700
+++ runc-0.1.1+dfsg1/debian/changelog 2017-02-01 07:17:54.000000000 -0800
@@ -1,3 +1,10 @@
+runc (0.1.1+dfsg1-2) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2016-9962 (Closes: #850951)
+
+ -- Tianon Gravi <tianon at debian.org> Wed, 01 Feb 2017 07:17:54 -0800
+
runc (0.1.1+dfsg1-1) unstable; urgency=medium
* New upstream release [June 2016].
diff -Nru runc-0.1.1+dfsg1/debian/control runc-0.1.1+dfsg1/debian/control
--- runc-0.1.1+dfsg1/debian/control 2016-07-13 05:58:01.000000000 -0700
+++ runc-0.1.1+dfsg1/debian/control 2016-11-29 14:18:25.000000000 -0800
@@ -3,7 +3,8 @@
Priority: extra
Maintainer: Debian Go Packaging Team <pkg-go-maintainers at lists.alioth.debian.org>
Uploaders: Alexandre Viau <alexandre at alexandreviau.net>,
- Dmitry Smirnov <onlyjob at debian.org>
+ Dmitry Smirnov <onlyjob at debian.org>,
+ Tim Potter <tpot at hpe.com>
Build-Depends: debhelper (>= 9),
dh-golang,
go-md2man,
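Review bot: the Uploaders change (adding Tim Potter) is unrelated to the CVE fix and is not mentioned in the 0.1.1+dfsg1-2 changelog entry, so the debdiff the release team sees does not match the changelog. For a freeze unblock either drop this hunk from the upload or add a line such as `* Add Tim Potter to Uploaders.` to the changelog so every change in the diff is accounted for.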
diff -Nru runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch
--- runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch 1969-12-31 16:00:00.000000000 -0800
+++ runc-0.1.1+dfsg1/debian/patches/cve-2016-9962.patch 2017-01-31 20:50:59.000000000 -0800
@@ -0,0 +1,23 @@
+Description: set "runc exec" processes as non-dumpable (CVE-2016-9962)
+Origin: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 (backported to v0.1.1)
+Author: Tianon Gravi <tianon at debian.org>
+Forwarded: not-needed
+Applied-Upstream: > 1.0.0-rc2
+
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 8f37d6c..3c74c63 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -364,6 +364,12 @@ void nsexec(void)
+ return;
+ }
+
++ /* make the process non-dumpable */
++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
++ pr_perror("Failed to set process as non-dumpable");
++ exit(1);
++ }
++
+ // Retrieve the netlink header
+ struct nlmsghdr nl_msg_hdr;
+ int len;
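Review bot: the hunk calls prctl() and pr_perror() but adds no `#include <sys/prctl.h>`; confirm that nsexec.c in v0.1.1 already includes it (and that the upstream commit did not add the include in a part of the diff this backport drops), otherwise the package fails to build. On the DEP-3 header, `Origin:` takes the form `Origin: backport, https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5` rather than a URL followed by a free-form comment, and `Applied-Upstream:` is meant to carry the first upstream version that contains the commit rather than a comparison like `> 1.0.0-rc2`. The placement itself is sound: the flag is cleared before the netlink configuration is read, so the helper is non-dumpable for the whole of the namespace-joining sequence that follows.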
diff -Nru runc-0.1.1+dfsg1/debian/patches/series runc-0.1.1+dfsg1/debian/patches/series
--- runc-0.1.1+dfsg1/debian/patches/series 2016-07-13 05:08:22.000000000 -0700
+++ runc-0.1.1+dfsg1/debian/patches/series 2017-01-31 20:48:05.000000000 -0800
@@ -1 +1,2 @@
disable-failing-tests.patch
+cve-2016-9962.patch
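The following program is an added illustration of what PR_SET_DUMPABLE does for a helper process such as the one patched above; it is not code from the bug report, the Debian package or upstream runc. It forks a child that stands in for the "runc exec" helper, optionally makes it non-dumpable with the same prctl() call, and then tries to read the child's /proc/<pid>/environ from the parent, which plays the part of a same-uid process that has ended up sharing namespaces with the helper. It assumes a Linux host with /proc mounted; the refusal for the non-dumpable child only shows when the caller lacks CAP_SYS_PTRACE (i.e. not as root).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* The call the Debian patch adds to nsexec(): 0 on success, -1 (errno set)
 * on failure. */
int make_non_dumpable(void)
{
	return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Dumpable flag of the calling process: 0 or 1 (-1 on error). */
int get_dumpable(void)
{
	return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Try to read /proc/<pid>/environ of another process, the kind of host-side
 * data a container process could pull out of a dumpable helper that has
 * already joined its namespaces.  The kernel applies a ptrace access check
 * when the file is opened, and that check fails for a non-dumpable target
 * unless the caller has CAP_SYS_PTRACE.  Returns 1 if readable, 0 if the
 * kernel refused (EACCES/EPERM), -1 on any other failure. */
int probe_proc_environ(pid_t pid)
{
	char path[64], buf[16];
	int fd, saved;
	ssize_t n;

	snprintf(path, sizeof path, "/proc/%d/environ", (int)pid);
	fd = open(path, O_RDONLY);
	if (fd < 0)
		return (errno == EACCES || errno == EPERM) ? 0 : -1;
	n = read(fd, buf, sizeof buf);
	saved = errno;
	close(fd);
	if (n < 0)
		return (saved == EACCES || saved == EPERM) ? 0 : -1;
	return 1;
}

/* Fork a child (the stand-in for the "runc exec" helper), set its dumpable
 * flag as requested, then probe it from the parent.  Returns the probe
 * result (see probe_proc_environ). */
int probe_child(int non_dumpable)
{
	int pipefd[2], result;
	char byte = 'r';
	pid_t pid;

	if (pipe(pipefd) < 0)
		return -1;
	pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		close(pipefd[0]);
		/* set the flag explicitly either way: it is inherited across
		 * fork(), so the parent may already be non-dumpable */
		if ((non_dumpable ? make_non_dumpable()
		                  : prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) != 0)
			_exit(1);
		if (write(pipefd[1], &byte, 1) != 1)
			_exit(1);
		close(pipefd[1]);
		pause();            /* wait until the parent kills us */
		_exit(0);
	}
	close(pipefd[1]);
	/* do not probe before the child has set its flag */
	if (read(pipefd[0], &byte, 1) != 1) {
		close(pipefd[0]);
		kill(pid, SIGKILL);
		waitpid(pid, NULL, 0);
		return -1;
	}
	close(pipefd[0]);
	result = probe_proc_environ(pid);
	kill(pid, SIGKILL);
	waitpid(pid, NULL, 0);
	return result;
}

int main(void)
{
	printf("dumpable child:     environ readable=%d\n", probe_child(0));
	printf("non-dumpable child: environ readable=%d\n", probe_child(1));
	return 0;
}
```

Run as an unprivileged user the first line reports 1 and the second 0. One caveat worth keeping in mind when reading the patch: the kernel sets the flag back to dumpable on execve() of an ordinary binary, so the prctl protects the helper's own process during nsexec, not whatever it later executes.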