author | Peter Korsgaard <peter@korsgaard.com> | 2019-02-12 14:15:04 +0100 |
---|---|---|
committer | Peter Korsgaard <peter@korsgaard.com> | 2019-02-12 20:04:14 +0100 |
commit | 6e3f7fbc072c88ab344f2ffa39e402464b566f19 (patch) | |
tree | 0952afe3de10b80f5692d649b75491304364543a /package/mongodb/0001-ssl_manager.cpp-fix-build-with-gcc-7-and-fpermissive.patch | |
parent | 11c55c94da9a51f0448a1ae869065736993e1787 (diff) | |
package/runc: add upstream security fix for CVE-2019-5736

The vulnerability allows a malicious container to (with minimal user
interaction) overwrite the host runc binary and thus gain root-level
code execution on the host. The level of user interaction is being able
to run any command (it doesn't matter if the command is not
attacker-controlled) as root within a container in either of these
contexts:

* Creating a new container using an attacker-controlled image.
* Attaching (docker exec) into an existing container which the
  attacker had previous write access to.

For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2019/02/11/2

The fix for this issue uses fexecve(3), which isn't available on uClibc, so
add a dependency on !uclibc to runc and propagate to the reverse
dependencies (containerd/docker-engine).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
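
The commit message says the fix relies on fexecve(3). The sketch below is an added example, not code from runc or Buildroot: it shows one way a program can re-execute itself through fexecve from a private in-memory copy, so that the bytes that run are no longer tied to the on-disk file. The memfd and file-seal steps, and the names `sealed_copy`, `is_sealed` and `ALL_SEALS`, are assumptions of this example (Linux with glibc 2.27 or later).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
extern char **environ;
/* Assumed hardening, not stated on the page: forbid any later change to the copy. */
#define ALL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* 1 if fd is a fully sealed memfd, 0 otherwise (F_GET_SEALS fails on regular files). */
int is_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & ALL_SEALS) == ALL_SEALS;
}

/* Copy the file at path into an anonymous memfd and seal it; returns the fd or -1. */
int sealed_copy(const char *path)
{
    char buf[65536];
    ssize_t n;
    int src = open(path, O_RDONLY | O_CLOEXEC);
    int dst = memfd_create("sealed-exe", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (src < 0 || dst < 0)
        goto fail;
    while ((n = read(src, buf, sizeof buf)) > 0)
        if (write(dst, buf, n) != n)   /* treat a short write as failure */
            goto fail;
    if (n < 0 || fcntl(dst, F_ADD_SEALS, ALL_SEALS) < 0)
        goto fail;
    close(src);
    return dst;
fail:
    close(src); close(dst);   /* close(-1) just fails with EBADF */
    return -1;
}

int main(int argc, char **argv)
{
    int self = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (self >= 0 && is_sealed(self)) {
        puts("running from a sealed in-memory copy");
        return 0;
    }
    int copy = sealed_copy("/proc/self/exe");
    if (copy >= 0)
        fexecve(copy, argv, environ);   /* returns only on failure */
    perror("sealed re-exec");
    return 1;
}
```

A C library without fexecve(3) cannot build this path at all, which is the reason the commit message gives for the !uclibc dependency.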