authorV3n3RiX <venerix@koprulu.sector>2022-05-12 16:42:50 +0300
committerV3n3RiX <venerix@koprulu.sector>2022-05-12 16:42:50 +0300
commit752d6256e5204b958b0ef7905675a940b5e9172f (patch)
tree330d16e6362a49cbed8875a777fe641a43376cd3 /app-containers/runc
parent0c100b7dd2b30e75b799d806df4ef899fd98e1ea (diff)
gentoo resync : 12.05.2022
Diffstat (limited to 'app-containers/runc')
-rw-r--r--app-containers/runc/Manifest1
-rw-r--r--app-containers/runc/files/CVE-2021-43784.patch86
2 files changed, 0 insertions, 87 deletions
diff --git a/app-containers/runc/Manifest b/app-containers/runc/Manifest
index 2126ba206b32..b0101c67c48c 100644
--- a/app-containers/runc/Manifest
+++ b/app-containers/runc/Manifest
@@ -1,4 +1,3 @@
-AUX CVE-2021-43784.patch 3305 BLAKE2B c6e16dd2793d99c2513c3bc047c9ccbd9870c15908078895e9e436b437dac55854105ccb0edf48588294125958fc9285637f839b6804cce9a7269fb5f85f4360 SHA512 584bc4e5e88275fa2c300965882697ca6afb6e0987bc1a888d96febbc47e56b17f346c595fe6e3933a29c143c000d574a64475de8779e4f7ef2d724d7be43589
DIST runc-1.0.3.tar.gz 2375241 BLAKE2B 0fb9368ab5442462001c15a67a71821133ad90d16cac5aac760e52b2477db69c0a5dd59df42601119b19ede508889796c994a24624f88ec6a1a29dad19e0bf33 SHA512 64a1894c2b4ed5a68b185e88548fc9fbbd01d8a9495feed59fb196aa06763d64cfb71ca6cbc09d1defa26a0d94ad58626296585741f23df2e290147ba6c4c26e
DIST runc-1.1.0.tar.gz 2332427 BLAKE2B 3a194221d0bab813249e23c5f725255e453ce6843c2cb7e1a40a3c6fdd90a1a805c18ebadf56ee5d535f253025716aae6ab3f437140a3cc69e854e750e205e0c SHA512 542ea87c488fd120f2b77e53e2c197f09cd504fbe55dbe47008aaa5b0565aa300fc49f8cadc24ead796e45a4e95a30dfb08bfeefa58dc370145a218fd2869e41
DIST runc-1.1.1.tar.gz 2332722 BLAKE2B d0abe624ddd17885bd25a5923e35ed760a7acaeb2ae7eefa18cdd28a2ecfc79a958d550eafac421b58865376620d7475338752df823e0f1b4a69be201fe4ea90 SHA512 baf622e7edae9b68d2fa255f02359d770489c7578be3c6379a5d939b4f1dfa697ec9eb4ef7dce252e64ee5225f76c06e45182a9b92b68a952e21e3f5f91450d0
diff --git a/app-containers/runc/files/CVE-2021-43784.patch b/app-containers/runc/files/CVE-2021-43784.patch
deleted file mode 100644
index ab3886ee9ba7..000000000000
--- a/app-containers/runc/files/CVE-2021-43784.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Thu, 18 Nov 2021 16:12:59 +1100
-Subject: [PATCH] runc init: avoid netlink message length overflows
-
-When writing netlink messages, it is possible to have a byte array
-larger than UINT16_MAX which would result in the length field
-overflowing and allowing user-controlled data to be parsed as control
-characters (such as creating custom mount points, changing which set of
-namespaces to allow, and so on).
-
-Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
----
- libcontainer/container_linux.go | 20 +++++++++++++++++++-
- libcontainer/message_linux.go | 9 +++++++++
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 6ce1854f68..1484703b0c 100644
---- a/libcontainer/container_linux.go
-+++ b/libcontainer/container_linux.go
-@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
- return data.Bytes(), nil
- }
-
-+// netlinkError is an error wrapper type for use by custom netlink message
-+// types. Panics with errors are wrapped in netlinkError so that the recover
-+// in bootstrapData can distinguish intentional panics.
-+type netlinkError struct{ error }
-+
- // bootstrapData encodes the necessary data in netlink binary format
- // as a io.Reader.
- // Consumer can write the data to a bootstrap program
- // such as one that uses nsenter package to bootstrap the container's
- // init process correctly, i.e. with correct namespaces, uid/gid
- // mapping etc.
--func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
-+func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
- // create the netlink message
- r := nl.NewNetlinkRequest(int(InitMsg), 0)
-
-+ // Our custom messages cannot bubble up an error using returns, instead
-+ // they will panic with the specific error type, netlinkError. In that
-+ // case, recover from the panic and return that as an error.
-+ defer func() {
-+ if r := recover(); r != nil {
-+ if e, ok := r.(netlinkError); ok {
-+ Err = e.error
-+ } else {
-+ panic(r)
-+ }
-+ }
-+ }()
-+
- // write cloneFlags
- r.AddData(&Int32msg{
- Type: CloneFlagsAttr,
-diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go
-index 1d4f5033aa..e4107ce39f 100644
---- a/libcontainer/message_linux.go
-+++ b/libcontainer/message_linux.go
-@@ -3,6 +3,9 @@
- package libcontainer
-
- import (
-+ "fmt"
-+ "math"
-+
- "github.com/vishvananda/netlink/nl"
- "golang.org/x/sys/unix"
- )
-@@ -54,6 +57,12 @@ type Bytemsg struct {
-
- func (msg *Bytemsg) Serialize() []byte {
- l := msg.Len()
-+ if l > math.MaxUint16 {
-+ // We cannot return nil nor an error here, so we panic with
-+ // a specific type instead, which is handled via recover in
-+ // bootstrapData.
-+ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
-+ }
- buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
- native := nl.NativeEndian()
- native.PutUint16(buf[0:2], uint16(l))