On 31 January 2017 at 20:46, Tianon Gravi <tia...@debian.org> wrote:
> I'm preparing a patch for the package now, but I'm curious what the
> implications of an upload will be so close to the freeze -- do we need
> to request a freeze exception or a migration adjustment after the
> updated package is up? Should I hold off on uploading? (would rather
> not lose "runc" from stretch)
CVE fix backported for v0.1.1 is attached (applies cleanly in the current packaging when added to "debian/patches/series"). Happy to do the actual upload if I can get some guidance on how to make sure it's done properly WRT freeze (or just as happy to leave it to someone else). O:)

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
Description: set "runc exec" processes as non-dumpable (CVE-2016-9962) Origin: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 (backported to v0.1.1) Author: Tianon Gravi <tia...@debian.org> Forwarded: not-needed Applied-Upstream: > 1.0.0-rc2 diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c index 8f37d6c..3c74c63 100644 --- a/libcontainer/nsenter/nsexec.c +++ b/libcontainer/nsenter/nsexec.c @@ -364,6 +364,12 @@ void nsexec(void) return; } + /* make the process non-dumpable */ + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { + pr_perror("Failed to set process as non-dumpable"); + exit(1); + } + // Retrieve the netlink header struct nlmsghdr nl_msg_hdr; int len;
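Review bot: the added block in the nsexec() hunk documents what it does but not why, so a later cleanup could drop it as unexplained; extend the comment to carry the reason and the CVE, e.g. `/* make the process non-dumpable (CVE-2016-9962): a non-dumpable process cannot be ptrace()d or have its /proc/<pid> entries read by unprivileged processes in the target container */`. Placing the prctl() call right after the early `return;` and before the netlink header is read is the right spot, since it runs before any namespace or credential change in the rest of nsexec(); one thing to confirm outside this hunk is that no later code in nsexec.c changes effective UID/GID or execs a set-uid binary, because the kernel resets the dumpable flag on those events and the protection would have to be re-applied there.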