From: Danny Milosavljevic
To: Leo Famulari
Cc: 34446@debbugs.gnu.org
Subject: [bug#34446] Runc container escape patches CVE-2019-5736
Date: Tue, 12 Feb 2019 01:10:34 +0100
Message-ID: <20190212011034.1dd00e4c@scratchpost.org>
In-Reply-To: <20190211233708.GA2509@jasmine.lan>

Hi Leo,

as originally released by upstream, Docker looks up auxiliary commands in PATH, using a Go function called "LookPath".

Our package definition patches a lot of the specific LookPath calls to refer to inputs by absolute path.

I've booby-trapped the remaining LookPath calls so we won't accidentally have an internal tool looked up in $PATH.

If we have not forgotten any LookPath calls, there should have been no remaining LookPath calls and it would not have failed the build.

> .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
> .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'

Please examine line 90. It probably has a LookPath line with a new argument we haven't seen before.

That means we'd have to find out which Guix package has an executable named like the argument and add a case to the existing LookPath substituter in order to also substitute it.
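The substitution scheme this message describes, sketched in Go as an added example; it is not the Guix package definition, which this message does not show. `PinLookPath`, `Sample` and the store path are hypothetical names and placeholders; only `exec.LookPath` and `exec.Guix_doesnt_want_LookPath` come from the message.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var literalCall = regexp.MustCompile(`\bexec\.LookPath\("([^"]+)"\)`)
var anyCall = regexp.MustCompile(`\bexec\.LookPath\b`)

// Trap is the deliberately undefined identifier quoted in the build error above.
const Trap = "exec.Guix_doesnt_want_LookPath"

// PinLookPath rewrites src. A call whose literal argument is a key of inputs
// becomes a constant absolute path; every other call is renamed to Trap so the
// compiler rejects it. It returns the new source and the trapped line numbers.
func PinLookPath(src string, inputs map[string]string) (string, []int) {
	var trapped []int
	lines := strings.Split(src, "\n")
	for i, line := range lines {
		line = literalCall.ReplaceAllStringFunc(line, func(call string) string {
			name := literalCall.FindStringSubmatch(call)[1]
			if abs, ok := inputs[name]; ok {
				// LookPath returns (string, error); keep that shape.
				return fmt.Sprintf("%q, error(nil)", abs)
			}
			return call // unknown tool: left for the trap below
		})
		if anyCall.MatchString(line) {
			line = anyCall.ReplaceAllString(line, Trap)
			trapped = append(trapped, i+1)
		}
		lines[i] = line
	}
	return strings.Join(lines, "\n"), trapped
}

// Sample is constructed input, not a file from Docker or libnetwork.
const Sample = `path, err := exec.LookPath("iptables")
probe, err := exec.LookPath("modprobe")
tool, err := exec.LookPath(name)`

func main() {
	// The store path is a placeholder, not a real Guix store item.
	out, trapped := PinLookPath(Sample, map[string]string{
		"iptables": "/gnu/store/PLACEHOLDER-iptables/sbin/iptables"})
	fmt.Println(out)
	fmt.Println("calls left for the compiler to reject, by line:", trapped)
}
```

A trapped line is the signal to add another name-to-path entry, or to review a call whose argument is not a string literal.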