From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#34446: Runc container escape patches CVE-2019-5736
Resent-To: guix-patches@gnu.org
Date: Tue, 12 Feb 2019 12:56:31 -0500
From: Leo Famulari
To: Danny Milosavljevic
Cc: 34446-done@debbugs.gnu.org
Message-ID: <20190212175631.GA14638@jasmine.lan>
In-Reply-To: <20190212011034.1dd00e4c@scratchpost.org>
References: <20190211233708.GA2509@jasmine.lan> <20190212011034.1dd00e4c@scratchpost.org>

On Tue, Feb 12, 2019 at 01:10:34AM +0100, Danny Milosavljevic wrote:
> as originally released by upstream, Docker looks up auxiliary commands in PATH,
> using a Go function called "LookPath".
>
> Our package definition patches a lot of the specific LookPath calls to
> refer to inputs by absolute path.
>
> I've booby-trapped the remaining LookPath calls so we won't accidentally
> have an internal tool looked up in $PATH.
>
> If we have not forgotten any LookPath calls, there should have been no remaining
> LookPath calls and it would not have failed the build.

Thanks for explaining this :)

> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'
>
> Please examine line 90. It probably has a LookPath line with a new argument we
> haven't seen before.

Okay, they added a lookup for 'iptables-legacy', which is what Debian has
renamed iptables. I changed this to just look up 'iptables' since it's
equivalent on our end and in how the Docker code uses it, and pushed as
ea7cddaac782b2cdc789a354e172356ed5c183e7.

Thanks again for your help!
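The audit Danny describes (listing every exec.LookPath call that would still resolve a helper through $PATH, so each one can be patched to an absolute input path or booby-trapped) as an added example in Go; this is not code from the thread, Guix or Docker, and the source it parses is a constructed stand-in for the vendored libnetwork iptables.go, not the real file:

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
)

// FindLookPathCalls parses Go source and maps the line of every exec.LookPath(...)
// call to the helper it looks up ("<non-literal>" when the name is not a constant).
func FindLookPathCalls(filename, src string) (map[int]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	calls := map[int]string{}
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr) // textual match, so an aliased "os/exec" import is missed
		if !ok || types.ExprString(call.Fun) != "exec.LookPath" {
			return true
		}
		arg := "<non-literal>"
		if len(call.Args) == 1 {
			if lit, ok := call.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
				arg, _ = strconv.Unquote(lit.Value) // the parser already validated the literal
			}
		}
		calls[fset.Position(call.Pos()).Line] = arg
		return true
	})
	return calls, nil
}

// sample is a constructed stand-in for the vendored libnetwork iptables.go, not the real file.
const sample = `package iptables
import "os/exec"
func initCheck(fallback string) (string, error) {
	if p, err := exec.LookPath("iptables-legacy"); err == nil { // Debian's renamed iptables
		return p, nil
	}
	return exec.LookPath(fallback) // helper name held in a variable, not a constant
}`
func main() {
	calls, err := FindLookPathCalls("iptables.go", sample)
	fmt.Println(calls, err) // map[4:iptables-legacy 7:<non-literal>] <nil>
}
```

Like the sed-style booby trap in the package definition, it matches the call text rather than resolved types, so a call through an aliased import would need a separate check.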