From unknown Sun Jun 15 08:50:02 2025
Subject: [bug#34446] Runc container escape patches CVE-2019-5736
From: Leo Famulari
To: guix-patches@gnu.org
Date: Mon, 11 Feb 2019 18:37:08 -0500
Message-ID: <20190211233708.GA2509@jasmine.lan>

These patches aim to fix CVE-2019-5736 in runc / Docker:

https://seclists.org/oss-sec/2019/q1/119

However, after applying these patches, Docker fails to build as shown below.
Runc, docker-cli, and containerd still build.

Please help :)

------
phase `setup-environment' succeeded after 0.0 seconds
starting phase `build'
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#
Removing bundles/
---> Making bundle: dynbinary (in bundles/dynbinary)
Building: bundles/dynbinary-daemon/dockerd-dev
# github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables
.gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
.gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'
Backtrace:
           4 (primitive-load "/gnu/store/n5jmx2wksfvcrwlpv2zafd5hany…")
In ice-9/eval.scm:
    191:35  3 (_ _)
In srfi/srfi-1.scm:
    863:16  2 (every1 # …)
In /gnu/store/rkv7z31csb2xandzhnvm5kc0i78pf0ay-module-import/guix/build/gnu-build-system.scm:
    799:28  1 (_ _)
In /gnu/store/rkv7z31csb2xandzhnvm5kc0i78pf0ay-module-import/guix/build/utils.scm:
     616:6  0 (invoke _ . _)
/gnu/store/rkv7z31csb2xandzhnvm5kc0i78pf0ay-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#)'.
builder for `/gnu/store/ihdm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv' failed with exit code 1
build of /gnu/store/ihdm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv failed
View build log at '/var/log/guix/drvs/ih/dm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv.bz2'.
guix build: error: build of `/gnu/store/ihdm0nlw118mrb8wq127864g9pgrmghk-docker-18.09.2.drv' failed
------

From unknown Sun Jun 15 08:50:02 2025
Subject: [bug#34446] Runc container escape patches CVE-2019-5736
From: Danny Milosavljevic
To: Leo Famulari
Cc: 34446@debbugs.gnu.org
Date: Tue, 12 Feb 2019 01:10:34 +0100
Message-ID: <20190212011034.1dd00e4c@scratchpost.org>
In-Reply-To: <20190211233708.GA2509@jasmine.lan>

Hi Leo,

as originally released by upstream, Docker looks up auxiliary commands in PATH,
using a Go function called "LookPath".  Our package definition patches a lot of
the specific LookPath calls to refer to inputs by absolute path.

I've booby-trapped the remaining LookPath calls so we won't accidentally have
an internal tool looked up in $PATH.

If we have not forgotten any LookPath calls, there should have been no remaining
LookPath calls and it would not have failed the build.

> .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
> .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'

Please examine line 90.  It probably has a LookPath line with a new argument we
haven't seen before.

That means we'd have to find out which Guix package has an executable named like
the argument and add a case to the existing LookPath substituter in order to
also substitute it.
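The audit Danny describes above (find every remaining LookPath call, pin the literal ones to an input, and notice the ones a textual substituter cannot see), as an added example that is not code from Guix, Docker or anyone in this thread. It is a Go program built on the standard go/ast package: it lists each `exec.LookPath` call site in a file with its line number and literal argument, honours a renamed `os/exec` import, and reports which calls a tool-name to absolute-path table leaves unpinned. The sample source, the tool names and the store path in it are constructed for the example; the real Docker iptables.go is not reproduced.

```go
// Added example (not Guix or Docker code): list every exec.LookPath call site in a
// Go file and report which ones a tool-name -> absolute-path table leaves unpinned.
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// LookPathCall is one call of exec.LookPath found in a source file.
type LookPathCall struct {
	File    string
	Line    int
	Arg     string // the literal argument; empty when it is not a string literal
	Literal bool
}

// FindLookPathCalls parses src and returns each call of <pkg>.LookPath, where pkg is
// the name the file imports "os/exec" under (a renamed import is honoured).
func FindLookPathCalls(filename, src string) ([]LookPathCall, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	execPkg := "" // stays empty when os/exec is not imported, so nothing can match
	for _, imp := range f.Imports {
		if strings.Trim(imp.Path.Value, `"`) == "os/exec" {
			execPkg = "exec"
			if imp.Name != nil {
				execPkg = imp.Name.Name
			}
		}
	}
	var calls []LookPathCall
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "LookPath" {
			return true
		}
		if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != execPkg {
			return true
		}
		c := LookPathCall{File: filename, Line: fset.Position(call.Pos()).Line}
		if len(call.Args) == 1 {
			if lit, ok := call.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
				c.Arg, c.Literal = strings.Trim(lit.Value, "\"`"), true
			}
		}
		calls = append(calls, c)
		return true
	})
	return calls, nil
}

// Unpinned returns the calls pinned does not cover: literal names with no entry and
// every non-literal argument, which a substituter keyed on the literal cannot rewrite.
func Unpinned(calls []LookPathCall, pinned map[string]string) []LookPathCall {
	var left []LookPathCall
	for _, c := range calls {
		if _, ok := pinned[c.Arg]; !c.Literal || !ok {
			left = append(left, c)
		}
	}
	return left
}

// SampleSource is a constructed stand-in for a vendored file, not Docker's iptables.go.
const SampleSource = `package iptables
import "os/exec"
func initCheck() (err error) {
	_, err = exec.LookPath("iptables")  // literal, pinned below
	_, err = exec.LookPath("ip6tables") // literal, no input provides it
	name := "iptables-restore"
	_, err = exec.LookPath(name) // not a literal: invisible to a textual substituter
	return err
}
`
// SamplePinned stands in for the package inputs; the store path is made up.
var SamplePinned = map[string]string{"iptables": "/gnu/store/example-iptables/sbin/iptables"}

func main() {
	calls, err := FindLookPathCalls("iptables.go", SampleSource)
	if err != nil {
		panic(err)
	}
	for _, c := range Unpinned(calls, SamplePinned) {
		fmt.Printf("%s:%d: exec.LookPath(%q) literal=%v resolves through $PATH\n", c.File, c.Line, c.Arg, c.Literal)
	}
}
```

On the constructed sample this prints the ip6tables call (a literal with no input) and the iptables-restore call (not a literal), which are the two kinds of site a booby-trapped build turns into a compile error. To audit a real tree, feed each vendored file's contents to FindLookPathCalls and the package's inputs to Unpinned; every call it reports needs a hand-written substitution and, as Danny notes, possibly a new input.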
From unknown Sun Jun 15 08:50:02 2025
Subject: [bug#34446] Runc container escape patches CVE-2019-5736
From: Danny Milosavljevic
To: Leo Famulari
Cc: 34446@debbugs.gnu.org
Date: Tue, 12 Feb 2019 01:13:55 +0100
Message-ID: <20190212011355.41f1e853@scratchpost.org>
In-Reply-To: <20190212011034.1dd00e4c@scratchpost.org>

> That means we'd have to find out which Guix package has an executable named like
> the argument and add a case to the existing LookPath substituter in order to
> also substitute it.

and add an input to the "docker" package if necessary.

From unknown Sun Jun 15 08:50:02 2025
Subject: [bug#34446] [PATCH 2/2] gnu: Docker: Update to 18.09.2.
From: Leo Famulari
To: 34446@debbugs.gnu.org
Date: Mon, 11 Feb 2019 19:27:36 -0500
In-Reply-To: <61ed83d852124caae74fd8cd53a9c375ee3ac80d.1549931256.git.leo@famulari.name>
X-Mailer: git-send-email 2.20.1

* gnu/packages/docker.scm (%docker-version): Update to 18.09.2.
(docker, docker-cli): Adjust accordingly.
---
 gnu/packages/docker.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
index 992eb0dcc1..5a400e6490 100644
--- a/gnu/packages/docker.scm
+++ b/gnu/packages/docker.scm
@@ -43,7 +43,7 @@ #:use-module (gnu packages version-control) #:use-module (gnu packages virtualization)) -(define %docker-version "18.09.0") +(define %docker-version "18.09.2") (define-public python-docker-py (package @@ -241,7 +241,7 @@ network attachments.") (file-name (git-file-name name version)) (sha256 (base32 - "1liqbx58grqih6m8hz9y20y5waflv19pv15l3wl64skap2bsn21c")) + "1zfpk2n8j6gnwbrxrh6d6pj24y60dhbanpf55shrm2yxz54ka36c")) (patches (search-patches "docker-engine-test-noinstall.patch" "docker-fix-tests.patch")))) 
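Review bot: as posted, this bump leaves the docker package unbuildable: the log in the opening message shows docker-18.09.2 failing at vendor/github.com/docker/libnetwork/iptables/iptables.go:90 with `undefined: exec.Guix_doesnt_want_LookPath` and `invalid character U+005C '\'`, i.e. the new source contains an exec.LookPath call site that the package's substituter does not rewrite, and whatever now sits at column 45 of that line is a backslash Go's lexer rejects. The version and hash change in this hunk should go in together with the new substituter case and, if it is a new tool, the input that provides it, so the series builds at every commit. A one-line rationale in the commit message for why 18.09.2 belongs in the CVE-2019-5736 series, as the runc patch's subject gives, would also help.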
@@ -483,7 +483,7 @@ provisioning etc.") (file-name (git-file-name name version)) (sha256 (base32 - "1ivisys20kphvbqlazc3bsg7pk0ykj9gjx5d4yg439x4n13jxwvb")))) + "0jzcqh1kqbfyj6ax7z67gihaqgjiz6ddz6rq6k458l68v7zn77r8")))) (build-system go-build-system) (arguments `(#:import-path "github.com/docker/cli"
-- 
2.20.1

From unknown Sun Jun 15 08:50:02 2025
Subject: [bug#34446] [PATCH 1/2] gnu: runc: Update to 1.0.0-rc6 [fixes CVE-2019-5736].
From: Leo Famulari
To: 34446@debbugs.gnu.org
Date: Mon, 11 Feb 2019 19:27:35 -0500
Message-Id: <61ed83d852124caae74fd8cd53a9c375ee3ac80d.1549931256.git.leo@famulari.name>
In-Reply-To: <20190211233708.GA2509@jasmine.lan>
X-Mailer: git-send-email 2.20.1

* gnu/packages/virtualization.scm (runc): Update to 1.0.0-rc6.
[source]: Use a descriptive file-name. Add 'runc-CVE-2019-5736.patch'
* gnu/packages/patches/runc-CVE-2019-5736.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/patches/runc-CVE-2019-5736.patch | 343 ++++++++++++++++++
 gnu/packages/virtualization.scm               |   6 +-
 3 files changed, 348 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/runc-CVE-2019-5736.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3bb60d3ade..5fbd02e120 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1205,6 +1205,7 @@ dist_patch_DATA = \ %D%/packages/patches/ruby-concurrent-test-arm.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ + %D%/packages/patches/runc-CVE-2019-5736.patch \ %D%/packages/patches/rust-1.19-mrustc.patch \ %D%/packages/patches/rust-1.25-accept-more-detailed-gdb-lines.patch \ %D%/packages/patches/rust-bootstrap-stage0-test.patch \
diff --git a/gnu/packages/patches/runc-CVE-2019-5736.patch b/gnu/packages/patches/runc-CVE-2019-5736.patch
new file mode 100644
index 0000000000..f629fcbfb4
--- /dev/null
+++ b/gnu/packages/patches/runc-CVE-2019-5736.patch
@@ -0,0 +1,343 @@ +Fix CVE-2019-5736: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736 +https://seclists.org/oss-sec/2019/q1/119 + +Patch copied from upstream source repository: + +https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b + +From 0a8e4117e7f715d5fbeef398405813ce8e88558b Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Wed, 9 Jan 2019 13:40:01 +1100 +Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary + to container + +There are quite a few circumstances where /proc/self/exe pointing to a +pretty important container binary is a _bad_ thing, so to avoid this we +have to make a copy (preferably doing self-clean-up and not being +writeable). + +We require memfd_create(2) -- though there is an O_TMPFILE fallback -- +but we can always extend this to use a scratch MNT_DETACH overlayfs or +tmpfs. The main downside to this approach is no page-cache sharing for +the runc binary (which overlayfs would give us) but this is far less +complicated. + +This is only done during nsenter so that it happens transparently to the +Go code, and any libcontainer users benefit from it. This also makes +ExtraFiles and --preserve-fds handling trivial (because we don't need to +worry about it). 
+ +Fixes: CVE-2019-5736 +Co-developed-by: Christian Brauner +Signed-off-by: Aleksa Sarai +--- + libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++ + libcontainer/nsenter/nsexec.c | 11 ++ + 2 files changed, 279 insertions(+) + create mode 100644 libcontainer/nsenter/cloned_binary.c + +diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c +new file mode 100644 +index 000000000..c8a42c23f +--- /dev/null ++++ b/libcontainer/nsenter/cloned_binary.c +@@ -0,0 +1,268 @@ ++/* ++ * Copyright (C) 2019 Aleksa Sarai ++ * Copyright (C) 2019 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Use our own wrapper for memfd_create. */ ++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) ++# define SYS_memfd_create __NR_memfd_create ++#endif ++#ifdef SYS_memfd_create ++# define HAVE_MEMFD_CREATE ++/* memfd_create(2) flags -- copied from . */ ++# ifndef MFD_CLOEXEC ++# define MFD_CLOEXEC 0x0001U ++# define MFD_ALLOW_SEALING 0x0002U ++# endif ++int memfd_create(const char *name, unsigned int flags) ++{ ++ return syscall(SYS_memfd_create, name, flags); ++} ++#endif ++ ++/* This comes directly from . 
*/ ++#ifndef F_LINUX_SPECIFIC_BASE ++# define F_LINUX_SPECIFIC_BASE 1024 ++#endif ++#ifndef F_ADD_SEALS ++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) ++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) ++#endif ++#ifndef F_SEAL_SEAL ++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ ++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ ++# define F_SEAL_GROW 0x0004 /* prevent file from growing */ ++# define F_SEAL_WRITE 0x0008 /* prevent writes */ ++#endif ++ ++#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */ ++#ifdef HAVE_MEMFD_CREATE ++# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe" ++# define RUNC_MEMFD_SEALS \ ++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) ++#endif ++ ++static void *must_realloc(void *ptr, size_t size) ++{ ++ void *old = ptr; ++ do { ++ ptr = realloc(old, size); ++ } while(!ptr); ++ return ptr; ++} ++ ++/* ++ * Verify whether we are currently in a self-cloned program (namely, is ++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather ++ * for shmem files), and we want to be sure it's actually sealed. ++ */ ++static int is_self_cloned(void) ++{ ++ int fd, ret, is_cloned = 0; ++ ++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); ++ if (fd < 0) ++ return -ENOTRECOVERABLE; ++ ++#ifdef HAVE_MEMFD_CREATE ++ ret = fcntl(fd, F_GET_SEALS); ++ is_cloned = (ret == RUNC_MEMFD_SEALS); ++#else ++ struct stat statbuf = {0}; ++ ret = fstat(fd, &statbuf); ++ if (ret >= 0) ++ is_cloned = (statbuf.st_nlink == 0); ++#endif ++ close(fd); ++ return is_cloned; ++} ++ ++/* ++ * Basic wrapper around mmap(2) that gives you the file length so you can ++ * safely treat it as an ordinary buffer. Only gives you read access. 
++ */ ++static char *read_file(char *path, size_t *length) ++{ ++ int fd; ++ char buf[4096], *copy = NULL; ++ ++ if (!length) ++ return NULL; ++ ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return NULL; ++ ++ *length = 0; ++ for (;;) { ++ int n; ++ ++ n = read(fd, buf, sizeof(buf)); ++ if (n < 0) ++ goto error; ++ if (!n) ++ break; ++ ++ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); ++ memcpy(copy + *length, buf, n); ++ *length += n; ++ } ++ close(fd); ++ return copy; ++ ++error: ++ close(fd); ++ free(copy); ++ return NULL; ++} ++ ++/* ++ * A poor-man's version of "xargs -0". Basically parses a given block of ++ * NUL-delimited data, within the given length and adds a pointer to each entry ++ * to the array of pointers. ++ */ ++static int parse_xargs(char *data, int data_length, char ***output) ++{ ++ int num = 0; ++ char *cur = data; ++ ++ if (!data || *output != NULL) ++ return -1; ++ ++ while (cur < data + data_length) { ++ num++; ++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); ++ (*output)[num - 1] = cur; ++ cur += strlen(cur) + 1; ++ } ++ (*output)[num] = NULL; ++ return num; ++} ++ ++/* ++ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. ++ * This is necessary because we are running in a context where we don't have a ++ * main() that we can just get the arguments from. 
++ */ ++static int fetchve(char ***argv, char ***envp) ++{ ++ char *cmdline = NULL, *environ = NULL; ++ size_t cmdline_size, environ_size; ++ ++ cmdline = read_file("/proc/self/cmdline", &cmdline_size); ++ if (!cmdline) ++ goto error; ++ environ = read_file("/proc/self/environ", &environ_size); ++ if (!environ) ++ goto error; ++ ++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) ++ goto error; ++ if (parse_xargs(environ, environ_size, envp) <= 0) ++ goto error; ++ ++ return 0; ++ ++error: ++ free(environ); ++ free(cmdline); ++ return -EINVAL; ++} ++ ++static int clone_binary(void) ++{ ++ int binfd, memfd; ++ ssize_t sent = 0; ++ ++#ifdef HAVE_MEMFD_CREATE ++ memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); ++#else ++ memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711); ++#endif ++ if (memfd < 0) ++ return -ENOTRECOVERABLE; ++ ++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (binfd < 0) ++ goto error; ++ ++ sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX); ++ close(binfd); ++ if (sent < 0) ++ goto error; ++ ++#ifdef HAVE_MEMFD_CREATE ++ int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS); ++ if (err < 0) ++ goto error; ++#else ++ /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */ ++ int newfd; ++ char *fdpath = NULL; ++ ++ if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0) ++ goto error; ++ newfd = open(fdpath, O_RDONLY | O_CLOEXEC); ++ free(fdpath); ++ if (newfd < 0) ++ goto error; ++ ++ close(memfd); ++ memfd = newfd; ++#endif ++ return memfd; ++ ++error: ++ close(memfd); ++ return -EIO; ++} ++ ++int ensure_cloned_binary(void) ++{ ++ int execfd; ++ char **argv = NULL, **envp = NULL; ++ ++ /* Check that we're not self-cloned, and if we are then bail. 
*/ ++ int cloned = is_self_cloned(); ++ if (cloned > 0 || cloned == -ENOTRECOVERABLE) ++ return cloned; ++ ++ if (fetchve(&argv, &envp) < 0) ++ return -EINVAL; ++ ++ execfd = clone_binary(); ++ if (execfd < 0) ++ return -EIO; ++ ++ fexecve(execfd, argv, envp); ++ return -ENOEXEC; ++} +diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c +index 28269dfc0..7750af35e 100644 +--- a/libcontainer/nsenter/nsexec.c ++++ b/libcontainer/nsenter/nsexec.c +@@ -534,6 +534,9 @@ void join_namespaces(char *nslist) + free(namespaces); + } + ++/* Defined in cloned_binary.c. */ ++extern int ensure_cloned_binary(void); ++ + void nsexec(void) + { + int pipenum; +@@ -549,6 +552,14 @@ void nsexec(void) + if (pipenum == -1) + return; + ++ /* ++ * We need to re-exec if we are not in a cloned binary. This is necessary ++ * to ensure that containers won't be able to access the host binary ++ * through /proc/self/exe. See CVE-2019-5736. ++ */ ++ if (ensure_cloned_binary() < 0) ++ bail("could not ensure we are a cloned binary"); ++ + /* Parse all of the netlink configuration. */ + nl_parse(pipenum, &config); + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index f5e4540329..8a5af2e8ea 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm 
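Review bot: in the cloned_binary.c hunk, parse_xargs() advances with cur += strlen(cur) + 1 and so relies on data[data_length - 1] being '\0', but read_file() hands it the raw bytes of /proc/self/cmdline and /proc/self/environ with no terminator appended; if the last entry ever arrives without its trailing NUL, strlen() reads past the must_realloc() buffer. Add a guard at the top of parse_xargs(), for example `if (data_length <= 0 || data[data_length - 1] != '\0') return -1;`, or have read_file() append an uncounted NUL. Two smaller points in the same hunk: clone_binary() makes a single sendfile() call and only tests sent < 0, so a short transfer leaves a truncated copy for fexecve() to reject; looping until sendfile() returns 0 (or comparing sent with fstat() on binfd) would make that explicit. And the non-memfd fallback creates the copy with O_TMPFILE under /tmp, which fails at fexecve() when /tmp is mounted noexec, an assumption that deserves a comment. Types: read() and the lengths are ssize_t/size_t, but n in read_file() and data_length in parse_xargs() are int.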
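Review bot: in the nsexec() hunk the placement of the ensure_cloned_binary() call matters and the comment should say why: it sits after the pipenum check (a missing init pipe still returns early without re-exec) but before nl_parse() or any other side effect, because on the first pass fexecve() replaces the process and everything above this call executes a second time in the clone, while on the second pass is_self_cloned() returns > 0 and the call falls through. That also means bail("could not ensure we are a cloned binary") is reached only when fetchve(), clone_binary() or fexecve() failed, never for an already-cloned process, which is worth stating since -EINVAL, -EIO and -ENOEXEC are all collapsed into that one message.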
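Review bot: in the gnu/packages/virtualization.scm hunk, (patches (search-patches "runc-CVE-2019-5736.patch")) only works if the patch file is also registered in gnu/local.mk; no gnu/local.mk hunk appears in the excerpt shown here, so confirm it is part of the series before pushing. The new (file-name ...) field is needed rather than optional: the uri ends in a bare "/runc.tar.xz", so without it the source store item would carry no version.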
@@ -847,15 +847,17 @@ monitor/GPU.") (define-public runc (package (name "runc") - (version "1.0.0-rc5") + (version "1.0.0-rc6") (source (origin (method url-fetch) (uri (string-append "https://github.com/opencontainers/runc/releases/" "download/v" version "/runc.tar.xz")) + (file-name (string-append name "-" version ".tar.xz")) + (patches (search-patches "runc-CVE-2019-5736.patch")) (sha256 (base32 - "081avdzwnqpk368wbaihlzsypaxpj42d7699h7jgp0fks14x4103")))) + "1c7832dq70slkjh8qp2civ1wxhhdd2hrx84pq7db1mmqc9fdr3cc")))) (build-system go-build-system) (arguments '(#:import-path "github.com/opencontainers/runc" -- 2.20.1

From unknown Sun Jun 15 08:50:02 2025
Subject: [bug#34446] [PATCH 1/2] gnu: runc: Update to 1.0.0-rc6 [fixes CVE-2019-5736].
Resent-From: Danny Milosavljevic
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 12 Feb 2019 00:46:01 +0000
To: Leo Famulari
Cc: 34446@debbugs.gnu.org
Date: Tue, 12 Feb 2019 01:45:01 +0100
From: Danny Milosavljevic
Message-ID: <20190212014501.31dcb6a8@scratchpost.org>
In-Reply-To: <61ed83d852124caae74fd8cd53a9c375ee3ac80d.1549931256.git.leo@famulari.name>
References: <20190211233708.GA2509@jasmine.lan> <61ed83d852124caae74fd8cd53a9c375ee3ac80d.1549931256.git.leo@famulari.name>

On Mon, 11 Feb 2019 19:27:35 -0500 Leo Famulari wrote:

> (define-public runc
> (package
> (name "runc")
> - (version "1.0.0-rc5")
> + (version "1.0.0-rc6")
> (source (origin
> (method url-fetch)
> (uri (string-append
> "https://github.com/opencontainers/runc/releases/"
> "download/v" version "/runc.tar.xz"))
> + (file-name (string-append name "-" version ".tar.xz"))
> + (patches (search-patches "runc-CVE-2019-5736.patch"))
> (sha256
> (base32
> - "081avdzwnqpk368wbaihlzsypaxpj42d7699h7jgp0fks14x4103"))))
> + "1c7832dq70slkjh8qp2civ1wxhhdd2hrx84pq7db1mmqc9fdr3cc"))))
> (build-system go-build-system)
> (arguments
> '(#:import-path "github.com/opencontainers/runc"

Docker still contains some vendored dependencies, among those
github.com/opencontainers/runc, in directory "vendor", and so does
containerd.  It might make sense to also remove them now.
From unknown Sun Jun 15 08:50:02 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#34446: closed (Re: [bug#34446] Runc container escape patches CVE-2019-5736)
References: <20190212175631.GA14638@jasmine.lan> <20190211233708.GA2509@jasmine.lan>
Reply-To: 34446@debbugs.gnu.org
Date: Tue, 12 Feb 2019 17:57:03 +0000

Your bug report

#34446: Runc container escape patches CVE-2019-5736

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 34446@debbugs.gnu.org.

-- 
34446: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34446
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Date: Tue, 12 Feb 2019 12:56:31 -0500
From: Leo Famulari
To: Danny Milosavljevic
Subject: Re: [bug#34446] Runc container escape patches CVE-2019-5736
Message-ID: <20190212175631.GA14638@jasmine.lan>
References: <20190211233708.GA2509@jasmine.lan> <20190212011034.1dd00e4c@scratchpost.org>
In-Reply-To: <20190212011034.1dd00e4c@scratchpost.org>
Cc: 34446-done@debbugs.gnu.org

On Tue, Feb 12, 2019 at 01:10:34AM +0100, Danny Milosavljevic wrote:
> as originally released by upstream, Docker looks up auxiliary commands in PATH,
> using a Go function called "LookPath".
>
> Our package definition patches a lot of the specific LookPath calls to
> refer to inputs by absolute path.
>
> I've booby-trapped the remaining LookPath calls so we won't accidentally
> have an internal tool looked up in $PATH.
>
> If we have not forgotten any LookPath calls, there should have been no remaining
> LookPath calls and it would not have failed the build.

Thanks for explaining this :)

> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'
>
> Please examine line 90.  It probably has a LookPath line with a new argument we
> haven't seen before.

Okay, they added a lookup for 'iptables-legacy' which is what Debian has
renamed iptables. I changed this to just look up 'iptables' since it's
equivalent on our end and in how the Docker code uses it and pushed as
ea7cddaac782b2cdc789a354e172356ed5c183e7.

Thanks again for your help!
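The fail-closed rewrite Danny describes above (replace every LookPath call you know about with an absolute path, and booby-trap whatever is left so the build fails rather than resolving a helper through $PATH at run time), as an added example in Python. This is not the Guix docker package's own code, which does the equivalent with substitute* in Scheme; the tool-path table, the /gnu/store paths and the sample Go source are constructed for the example, and the poison identifier is the one visible in the build log above.

```python
"""Fail-closed rewriting of Go exec.LookPath calls (added example).

A root daemon that calls exec.LookPath("iptables") will run whatever
"iptables" sits first in $PATH.  The packager's rule here is: pin the
names we know to absolute paths at build time, and turn every remaining
LookPath into a compile error so a forgotten call cannot ship.
"""
import re

# Constructed store paths; a real Guix build takes these from the inputs.
TOOL_PATHS = {
    "iptables": "/gnu/store/EXAMPLE-iptables-1.8.2/sbin/iptables",
    "xz": "/gnu/store/EXAMPLE-xz-5.2.4/bin/xz",
}

# Only calls with a string-literal argument can be resolved at build time.
LOOKPATH_CALL = re.compile(r'exec\.LookPath\("([^"]+)"\)')

# Poison for whatever is left: an identifier os/exec does not export plus a
# stray backslash, i.e. the "undefined: exec.Guix_doesnt_want_LookPath" and
# "invalid character U+005C" pair the Docker build printed above.
POISON = "exec.Guix_doesnt_want_LookPath\\"

# Constructed Go source standing in for the vendored libnetwork code.
SAMPLE_GO = '''package iptables

import "os/exec"

func lookup() (string, error) {
	path, err := exec.LookPath("iptables")
	if err != nil {
		return "", err
	}
	return path, nil
}

func legacy() (string, error) {
	return exec.LookPath("iptables-legacy")
}
'''


def rewrite_lookpath(source, tool_paths=TOOL_PATHS):
    """Return (rewritten_source, sorted LookPath names absent from tool_paths).

    Known names become the two-value literal `"/abs/path", nil`, so a
    `p, err := exec.LookPath("x")` site still type-checks.  Every other
    exec.LookPath, literal argument or not, is replaced by POISON so that
    `go build` refuses the file; the packager then adds the name to
    tool_paths instead of shipping a daemon that searches $PATH.
    """
    missing = set()

    def resolve(match):
        name = match.group(1)
        path = tool_paths.get(name)
        if path is None:
            missing.add(name)
            return match.group(0)  # left in place for the poison pass
        return '"%s", nil' % path

    rewritten = LOOKPATH_CALL.sub(resolve, source)
    rewritten = rewritten.replace("exec.LookPath", POISON)
    return rewritten, sorted(missing)


def lookpath_free(source):
    """True when neither a PATH lookup nor the poison remains, i.e. it will build."""
    return "exec.LookPath" not in source and POISON not in source


if __name__ == "__main__":
    out, missing = rewrite_lookpath(SAMPLE_GO)
    print(out)
    print("unmapped LookPath names:", missing)
```

The substitution assumes each pinned call is consumed as two values; a call used in a single-value context would fail to type-check after the rewrite, which is still fail-closed. The poison pass matches the literal text exec.LookPath, so an aliased import (import ex "os/exec") would escape it; grepping for .LookPath( across the vendor tree is a cheap extra check.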