GNU bug report logs -
#34446
Runc container escape patches CVE-2019-5736
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Mon, 11 Feb 2019 23:49:01 UTC
Severity: normal
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Full log
Message #25 received at 34446-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Feb 12, 2019 at 01:10:34AM +0100, Danny Milosavljevic wrote:
> as originally released by upstream, Docker looks up auxiliary commands in PATH,
> using a Go function called "LookPath".
>
> Our package definition patches a lot of the specific LookPath calls to
> refer to inputs by absolute path.
>
> I've booby-trapped the remaining LookPath calls so we won't accidentially
> have an internal tool looked up in $PATH.
>
> If we have not forgotten any LookPath calls, there should have been no remaining
> LookPath calls and it would not have failed the build.
Thanks for explaining this :)
> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:15: undefined: exec.Guix_doesnt_want_LookPath
> > .gopath/src/github.com/docker/docker/vendor/github.com/docker/libnetwork/iptables/iptables.go:90:45: invalid character U+005C '\'
>
> Please examine line 90. It probably has a LookPath line with a new argument we
> haven't seen before.
Okay, they added a lookup for 'iptables-legacy' which is what Debian has
renamed iptables. I changed this to just look up 'iptables' since its
equivalent on our end and in how the Docker code uses it and pushed as
ea7cddaac782b2cdc789a354e172356ed5c183e7.
Thanks again for your help!
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 6 years and 96 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.