This repository has been archived by the owner on Oct 13, 2023. It is now read-only.
[19.03] Update containerd to v1.2.11, runc v1.0.0-rc9 #428
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
full diff: opencontainers/runc@3e425f8...v1.0.0-rc9 - opencontainers/runc#1951 Add SCMP_ACT_LOG as a valid Seccomp action - opencontainers/runc#2130 *: verify operations on /proc/... are on procfs This is an additional mitigation for CVE-2019-16884. The primary problem is that Docker can be coerced into bind-mounting a file system on top of /proc (resulting in label-related writes to /proc no longer happening). While we are working on mitigations against permitting the mounts, this helps avoid our code from being tricked into writing to non-procfs files. This is not a perfect solution (after all, there might be a bind-mount of a different procfs file over the target) but in order to exploit that you would need to be able to tweak a config.json pretty specifically (which thankfully Docker doesn't allow). Specifically this stops AppArmor from not labeling a process silently due to /proc/self/attr/... being incorrectly set, and stops any accidental fd leaks because /proc/self/fd/... is not real. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: containerd/containerd@v1.2.10...v1.2.11 The eleventh patch release for containerd 1.2 includes an updated runc with an additional fix for CVE-2019-16884 and a Golang update. Notable Updates ----------------------- - Update the runc vendor to v1.0.0-rc9 which includes an additional mitigation for CVE-2019-16884. More details on the runc CVE in opencontainers/runc#2128, and the additional mitigations in opencontainers/runc#2130. - Add local-fs.target to service file to fix corrupt image after unexpected host reboot. Reported in containerd/containerd#3671, and fixed by containerd/containerd#3746. - Update Golang runtime to 1.12.13, which includes security fixes to the crypto/dsa package made in Go 1.12.11 (CVE-2019-17596), and fixes to the go command, runtime, syscall and net packages (Go 1.12.12). CRI fixes: ----------------------- - Fix shim delete error code to avoid unnecessary retries in the CRI plugin. Discovered in containerd/cri#1309, and fixed by containerd/containerd#3732 and containerd/containerd#3739. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
error info: |
tonistiigi
approved these changes
Jan 16, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[19.03] Update to runc v1.0.0-rc9
full diff: opencontainers/runc@3e425f8...v1.0.0-rc9
Add SCMP_ACT_LOG as a valid Seccomp action opencontainers/runc#1951 Add SCMP_ACT_LOG as a valid Seccomp action
*: verify operations on /proc/... are on procfs opencontainers/runc#2130 *: verify operations on /proc/... are on procfs
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).
While we are working on mitigations against permitting the mounts, this
helps avoid our code from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).
Specifically this stops AppArmor from not labeling a process silently
due to /proc/self/attr/... being incorrectly set, and stops any
accidental fd leaks because /proc/self/fd/... is not real.
[19.03] Update containerd binary to v1.2.11
full diff: containerd/containerd@v1.2.10...v1.2.11
The eleventh patch release for containerd 1.2 includes an updated runc with
an additional fix for CVE-2019-16884 and a Golang update.
Notable Updates
for CVE-2019-16884.
More details on the runc CVE in AppArmor can be bypassed by a malicious image that specifies a volume at /proc opencontainers/runc#2128, and the additional
mitigations in *: verify operations on /proc/... are on procfs opencontainers/runc#2130.
reboot. Reported in Unable to recover corrupt image after unexpected host reboot containerd/containerd#3671, and fixed by [release/1.2] Add local-fs.target to service file containerd/containerd#3746.
package made in Go 1.12.11 (CVE-2019-17596), and fixes to the go command, runtime,
syscall and net packages (Go 1.12.12).
CRI fixes:
in Update containerd to a6a0c8b6e36415a151d93d096c1c0af9e0bd7977. containerd/cri#1309, and fixed by [release/1.2] Fix shim delete error code. containerd/containerd#3732 and [release/1.2] backport: Fix delete error code on the containerd daemon side. containerd/containerd#3739.