CVE-2016-9962


Debian Bug report logs - #850951
CVE-2016-9962


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 11 Jan 2017 15:24:01 UTC

Severity: grave

Tags: security, upstream

Found in version runc/0.1.1+dfsg1-1

Fixed in version runc/0.1.1+dfsg1-2

Done: Tianon Gravi <tianon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#850951; Package src:runc. (Wed, 11 Jan 2017 15:24:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Wed, 11 Jan 2017 15:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-9962
Date: Wed, 11 Jan 2017 16:21:53 +0100

Source: runc
Severity: grave
Tags: security

Please see:
https://bugzilla.suse.com/show_bug.cgi?id=1012568
https://github.com/docker/docker/compare/v1.12.5...v1.12.6
https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5

Cheers,
        Moritz
			 



Marked as found in versions runc/0.1.1+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 18:54:04 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 18:54:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#850951; Package src:runc. (Thu, 26 Jan 2017 05:21:04 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Thu, 26 Jan 2017 05:21:04 GMT)


Message #14 received at 850951@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 850951@bugs.debian.org
Subject: Re: [pkg-go] Bug#850951: CVE-2016-9962
Date: Wed, 25 Jan 2017 21:15:51 -0800

On 11 January 2017 at 07:21, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Please see:
> https://bugzilla.suse.com/show_bug.cgi?id=1012568
> https://github.com/docker/docker/compare/v1.12.5...v1.12.6
> https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5

I've been working on backporting this patch to 0.1.1, and I think the
CVE actually doesn't apply to 0.1.1 (the version currently in
sid/stretch).  The file descriptor being closed in this patch isn't
being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet).

https://github.com/opencontainers/runc/pull/886 is the upstream PR
which introduced this file descriptor, and it was not included in a
release until 1.0.0-rc2.

As a consequence, I think this bug should be closed (and probably the
security tracker updated to reflect the fact that this CVE doesn't
apply to our older version of runc).


♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#850951; Package src:runc. (Mon, 30 Jan 2017 19:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Mon, 30 Jan 2017 19:33:06 GMT)


Message #19 received at 850951@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tianon Gravi <tianon@debian.org>, 850951@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#850951: [pkg-go] Bug#850951: CVE-2016-9962
Date: Mon, 30 Jan 2017 20:31:27 +0100

Hi Tianon,

On Wed, Jan 25, 2017 at 09:15:51PM -0800, Tianon Gravi wrote:
> On 11 January 2017 at 07:21, Moritz Muehlenhoff <jmm@debian.org> wrote:
> > Please see:
> > https://bugzilla.suse.com/show_bug.cgi?id=1012568
> > https://github.com/docker/docker/compare/v1.12.5...v1.12.6
> > https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
> 
> I've been working on backporting this patch to 0.1.1, and I think the
> CVE actually doesn't apply to 0.1.1 (the version currently in
> sid/stretch).  The file descriptor being closed in this patch isn't
> being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet).
> 
> https://github.com/opencontainers/runc/pull/886 is the upstream PR
> which introduced this file descriptor, and it was not included in a
> release until 1.0.0-rc2.
> 
> As a consequence, I think this bug should be closed (and probably the
> security tracker updated to reflect the fact that this CVE doesn't
> apply to our older version of runc).

Disclaimer: I'm not too deep into that. I just noticed that
https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seems to
indicate as well that 0.1.1-based versions are affected. But I cannot tell
more (at the moment).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#850951; Package src:runc. (Wed, 01 Feb 2017 04:51:02 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Wed, 01 Feb 2017 04:51:02 GMT)


Message #24 received at 850951@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 850951@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: [pkg-go] Bug#850951: Bug#850951: CVE-2016-9962
Date: Tue, 31 Jan 2017 20:46:09 -0800

On 30 January 2017 at 11:31, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Disclaimer: I'm not too deep into that. I just noticed that
> https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seems to
> indicate as well that 0.1.1-based versions are affected. But I cannot tell
> more (at the moment).

Reading more into the vuln itself, I think ignoring the "stateDirFD"
bits of the upstream patch is appropriate (and simply adding the
"PR_SET_DUMPABLE" bit for "runc exec" as in
"libcontainer/nsenter/nsexec.c").

I'm preparing a patch for the package now, but I'm curious what the
implications of an upload will be so close to the freeze -- do we need
to request a freeze exception or a migration adjustment after the
updated package is up?  Should I hold off on uploading?  (would rather
not lose "runc" from stretch)


♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
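
What the "PR_SET_DUMPABLE" step mentioned in the message above changes for a process, as an added example that is not runc's code and not the patch attached to this bug: a forked child clears its own dumpable flag, after which the kernel denies ptrace attach to callers lacking CAP_SYS_PTRACE and reports the process's /proc entries as root-owned. The struct and function names are hypothetical, chosen for this illustration.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names, made up for this illustration. */
struct dumpable_report {
    int before, after;              /* PR_GET_DUMPABLE before/after the change */
    long owner_before, owner_after; /* uid owning /proc/self/fd, -1 if unreadable */
};

static long proc_fd_owner(void) {
    struct stat st;
    return stat("/proc/self/fd", &st) == 0 ? (long)st.st_uid : -1;
}

/* Fork a child, let it clear its dumpable flag, and report what the kernel
 * shows before and after. Returns 0 on success, -1 on failure. */
int probe_non_dumpable(struct dumpable_report *out) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                 /* child: the process being hardened */
        struct dumpable_report r;
        close(fds[0]);
        r.before = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
        r.owner_before = proc_fd_owner();
        if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) _exit(1);
        r.after = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
        r.owner_after = proc_fd_owner();
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (n == (ssize_t)sizeof *out && WIFEXITED(status) &&
            WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    struct dumpable_report r;
    if (probe_non_dumpable(&r) != 0) { fprintf(stderr, "probe failed\n"); return 1; }
    printf("dumpable %d -> %d, /proc/self/fd owner %ld -> %ld\n",
           r.before, r.after, r.owner_before, r.owner_after);
    return 0;
}
```

Run as an unprivileged user, the owner column shows the change from the caller's uid to root; as root both values are already 0.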



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#850951; Package src:runc. (Wed, 01 Feb 2017 04:57:02 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Wed, 01 Feb 2017 04:57:02 GMT)


Message #29 received at 850951@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 850951@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#850951: CVE-2016-9962
Date: Tue, 31 Jan 2017 20:54:08 -0800

On 31 January 2017 at 20:46, Tianon Gravi <tianon@debian.org> wrote:
> I'm preparing a patch for the package now, but I'm curious what the
> implications of an upload will be so close to the freeze -- do we need
> to request a freeze exception or a migration adjustment after the
> updated package is up?  Should I hold off on uploading?  (would rather
> not lose "runc" from stretch)

CVE fix backported for v0.1.1 is attached (applies cleanly in the
current packaging when added to "debian/patches/series").

Happy to do the actual upload if I can get some guidance on how to
make sure it's done properly WRT freeze (or just as happy to leave it
to someone else).  O:)


♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
[cve-2016-9962.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#850951; Package src:runc. (Wed, 01 Feb 2017 15:18:02 GMT)


Message #32 received at 850951@bugs.debian.org:

From: pkg-go-maintainers@lists.alioth.debian.org
To: 850951@bugs.debian.org, 850951-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the runc package
Date: Wed, 01 Feb 2017 15:15:48 +0000

tag 850951 + pending
thanks

Some bugs in the runc package are closed in revision
7986e9a8e1cd21b09a11cf2e90296feeafa5cbcc in branch 'master' by Tianon
Gravi

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-go/packages/runc.git/commit/?id=7986e9a

Commit message:

    Backport patch for CVE-2016-9962 (Closes: #850951)




Added tag(s) pending. Request was from pkg-go-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 01 Feb 2017 15:18:04 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#850951. (Wed, 01 Feb 2017 15:18:06 GMT)


Reply sent to Tianon Gravi <tianon@debian.org>:
You have taken responsibility. (Wed, 01 Feb 2017 15:36:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 01 Feb 2017 15:36:06 GMT)


Message #42 received at 850951-close@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 850951-close@bugs.debian.org
Subject: Bug#850951: fixed in runc 0.1.1+dfsg1-2
Date: Wed, 01 Feb 2017 15:34:09 +0000

Source: runc
Source-Version: 0.1.1+dfsg1-2

We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850951@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <tianon@debian.org> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 01 Feb 2017 07:17:54 -0800
Source: runc
Binary: runc golang-github-opencontainers-runc-dev
Architecture: source
Version: 0.1.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Tianon Gravi <tianon@debian.org>
Description:
 golang-github-opencontainers-runc-dev - Open Container Project - develpoment files
 runc       - Open Container Project - runtime
Closes: 850951
Changes:
 runc (0.1.1+dfsg1-2) unstable; urgency=medium
 .
   * Team upload.
   * Backport patch for CVE-2016-9962 (Closes: #850951)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Mar 2017 07:26:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:22:48 2019; Machine Name: beach
