kumquat-buildroot/package/runc/Config.in
Peter Korsgaard 6e3f7fbc07 package/runc: add upstream security fix for CVE-2019-5736
The vulnerability allows a malicious container to (with minimal user
interaction) overwrite the host runc binary and thus gain root-level
code execution on the host. The level of user interaction is being able
to run any command (it doesn't matter if the command is not
attacker-controlled) as root within a container in either of these
contexts:

  * Creating a new container using an attacker-controlled image.
  * Attaching (docker exec) into an existing container which the
    attacker had previous write access to.

For more details, see the advisory:

https://www.openwall.com/lists/oss-security/2019/02/11/2

The fix for this issue uses fexecve(3), which isn't available on uClibc, so
add a dependency on !uclibc to runc and propagate to the reverse
dependencies (containerd/docker-engine).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-12 20:04:14 +01:00

config BR2_PACKAGE_RUNC
	bool "runc"
	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
	depends on BR2_TOOLCHAIN_HAS_THREADS
	depends on !BR2_TOOLCHAIN_USES_UCLIBC # no fexecve
	help
	  runC is a CLI tool for spawning and running containers
	  according to the OCP specification.

	  https://github.com/opencontainers/runc

comment "runc needs a glibc or musl toolchain w/ threads"
	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS && \
		BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC
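An added illustration of the re-exec pattern behind the fexecve(3) dependency noted in the commit message (my own code, not runc's or Buildroot's): the host binary copies itself into a sealed memfd and fexecve()s that copy, so a process on the container side that reaches /proc/self/exe never finds a writable handle to the real on-disk binary. The page only states that the fix uses fexecve(3); the memfd_create()/sealing step is my assumption about the approach, the SEALED_REEXEC variable is a constructed marker for the demo, and it assumes Linux with glibc 2.27 or later (the same call that a uClibc toolchain lacks).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy `path` into an anonymous memfd, seal it, and return the fd (-1 on
 * failure). The sealed copy can no longer be modified, so fexecve() of it
 * runs a private, immutable image rather than the reachable on-disk file. */
int sealed_memfd_copy(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC), mfd = -1;
    char buf[65536];
    ssize_t n, w;
    if (src < 0)
        return -1;
    /* MFD_ALLOW_SEALING is required for F_ADD_SEALS below. */
    if ((mfd = memfd_create("sealed-self", MFD_CLOEXEC | MFD_ALLOW_SEALING)) < 0)
        goto fail;
    while ((n = read(src, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; off += w)
            if ((w = write(mfd, buf + off, (size_t)(n - off))) < 0)
                goto fail;
    /* Forbid writes, resizing, and removal of the seals themselves. */
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SHRINK |
                                         F_SEAL_GROW | F_SEAL_SEAL) < 0)
        goto fail;
    close(src);
    return mfd;
fail:
    close(src);
    if (mfd >= 0)
        close(mfd);
    return -1;
}

/* Demo: re-exec once from the sealed copy; fexecve() only returns on failure. */
int main(int argc, char **argv)
{
    if (getenv("SEALED_REEXEC"))
        return printf("running from sealed copy (argc=%d)\n", argc) < 0;
    int fd = sealed_memfd_copy("/proc/self/exe");
    if (fd < 0 || setenv("SEALED_REEXEC", "1", 1) < 0)
        return 1;
    fexecve(fd, argv, environ);
    perror("fexecve");
    return 1;
}
```

After the seals are applied, any write() on the copy fails with EPERM, which is the property the whole pattern depends on.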