authorGravatar Peter Korsgaard <peter@korsgaard.com>2019-02-12 14:15:04 +0100
committerGravatar Peter Korsgaard <peter@korsgaard.com>2019-02-12 20:04:14 +0100
commit6e3f7fbc072c88ab344f2ffa39e402464b566f19 (patch)
tree0952afe3de10b80f5692d649b75491304364543a /package/docker-containerd
parent11c55c94da9a51f0448a1ae869065736993e1787 (diff)
downloadbuildroot-6e3f7fbc072c88ab344f2ffa39e402464b566f19.tar.gz
buildroot-6e3f7fbc072c88ab344f2ffa39e402464b566f19.tar.bz2
package/runc: add upstream security fix for CVE-2019-5736
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: * Creating a new container using an attacker-controlled image. * Attaching (docker exec) into an existing container which the attacker had previous write access to. For more details, see the advisory: https://www.openwall.com/lists/oss-security/2019/02/11/2 The fix for this issue uses fexecve(3), which isn't available on uClibc, so add a dependency on !uclibc to runc and propagate to the reverse dependencies (containerd/docker-engine). Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/docker-containerd')
-rw-r--r--package/docker-containerd/Config.in5
1 files changed, 3 insertions, 2 deletions
diff --git a/package/docker-containerd/Config.in b/package/docker-containerd/Config.in
index 851345f73e..bdb5dd7b80 100644
--- a/package/docker-containerd/Config.in
+++ b/package/docker-containerd/Config.in
@@ -3,6 +3,7 @@ config BR2_PACKAGE_DOCKER_CONTAINERD
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_PACKAGE_TOOLCHAIN_USES_UCLIBC # runc
depends on BR2_USE_MMU # util-linux
select BR2_PACKAGE_RUNC # runtime dependency
select BR2_PACKAGE_UTIL_LINUX # runtime dependency
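Review bot: The symbol name in the added line `depends on !BR2_PACKAGE_TOOLCHAIN_USES_UCLIBC # runc` does not match the one this same commit uses in the comment stanza of the second hunk, `BR2_TOOLCHAIN_USES_UCLIBC`, and the latter is the Buildroot toolchain symbol; the `BR2_PACKAGE_` prefixed form does not appear to be defined anywhere. Kconfig treats an undefined symbol as n, so the negated dependency is always satisfied and docker-containerd remains selectable on uClibc toolchains, which is exactly the configuration the runc dependency (fexecve(3) unavailable, per the description) is meant to exclude, while the "needs a glibc or musl toolchain" comment would be shown at the same time. The line should read `depends on !BR2_TOOLCHAIN_USES_UCLIBC # runc`, consistent with the second hunk. The diffstat is filtered to this directory, so it is worth confirming the docker-engine Config.in touched by the same commit uses the correct symbol as well.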
@@ -27,8 +28,8 @@ config BR2_PACKAGE_DOCKER_CONTAINERD_DRIVER_BTRFS
endif
-comment "docker-containerd needs a toolchain w/ threads"
+comment "docker-containerd needs a glibc or musl toolchain w/ threads"
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_USE_MMU
- depends on !BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC