├── .dockerignore
├── .gitignore
├── Dockerfile
├── Makefile
└── README.md

/.dockerignore:
--------------------------------------------------------------------------------
./dist

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
vendor/pkg
/runc
/runc-*
contrib/cmd/recvtty/recvtty
man/man8
release
dist

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Build image for the patched runc binaries: for every Docker release branch
# listed below it builds two static runc binaries into ./dist and finishes
# with a sha256 list of everything in that directory.
FROM golang:1.11.4-stretch

# Build dependencies for runc with the "seccomp selinux apparmor" build tags.
# libseccomp-dev is listed twice in this set; one of the entries is redundant.
RUN apt-get update && apt-get install -y \
    build-essential \
    curl \
    sudo \
    gawk \
    iptables \
    jq \
    pkg-config \
    libaio-dev \
    libcap-dev \
    libprotobuf-dev \
    libprotobuf-c0-dev \
    libnl-3-dev \
    libnet-dev \
    libseccomp2 \
    libseccomp-dev \
    libapparmor-dev \
    protobuf-c-compiler \
    protobuf-compiler \
    python-minimal \
    uidmap \
    kmod \
    libseccomp-dev \
    --no-install-recommends \
    && apt-get clean

# The whole working copy (including .git; only ./dist is excluded via
# .dockerignore) is copied in, and the loop below checks out branches from it.
COPY . /go/src/github.com/opencontainers/runc
WORKDIR /go/src/github.com/opencontainers/runc
# Suffix of the branch names checked out below: release-<VER>-<TAG>.
ENV TAG build3
# For each Docker version: check out its release branch, then build two static
# binaries -- the plain one, and one compiled with memfd_create disabled
# (the "-no-memfd_create" variant; per the README it is meant for Linux 3.x
# kernels). GOARCH comes from `go env`, so the image builds for the host
# architecture only.
# NOTE(review): the checkout is by ref name, not a pinned commit, so the source
# that gets built is whatever the copied .git holds for that ref at build time.
# The sha256sum file is written by this same build step (GOARCH is still
# exported from the inner loop at that point), so it lets a downloader detect a
# corrupted or altered copy of a binary, but it does not attest to the build
# environment or the checked-out source itself.
RUN for VER in v1.12.6 v1.13.1 v17.03.2 v17.06.2 v17.09.1 v17.12.1 v18.03.1 v18.06.1; do \
    git checkout release-${VER}-${TAG} && \
    for GOARCH in $(go env GOARCH); do \
        export GOARCH && \
        mkdir -p dist && \
        make BUILDTAGS="seccomp selinux apparmor" static && \
        mv runc dist/runc-${VER}-${GOARCH} && \
        make CGO_CFLAGS="-DDISABLE_MEMFD_CREATE=1" BUILDTAGS="seccomp selinux apparmor" static && \
        mv runc dist/runc-${VER}-${GOARCH}-no-memfd_create \
    ; done ; done && \
    cd dist && \
    sha256sum * > sha256sum-${GOARCH}.txt

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# release: build the image, copy ./dist out of a container created from it,
# then remove that container. Note that if `docker cp` fails, make stops before
# the `docker rm` line and the run-cve container is left behind.
release:
	docker build -t run-cve .
	docker create --name run-cve run-cve
	docker cp run-cve:/go/src/github.com/opencontainers/runc/dist .
	docker rm -fv run-cve

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
CVE Builds for legacy docker-runc
---------------------------------

This repo provides a backport of patches for CVE-2019-5736 for older versions of runc
that were packaged with Docker.

## Build and Releases

Refer to the [releases](https://github.com/rancher/runc-cve/releases) section of this repo for the binaries. In order to build yourself,
or build for different architectures, just run `make` and the binaries will end up in
`./dist`.

The binaries will be of the form runc-${VERSION}-${ARCHITECTURE} where VERSION is the
associated Docker version, not the version of runc.

> **Note:** The runc-cve release for Docker 17.03.2 can also be used for Docker 17.03.3, because those two Docker releases ship the same runc binary.

## Installing

To install, find the runc for your Docker version; for example, Docker 17.06.2 for amd64
will be runc-v17.06.2-amd64. For Linux 3.x kernels use the binaries that end with **no-memfd_create**.
The build also writes a `sha256sum-${ARCHITECTURE}.txt` into `./dist`; compare your binary against it before installing.
Then replace the docker-runc on your host with the patched one.

```bash
# Figure out where your docker-runc is, typically in /usr/bin/docker-runc
which docker-runc

# Backup
mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds)

# Copy file
cp runc-v17.06.2-amd64 /usr/bin/docker-runc

# Ensure it's executable
chmod +x /usr/bin/docker-runc

# Test it works
docker-runc -v
docker run -it --rm ubuntu echo OK
```

--------------------------------------------------------------------------------