runc: add patches to fix CVE-2016-9962

8 years ago · 260d97ca25
parent 2b17620d59
commit 260d97ca25
1 changed files with 16 additions and 1 deletions
--- a/pkgs/applications/virtualization/runc/default.nix
+++ b/pkgs/applications/virtualization/runc/default.nix
@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, go-md2man
+{ stdenv, lib, fetchFromGitHub, fetchpatch, go-md2man
 , go, pkgconfig, libapparmor, apparmor-parser, libseccomp }:

 with lib;
@ -14,6 +14,21 @@ stdenv.mkDerivation rec {
    sha256 = "06bxc4g3frh4i1lkzvwdcwmzmr0i52rz4a4pij39s15zaigm79wk";
  };

+  patches = [
+    # Two patches to fix CVE-2016-9962
+    # From https://bugzilla.suse.com/show_bug.cgi?id=1012568
+    (fetchpatch {
+      name = "0001-libcontainer-nsenter-set-init-processes-as-non-dumpa.patch";
+      url = "https://bugzilla.suse.com/attachment.cgi?id=709048&action=diff&context=patch&collapsed=&headers=1&format=raw";
+      sha256 = "1cfsmsyhc45a2929825mdaql0mrhhbrgdm54ly0957j2f46072ck";
+    })
+    (fetchpatch {
+      name = "0002-libcontainer-init-only-pass-stateDirFd-when-creating.patch";
+      url = "https://bugzilla.suse.com/attachment.cgi?id=709049&action=diff&context=patch&collapsed=&headers=1&format=raw";
+      sha256 = "1ykwg1mbvsxsnsrk9a8i4iadma1g0rgdmaj19dvif457hsnn31wl";
+    })
+  ];
+
  outputs = [ "out" "man" ];

  hardeningDisable = ["fortify"];