[lxc-devel] [lxd/master] lxd/containers: Set liblxc env for CVE-2019-5736

stgraber on Github lxc-bot at linuxcontainers.org
Sat Feb 16 20:23:24 UTC 2019


From 8b33db6edff687af84ade3648b147c574829e614 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Sat, 16 Feb 2019 15:14:30 -0500
Subject: [PATCH] lxd/containers: Set liblxc env for CVE-2019-5736
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 5e8a6089c5..17dbf171fe 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -6068,6 +6068,9 @@ func (c *containerLXC) Exec(command []string, env map[string]string, stdin *os.F
 	cmd.Stdout = logFile
 	cmd.Stderr = logFile
 
+	// Mitigation for CVE-2019-5736
+	cmd.Env = append(os.Environ(), "LXC_MEMFD_REXEC=1")
+
 	// Setup communication PIPE
 	rStatus, wStatus, err := shared.Pipe()
 	defer rStatus.Close()
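Review bot: The comment on the added `cmd.Env` line in `Exec` names only the CVE, and the commit message has no body, so a reader cannot tell what `LXC_MEMFD_REXEC=1` asks liblxc to do or which child process is expected to read it. Suggest expanding the comment to state that. Please also confirm that nothing earlier in `Exec` already assigns `cmd.Env`, because this line replaces the slice with `os.Environ()` plus the new entry rather than extending an existing value. The diffstat shows this is the only location touched. If other code paths in `container_lxc.go` spawn a child that loads liblxc, they would need the same variable for the mitigation to cover them.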

