[pkg-lxc-devel] Bug#923932: lxc: Patch for CVE-2019-5736 breaks program using liblxc
Shengjing Zhu
zhsj at debian.org
Thu Mar 7 11:52:26 GMT 2019
Package: lxc
Version: 1:3.1.0+really3.0.3-4
Severity: important
Dear Maintainer,
1:3.1.0+really3.0.3-4 backports an incomplete patch for CVE-2019-5736.
It causes liblxc to re-execute unconditionally.
For example, any program linking against liblxc will have a wrong
/proc/self/exe -> "/memfd:liblxc (deleted)"
For more detail:
https://github.com/lxc/lxc/pull/2846
And https://github.com/anbox/anbox/issues/1057#issuecomment-470491485
This was first reported at anbox #923403, and I uploaded a quick
workaround for anbox before the freeze. Now the lxc author has commented
on the anbox issue, saying it's lxc's fault, and that it is fixed in lxc upstream.
--
Shengjing Zhu