From 998eaa7dad3f79f6ff7f3acbdd0dda903533ac62 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Sat, 24 Mar 2018 09:19:40 +0000
Subject: [PATCH] pkg: Fix cgo CFLAGS for rngd

Go commit https://github.com/golang/go/issues/23672 introduced a whitelist ofr flags passed into gcc to prevent arbitrary code execution (CVE-2018-6574). The x86 rngd code uses two CFLAGS not on the whitelist. Add them to 'CGO_CFLAGS_ALLOW'.

Signed-off-by: Rolf Neugebauer
---
 pkg/rngd/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/rngd/Dockerfile b/pkg/rngd/Dockerfile
index e7fb6abd0..084a2df24 100644
--- a/pkg/rngd/Dockerfile
+++ b/pkg/rngd/Dockerfile
@@ -3,6 +3,9 @@ FROM linuxkit/alpine:96ad1eb5ec262b4cd0eef574cdc0b225b502d9ee AS mirror
 RUN apk add --no-cache go gcc musl-dev linux-headers
 ENV GOPATH=/go PATH=$PATH:/go/bin
+# see https://github.com/golang/go/issues/23672
+ENV CGO_CFLAGS_ALLOW=(-mrdrnd|-mrdseed)
+
 COPY cmd/rngd/ /go/src/rngd/
 RUN REQUIRE_CGO=1 go-compile.sh /go/src/rngd
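Review bot: The added `ENV CGO_CFLAGS_ALLOW=...` relaxes the cgo flag allowlist for every later Go build in this stage, not only for rngd, so a future `go build` or `go get` added below it would inherit the exception to the CVE-2018-6574 hardening. Scoping it to the one command keeps the relaxation minimal, e.g. `RUN CGO_CFLAGS_ALLOW='(-mrdrnd|-mrdseed)' REQUIRE_CGO=1 go-compile.sh /go/src/rngd`, assuming go-compile.sh passes its environment through to the go tool as it presumably does for REQUIRE_CGO. The comment would also read better if it stated the reason rather than only a link, for example `# rngd's x86 cgo code needs -mrdrnd and -mrdseed, which Go's cgo flag allowlist rejects (golang/go#23672); allow only these two`. The Dockerfile continues past the end of the hunk, so whether later stages or builds are affected is not visible here.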