[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3369-1] runc security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3369-1                [email protected]
https://www.debian.org/lts/security/                      Sylvain Beucler
March 27, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : runc
Version        : 1.0.0~rc6+dfsg1-3+deb10u2
CVE ID         : CVE-2019-16884 CVE-2019-19921 CVE-2021-30465 CVE-2022-29162 
                 CVE-2023-27561
Debian Bug     : 942026 988768

Multiple vulnerabilities were discovered in runc, the Open Container
Project runtime, which is often used with virtualization environments
such as Docker. Malicious Docker images or OCI bundles could breach
isolation.

CVE-2019-16884

    runc, as used in Docker and other products, allows AppArmor and
    SELinux restriction bypass because libcontainer/rootfs_linux.go
    incorrectly checks mount targets, and thus a malicious Docker
    image can mount over a /proc directory.

CVE-2019-19921

    runc has Incorrect Access Control leading to Escalation of
    Privileges, related to libcontainer/rootfs_linux.go. To exploit
    this, an attacker must be able to spawn two containers with custom
    volume-mount configurations, and be able to run custom
    images. (This vulnerability does not affect Docker due to an
    implementation detail that happens to block the attack.)

CVE-2021-30465

    runc allows a Container Filesystem Breakout via Directory
    Traversal. To exploit the vulnerability, an attacker must be able
    to create multiple containers with a fairly specific mount
    configuration. The problem occurs via a symlink-exchange attack
    that relies on a race condition.

CVE-2022-29162

    `runc exec --cap` created processes with non-empty inheritable
    Linux process capabilities, creating an atypical Linux environment
    and enabling programs with inheritable file capabilities to
    elevate those capabilities to the permitted set during
    execve(2). This bug did not affect the container security sandbox
    as the inheritable set never contained more capabilities than were
    included in the container's bounding set.

CVE-2023-27561

    CVE-2019-19921 was re-introduced by the fix for CVE-2021-30465.

For Debian 10 buster, this problem has been fixed in version
1.0.0~rc6+dfsg1-3+deb10u2.

We recommend that you upgrade your runc packages.

For the detailed security status of runc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/runc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmQhvrcACgkQDTl9HeUl
XjDWmQ/+KWUKllg6DZGI1fk1wl+OY59wlQzmCG72c12R6IMmxI2ZKE5lPkpOpIDy
MqYRay517oXIDMfPvtCrOaMVSuavBJLJ5ABPyREpltAVLjnAVZZESHyBGZv3qxyL
2nhDNtFTAUcrBBIIIFg7Vvwu9gceFp+XVsGBrgbpTW4hRsz7cLbd5ZRJ6SV9D8uH
y79KNwQ6JazgoLePCRlKxs0SxiF7JVT+hVTxWLL5RW88527qSrHT5t4CqDDfEPla
g/bgkUHYWAQBV2eWqmVAW/Ip5/sUE3ib6F0brqri+d0SwoJe3yb2t7t8B7qKIkOs
VbCXNmLNGdpMQc4OiAUmqUvboY/UtGwduH0uCcXxDh1jasXwQTDsQFZ5mCbMwy5X
QnE2X02QnIYScWYgGlsA8FFXGWiClpR1PzvVMTBwdvat0KVlZ63ZMaMpoL2QJItU
lZGEnZd6BKJgpbUDabk7Cyqnivn8Fa86GCs9/pdxEi7TO9+Qd2DdeCnOhrlHEbT/
nDByzycIArsEsDI+TqoGam3AzHpZNnNoFNN+wVRxLWxAUuAcTwbSkIdEZtNoCmVv
fp+sewaSwOQ8p9lbmsfVsEd67LN2DNe5l1I6ZFawJYvfM0Lq8UL2PFmNlXvAuTrT
9GXc106Rh0BiU0It2956PE/gjl+cR3jIgHLz5Rn0oQlplgLVj/k=
=CdXx
-----END PGP SIGNATURE-----
Reply to: