• Bug#1062532: runc: CVE-2024-21626

    From Salvatore Bonaccorso@21:1/5 to All on Thu Feb 1 20:40:01 2024
    Source: runc
    Version: 1.1.10+ds1-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for runc.

    CVE-2024-21626[0]:
    | runc is a CLI tool for spawning and running containers on Linux
    | according to the OCI specification. In runc 1.1.11 and earlier, due
    | to an internal file descriptor leak, an attacker could cause a
    | newly-spawned container process (from runc exec) to have a working
    | directory in the host filesystem namespace, allowing for a container
    | escape by giving access to the host filesystem ("attack 2"). The
    | same attack could be used by a malicious image to allow a container
    | process to gain access to the host filesystem through runc run
    | ("attack 1"). Variants of attacks 1 and 2 could also be used to
    | overwrite semi-arbitrary host binaries, allowing for complete
    | container escapes ("attack 3a" and "attack 3b"). runc 1.1.12
    | includes patches for this issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-21626
    https://www.cve.org/CVERecord?id=CVE-2024-21626
    [1] https://www.openwall.com/lists/oss-security/2024/01/31/6
    [2] https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Fri Feb 2 21:30:01 2024

    Your message dated Fri, 2 Feb 2024 21:18:48 +0100
    with message-id <Zb1OKKQTbQfkXC6s@eldamar.lan>
    and subject line Accepted runc 1.1.12+ds1-1 (source) into unstable
    has caused the Debian Bug report #1062532,
    regarding runc: CVE-2024-21626
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1062532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062532
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 1 Feb 2024 19:32:02 +0000
  • From Salvatore Bonaccorso@21:1/5 to All on Fri Feb 2 21:30:01 2024
    Source: runc
    Source-Version: 1.1.12+ds1-1
    Control: fixed 1062532 1.0.0~rc93+ds1-5+deb11u3
    Control: fixed 1062532 1.1.5+ds1-1+deb12u1

    This fixes #1062532. Adding as well the fixed version for the pending
    runc update via bullseye-security and bookworm-security.

    ----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Fri, 02 Feb 2024 21:20:26 +0800
    Source: runc
    Architecture: source
    Version: 1.1.12+ds1-1
    Distribution: unstable
    Urgency: medium
    Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
    Changed-By: Shengjing Zhu <zhsj@debian.org>
    Changes:
    runc (1.1.12+ds1-1) unstable; urgency=medium
    .
    * Team upload
    * New upstream version 1.1.12+ds1
    + CVE-2024-21626: several container breakouts due to internally leaked fds
    Checksums-Sha1:
    5bef8274f96e27dcf68992efe30b8f372807e0ad 2772 runc_1.1.12+ds1-1.dsc
    937c3fe186bca9df98b96c4f1b1354a89092d66c 528632 runc_1.1.12+ds1.orig.tar.xz
    6520a024c7ba75259db6a396e7bd95c245281cdb 14768 runc_1.1.12+ds1-1.debian.tar.xz
    adc4f0be51d402e882acc7bfcab17b2404c26a39 8215 runc_1.1.12+ds1-1_amd64.buildinfo
    Checksums-Sha256:
    848316908f87dc5d286cf381d4bee523c495327cab033b9aa59b154a1d37d2c6 2772 runc_1.1.12+ds1-1.dsc
    ab7ab8842157c9607f450cf1f2cc7dc2a61cc134766c27111d0e113bdd41d6a8 528632 runc_1.1.12+ds1.orig.tar.xz
    367dfbddbc0b6bb3b06ef60dd21d6a006b1b7fdedab882bd861e14889516b419 14768 runc_1.1.12+ds1-1.debian.tar.xz
    ab4810f32b977a6f811a24c206cef248f1e98d21561cfb5e5eb012570a37b4d8 8215 runc_1.1.12+ds1-1_amd64.buildinfo
    Files:
    d2ecde618e10f3096c71dff70088339e 2772 admin optional runc_1.1.12+ds1-1.dsc
    2c788fe39dea435e8db8e5baceba60e0 528632 admin optional runc_1.1.12+ds1.orig.tar.xz
    6056fd3324edcb874b3d1b732cca1d08 14768 admin optional runc_1.1.12+ds1-1.debian.tar.xz
    b981612583fa02cb52aa8ebb427fd757 8215 admin optional runc_1.1.12+ds1-1_amd64.buildinfo

    -----BEGIN PGP SIGNATURE-----

    iQEzBAEBCgAdFiEEc793ixFTU9Vien7Zh7Iv85yjO70FAmW87XUACgkQh7Iv85yj
    O718SQf+J8O0B8ZD224eAg4Q3HpeG5hFFUaVWxRLpvBXfs5XQI1/Rl+SrnElLSRw
    inX9kZaUK/cIcs5E8gxiYl+o2Hf+qDjdTqziBt/j8HkTk7Gp4z5oFVX5I7JrnaH6
    Xw3AeQ8yzPC8d3DPR7p3VMGRJwXrxV/Ox8ZB7Vd7HGB/pC5nzGzGbMaq+LwAy/nH
    lY1GmdJkjj1cusFhgSs01hbNtZTJCVoBupBF4YdMmA6n/O6t7Rr7ZASks29u4jxo
    qd1JgFNJJciZ3SZjtY76AFwfg0sWV+OmY5oEVa7qgA1xeoIxPwWnhlYUeSueNmTJ
    Gxn9fh8uPucRpuqxg7RTfU3Ml9Pr5A==
    =mnTr
    -----END PGP SIGNATURE-----


    ----- End forwarded message -----

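The practical question for an administrator reading this thread is whether the runc package on a given host already carries the fix. The bug report above records three fixed versions (1.0.0~rc93+ds1-5+deb11u3 for bullseye-security, 1.1.5+ds1-1+deb12u1 for bookworm-security, 1.1.12+ds1-1 for unstable), and a package is fixed only if its version sorts at or above the fixed version for its own branch. The following script is an added example, not code from the bug report, the Debian Security Team or the runc project. It re-implements dpkg's version ordering (epoch, then upstream, then revision; "~" sorts before everything, letters before other characters, digit runs numerically) so the comparison runs without dpkg being installed, and it takes the fixed-version table straight from the Control lines and the accepted upload in this thread. The suite names used as table keys and the use of `dpkg-query --showformat` to read the installed version are this example's own choices.

```python
"""Check whether an installed Debian runc package carries the fix for
CVE-2024-21626, using the fixed versions recorded in Debian bug #1062532.

The comparison re-implements dpkg's version ordering so the check works
even where dpkg is not available (e.g. when auditing a copied package list).
"""
import subprocess
import sys

# Fixed versions taken from bug #1062532: the two "Control: fixed" lines for
# the stable security updates and the unstable upload that closed the bug.
# The suite names are this example's own keys, not part of the bug report.
FIXED_VERSIONS = {
    "bullseye": "1.0.0~rc93+ds1-5+deb11u3",
    "bookworm": "1.1.5+ds1-1+deb12u1",
    "unstable": "1.1.12+ds1-1",
}


def _order(c):
    """Character weight dpkg uses inside a non-digit segment."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream (or revision) strings as dpkg does."""
    while a or b:
        # Non-digit prefix: lexical comparison with dpkg's weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: numeric comparison, leading zeros ignored.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1       # a has more digits in this run: a is larger
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def runc_is_fixed(suite, installed_version):
    """True if installed_version is at or above the fixed version for suite."""
    return compare_versions(installed_version, FIXED_VERSIONS[suite]) >= 0


def installed_runc_version():
    """Read the installed runc version from dpkg (None if unavailable)."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "--showformat=${Version}", "runc"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Usage: check_runc.py [suite] [version]; defaults to unstable and the
    # version dpkg reports on this host.
    suite = sys.argv[1] if len(sys.argv) > 1 else "unstable"
    version = sys.argv[2] if len(sys.argv) > 2 else installed_runc_version()
    if version is None:
        sys.exit("runc is not installed (or dpkg-query is unavailable)")
    state = "fixed" if runc_is_fixed(suite, version) else "VULNERABLE"
    print(f"runc {version} on {suite}: {state} for CVE-2024-21626 "
          f"(fixed in {FIXED_VERSIONS[suite]})")
```

Note that the branch matters: 1.0.0~rc93+ds1-5+deb11u3 sorts below 1.1.5+ds1-1 (the "~" makes the rc93 upstream smaller than any 1.1.x release), yet it is a fixed version on bullseye, so comparing a bullseye package against the unstable fixed version would wrongly report it as vulnerable. Always compare against the fixed version for the suite the package actually came from.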
  • From Debian Bug Tracking System@21:1/5 to All on Fri Feb 2 21:30:01 2024
    Processing control commands:

    fixed 1062532 1.0.0~rc93+ds1-5+deb11u3
    Bug #1062532 [src:runc] runc: CVE-2024-21626
    The source 'runc' and version '1.0.0~rc93+ds1-5+deb11u3' do not appear to match any binary packages
    Marked as fixed in versions runc/1.0.0~rc93+ds1-5+deb11u3.
    fixed 1062532 1.1.5+ds1-1+deb12u1
    Bug #1062532 [src:runc] runc: CVE-2024-21626
    The source 'runc' and version '1.1.5+ds1-1+deb12u1' do not appear to match any binary packages
    Marked as fixed in versions runc/1.1.5+ds1-1+deb12u1.

    --
    1062532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062532
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
