Re: CVE-2019-5736: runc container breakout exploit code

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2019-5736: runc container breakout exploit code

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Aleksa Sarai &lt;cyphar () cyphar com&gt;

Date: Wed, 13 Feb 2019 20:56:48 +1100

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 2019-02-13, EJ Campbell &lt;ejc3 () verizonmedia com&gt; wrote:
While fixing docker / runc is clearly the right fix, would using chattr -i
on runc be a quick mitigation for the issue? I believe that will prevent
the file from being overwritten by the exploit and Etienne Stalmans
verified that it helped:
 https://twitter.com/_staaldraad/status/1095354945073754112

The privileged user in the container could just un-set the immutable
bit using "/proc/self/fd/..." and then open it for writing. A read-only
filesystem would work much better.

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
&lt;https://www.cyphar.com/&gt;
Attachment:
signature.asc
Description: 

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2019-5736: runc container breakout exploit code Aleksa Sarai (Feb 13)

Re: CVE-2019-5736: runc container breakout exploit code EJ Campbell (Feb 13)

Re: CVE-2019-5736: runc container breakout exploit code Aleksa Sarai (Feb 13)

Re: CVE-2019-5736: runc container breakout exploit code Aleksa Sarai (Feb 13)
Re: CVE-2019-5736: runc container breakout exploit code EJ Campbell (Feb 13)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->