runc: CVE-2019-16884

Debian Bug report logs - #942026

Reported by: Shengjing Zhu <zhsj@debian.org>

Date: Wed, 9 Oct 2019 08:45:02 UTC

Severity: grave

Tags: security, upstream

Fixed in version runc/1.0.0~rc9+dfsg1-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://github.com/opencontainers/runc/issues/2128


Report forwarded to debian-bugs-dist@lists.debian.org, zhsj@debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#942026; Package runc. (Wed, 09 Oct 2019 08:45:04 GMT)


Acknowledgement sent to Shengjing Zhu <zhsj@debian.org>:
New Bug report received and forwarded. Copy sent to zhsj@debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Wed, 09 Oct 2019 08:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: runc: CVE-2019-16884
Date: Wed, 09 Oct 2019 16:41:50 +0800

Package: runc
Severity: grave
Tags: security upstream
Justification: user security hole
Control: affects -1 docker.io
Control: clone -1 -2
Control: retitle -2 golang-github-opencontainers-selinux-dev: CVE-2019-16884

https://github.com/opencontainers/runc/issues/2128
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other
products, allows AppArmor restriction bypass because
libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus
a malicious Docker image can mount over a /proc directory.

This looks like it should be fixed by the following commits:

https://github.com/opencontainers/runc/commit/d463f6485b809b5ea738f84e05ff5b456058a184
https://github.com/opencontainers/runc/commit/331692baa7afdf6c186f8667cb0e6362ea0802b3

https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da

So we need to first fix golang-github-opencontainers-selinux-dev, then
runc. Finally, rebuild all reverse build-depends (mostly docker.io).

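The report above describes the defect as runc "incorrectly checks mount targets", so that a container image can mount over a /proc directory and thereby escape the AppArmor confinement that relies on a genuine procfs there. As an added illustration, not runc's own code and not the content of the linked fix commits, the Go program below shows the shape of the check a runtime (or a pre-flight policy tool run over a container's OCI config) can apply to mount entries: a mount on /proc itself must be of type proc, and mounts strictly under /proc are accepted only if their destination falls under a small allow-list. The allow-list, the Mount struct and the function names are assumptions made for this example; destinations are cleaned before comparison so that variants such as "/proc/../proc" or "proc//sys" are judged by the path they actually resolve to rather than by a naive prefix test.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mount carries the fields of an OCI runtime-spec mount entry that this
// check looks at (an assumption for this example, not runc's type).
type Mount struct {
	Destination string
	Type        string
	Source      string
}

// procSubpathsAllowed lists /proc subpaths that a container config may mount
// over. The list is an assumption chosen for illustration, not runc's list.
var procSubpathsAllowed = []string{
	"/proc/sys",
	"/proc/sysrq-trigger",
	"/proc/irq",
	"/proc/bus",
}

// CheckMounts returns one finding per mount whose cleaned destination lands
// on or under /proc in a way the policy does not allow:
//   - a mount exactly on /proc must be of type "proc";
//   - a mount strictly under /proc must be on (or inside) an allow-listed path.
// The destination is cleaned first so that "/proc/../proc" and "/proc//sys"
// are evaluated as "/proc" and "/proc/sys" respectively.
func CheckMounts(mounts []Mount) []string {
	var findings []string
	for _, m := range mounts {
		dest := filepath.Clean("/" + m.Destination)
		switch {
		case dest == "/proc":
			if m.Type != "proc" {
				findings = append(findings,
					fmt.Sprintf("%s: /proc must be a procfs mount, got type %q", m.Destination, m.Type))
			}
		case strings.HasPrefix(dest, "/proc/"):
			if !allowedProcSubpath(dest) {
				findings = append(findings,
					fmt.Sprintf("%s: mount under /proc is not in the allow-list", m.Destination))
			}
		}
	}
	return findings
}

// allowedProcSubpath reports whether dest equals an allow-listed /proc
// subpath or lies inside one.
func allowedProcSubpath(dest string) bool {
	for _, p := range procSubpathsAllowed {
		if dest == p || strings.HasPrefix(dest, p+"/") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample config: the first two entries are benign, the last
	// two are the kind of entry this check is meant to reject.
	mounts := []Mount{
		{Destination: "/proc", Type: "proc", Source: "proc"},
		{Destination: "/proc/sys/kernel", Type: "bind", Source: "/some/host/dir"},
		{Destination: "/proc/self", Type: "bind", Source: "/some/host/dir"},
		{Destination: "/proc/../proc", Type: "tmpfs", Source: "tmpfs"},
	}
	for _, f := range CheckMounts(mounts) {
		fmt.Println("reject:", f)
	}
}
```

Run with `go run` on the file; the two benign entries produce no output and the two others are printed as rejections. The point of cleaning the path before the comparison is that a mount-target check which looks only at the literal destination string can be talked into accepting a path that resolves somewhere else, which is the class of mistake the report attributes to libcontainer/rootfs_linux.go.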


Added indication that 942026 affects docker.io. Request was from Shengjing Zhu <zhsj@debian.org> to submit@bugs.debian.org. (Wed, 09 Oct 2019 08:45:04 GMT)


Bug 942026 cloned as bug 942027. Request was from Shengjing Zhu <zhsj@debian.org> to submit@bugs.debian.org. (Wed, 09 Oct 2019 08:45:05 GMT)


Set Bug forwarded-to-address to 'https://github.com/opencontainers/runc/issues/2128'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Oct 2019 18:57:03 GMT)


Marked as fixed in versions runc/1.0.0~rc9+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Oct 2019 04:30:04 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Oct 2019 04:30:04 GMT)


Notification sent to Shengjing Zhu <zhsj@debian.org>:
Bug acknowledged by developer. (Thu, 10 Oct 2019 04:30:06 GMT)


Message sent on to Shengjing Zhu <zhsj@debian.org>:
Bug#942026. (Thu, 10 Oct 2019 04:30:12 GMT)


Message #20 received at 942026-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 942026-submitter@bugs.debian.org
Subject: closing 942026
Date: Thu, 10 Oct 2019 06:26:11 +0200

close 942026 1.0.0~rc9+dfsg1-1
thanks

Closing manually, as the new version uploaded to unstable did not contain the bug
closer.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Oct 10 16:47:12 2019; Machine Name: beach
