runc: CVE-2019-5736

Related Vulnerabilities: CVE-2019-5736  

Debian Bug report logs - #922050
runc: CVE-2019-5736


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 11 Feb 2019 15:18:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions runc/0.1.1+dfsg1-2, runc/1.0.0~rc6+dfsg1-1

Fixed in versions runc/1.0.0~rc6+dfsg1-2, runc/0.1.1+dfsg1-2+deb9u1

Done: Shengjing Zhu <zhsj@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#922050; Package src:runc. (Mon, 11 Feb 2019 15:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2019 15:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: runc: CVE-2019-5736
Date: Mon, 11 Feb 2019 16:15:23 +0100
Source: runc
Version: 1.0.0~rc6+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for runc.

CVE-2019-5736[0]:
runc container breakout

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5736
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
[1] https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
[2] https://www.openwall.com/lists/oss-security/2019/02/11/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#922050; Package src:runc. (Mon, 11 Feb 2019 18:51:08 GMT)


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2019 18:51:08 GMT)


Message #10 received at 922050@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: 922050@bugs.debian.org
Subject: Debdiff for CVE-2019-5736
Date: Mon, 11 Feb 2019 10:30:15 -0800
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch

Attached is a debdiff against version 1.0.0~rc6+dfsg1-1 in sid/buster.

I'm happy to upload this if it'd be helpful.

noah

[runc-debdiff.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Noah Meyerhans <noahm@debian.org> to 922050-submit@bugs.debian.org. (Mon, 11 Feb 2019 18:51:08 GMT)


Marked as found in versions runc/0.1.1+dfsg1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2019 06:00:02 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#922050. (Tue, 12 Feb 2019 15:54:08 GMT)


Message #17 received at 922050-submitter@bugs.debian.org:

From: Shengjing Zhu <noreply@salsa.debian.org>
To: 922050-submitter@bugs.debian.org
Subject: Bug #922050 in runc marked as pending
Date: Tue, 12 Feb 2019 15:51:19 +0000
Control: tag -1 pending

Hello,

Bug #922050 in runc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/runc/commit/01aaa0581c720e56f50aba9c00328d782ea9e9ca

------------------------------------------------------------------------
Apply upstream patch addressing CVE-2019-5736 (Closes: #922050)

Thanks Noah Meyerhans!
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/922050



Added tag(s) pending. Request was from Shengjing Zhu <noreply@salsa.debian.org> to 922050-submitter@bugs.debian.org. (Tue, 12 Feb 2019 15:54:08 GMT)


Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Tue, 12 Feb 2019 16:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Feb 2019 16:09:05 GMT)


Message #24 received at 922050-close@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: 922050-close@bugs.debian.org
Subject: Bug#922050: fixed in runc 1.0.0~rc6+dfsg1-2
Date: Tue, 12 Feb 2019 16:05:27 +0000
Source: runc
Source-Version: 1.0.0~rc6+dfsg1-2

We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Feb 2019 23:45:09 +0800
Source: runc
Architecture: source
Version: 1.0.0~rc6+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 922050
Changes:
 runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium
 .
   * Team upload.
   * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050)
     Thanks Noah Meyerhans!
Checksums-Sha1:
 d12bd0a0de956ae1a7ab96c0a1ee9aafd44af09c 2460 runc_1.0.0~rc6+dfsg1-2.dsc
 b5f68ea4e338f71e7a8f0e05982ec0e3cb5944e8 10308 runc_1.0.0~rc6+dfsg1-2.debian.tar.xz
 126bfdb3620363d1c325ad2417c1a6cacd3195df 7886 runc_1.0.0~rc6+dfsg1-2_amd64.buildinfo
Checksums-Sha256:
 8607734e77432594f427e10bfcc082fd782e38d5afafab4f9d0f9f415a272082 2460 runc_1.0.0~rc6+dfsg1-2.dsc
 da194164edb66bd865f0472e9b4588c8214ef12371307c1452d0ecf3a6becb00 10308 runc_1.0.0~rc6+dfsg1-2.debian.tar.xz
 3b69ecf4a26882639f480e92286146966a27ce19e715fdfc8b5577b26bd668d2 7886 runc_1.0.0~rc6+dfsg1-2_amd64.buildinfo
Files:
 b8de374a7e03ba461239f9d0f79889a1 2460 devel optional runc_1.0.0~rc6+dfsg1-2.dsc
 839908f20673d0c7de21f6cab450a7ee 10308 devel optional runc_1.0.0~rc6+dfsg1-2.debian.tar.xz
 9db1e3091431d02e118e1c9d08ffadf3 7886 devel optional runc_1.0.0~rc6+dfsg1-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQE+BAEBCgAoFiEE85F2DZP0aJKsSKyHONAPABi+PjUFAlxi6r4KHGlAemhzai5t
ZQAKCRA40A8AGL4+NeDmB/4wziwjsq06khXWe7iItTRFfZaOXax/0IcJbzh/rUjv
KXYXsZX4ODT2n2QZYuwiIVBgpLcFWhTmlLP/rSYnP8B8OkpGXGessi2U8f948F6o
/GMmbOxJEoZ94uhFRXY3IvRxx2heOdCy4SgwcbZSY0TVO1XzXlsbnHYMrlRhqxE2
n0/H3+c4xPB5BWtSnsflPEiafoI8uIcAsIeCnz7E3Gc3VL/ItXtJttvQlLigYVkF
rDCIG4DpGbmwTaJk2IW2HBYCsxQZVs6cyTNCd66ZT5kqmqvxL7Dv3rxrD46uW0G8
GC56pJrfqmFBI3tN+lfkKy+147P2QbSyoX/P2lc6lVYy
=xKjg
-----END PGP SIGNATURE-----




Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Mon, 15 Apr 2019 08:03:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 15 Apr 2019 08:03:05 GMT)


Message #29 received at 922050-close@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: 922050-close@bugs.debian.org
Subject: Bug#922050: fixed in runc 0.1.1+dfsg1-2+deb9u1
Date: Mon, 15 Apr 2019 07:59:11 +0000
Source: runc
Source-Version: 0.1.1+dfsg1-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Mar 2019 00:50:07 +0800
Source: runc
Binary: runc golang-github-opencontainers-runc-dev
Architecture: source
Version: 0.1.1+dfsg1-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Description:
 golang-github-opencontainers-runc-dev - Open Container Project - development files
 runc       - Open Container Project - runtime
Closes: 922050
Changes:
 runc (0.1.1+dfsg1-2+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Add patch to address CVE-2019-5736 (Closes: #922050)
Checksums-Sha1:
 111197aadeec1841611882ce2534b698d1e8886a 2276 runc_0.1.1+dfsg1-2+deb9u1.dsc
 3d83d5e1531af9a1e6b80efa214b9f59059a21c0 11380 runc_0.1.1+dfsg1-2+deb9u1.debian.tar.xz
 bcab03775a5aeed93a101f767f80024d7ed19dfc 8274 runc_0.1.1+dfsg1-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
 408033402b78140618842f52bb921228946823bfa9a17daf63908ea44a77bc33 2276 runc_0.1.1+dfsg1-2+deb9u1.dsc
 07d7e810466b25196a3a0c1bf4d4c7661dc95eb225d251646873440dc70118fe 11380 runc_0.1.1+dfsg1-2+deb9u1.debian.tar.xz
 0bb0ca1944b887d37c21b1f8852564ca211510f56635f867e19afe72031cb6a1 8274 runc_0.1.1+dfsg1-2+deb9u1_amd64.buildinfo
Files:
 51c59877e0a45a9e1e9a74e7eb50f2a3 2276 devel extra runc_0.1.1+dfsg1-2+deb9u1.dsc
 39085bd827deb73cc1f3fef6ded47e65 11380 devel extra runc_0.1.1+dfsg1-2+deb9u1.debian.tar.xz
 00a8a765a6122edffdb953a50a98934b 8274 devel extra runc_0.1.1+dfsg1-2+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFEBAEBCgAuFiEE85F2DZP0aJKsSKyHONAPABi+PjUFAlyy84YQHHpoc2pAZGVi
aWFuLm9yZwAKCRA40A8AGL4+NQX5B/0btthlL6Ba+uKq+2HG4l/55R1AEaekrl8T
1bAd8eu3hzu3hE5KV+2I7O1krUwVlR5BOt1rDgn3m7F5yEZHKyuYF9JWbKrYS1PK
BcHUgcSEF5kh9jUtW0RY5XN1ipENgrcA6AmiiFRn9w66WQdPyyAERVqOKgcJnHq1
YMFCWx/myTmLtyYv+kHa+YBO0OFk+7zs7UbsaNyji09rj/ioQOmAm7HlDsg5pc8P
cSF5Avab4VmVHQqRAtw5gB5zvhG7XzTJJ4L1lhAvMgZSHV/q8oUcQIZ2L/FqJqti
S1+seF0pg4M9FNB0/xwzKKBHOaeaC5T1NcsBrg5xrdCuqjdMTozT
=QX4f
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 May 2019 07:27:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:29:07 2019; Machine Name: buxtehude
