Your message dated Fri, 2 Feb 2024 21:18:48 +0100
with message-id <zb1okkqtbqfkx...@eldamar.lan>
and subject line Accepted runc 1.1.12+ds1-1 (source) into unstable
has caused the Debian Bug report #1062532,
regarding runc: CVE-2024-21626
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1062532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: runc
Version: 1.1.10+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for runc.

CVE-2024-21626[0]:
| runc is a CLI tool for spawning and running containers on Linux
| according to the OCI specification. In runc 1.1.11 and earlier, due
| to an internal file descriptor leak, an attacker could cause a
| newly-spawned container process (from runc exec) to have a working
| directory in the host filesystem namespace, allowing for a container
| escape by giving access to the host filesystem ("attack 2"). The
| same attack could be used by a malicious image to allow a container
| process to gain access to the host filesystem through runc run
| ("attack 1"). Variants of attacks 1 and 2 could also be used to
| overwrite semi-arbitrary host binaries, allowing for complete
| container escapes ("attack 3a" and "attack 3b"). runc 1.1.12
| includes patches for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21626
    https://www.cve.org/CVERecord?id=CVE-2024-21626
[1] https://www.openwall.com/lists/oss-security/2024/01/31/6
[2] https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
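The check below is an added example in Python (not runc's code and not part of the bug report above). Following the CVE text, which attributes the escape to an internally leaked file descriptor that lands a container process with a working directory in the host filesystem namespace, it snapshots a process's fd table from /proc and flags directory descriptors the process cannot reach by path from its own root, and it reports whether getcwd() still succeeds, since glibc's getcwd returns ENOENT when the working directory lies outside the process's root. It is a heuristic inferred from the advisory wording, not a reproduction of the attack, and it also fires on a deliberately unlinked working directory; the FdEntry record, the helper names and the sample entries in the test are assumptions of this example.

```python
"""Look, from inside a container, for the precondition CVE-2024-21626 describes:
a process holding a directory file descriptor (or a working directory) that is
not reachable through its own root. Added example, not runc/Debian code."""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Key = Tuple[int, int, int]  # (st_dev, st_ino, st_mode); an assumption of this example


@dataclass(frozen=True)
class FdEntry:
    fd: int
    target: str              # readlink("/proc/self/fd/N"), e.g. "/sys/fs/cgroup" or "pipe:[123]"
    fd_key: Optional[Key]    # from fstat(fd)
    path_key: Optional[Key]  # from stat(target) in our namespace; None if the path is absent


def is_unreachable_dir(e: FdEntry) -> bool:
    """True if fd is a directory handle our mount namespace cannot reach by path."""
    if e.fd_key is None or not stat.S_ISDIR(e.fd_key[2]):
        return False         # pipes, sockets, regular files: not the CVE pattern
    if not e.target.startswith("/"):
        return True          # a directory fd with an anonymous-inode style name is abnormal
    if e.target.endswith(" (deleted)"):
        return False         # unlinked directory, reported explicitly by the kernel; out of scope
    if e.path_key is None:
        return True          # path does not exist from our root: fd came from elsewhere
    return e.fd_key[:2] != e.path_key[:2]  # same name, different (dev, ino): a different tree


def suspicious_fds(entries: Iterable[FdEntry]) -> List[int]:
    """Inherited descriptors above stdio that point at directories we cannot name."""
    return sorted(e.fd for e in entries if e.fd > 2 and is_unreachable_dir(e))


def _key(st: os.stat_result) -> Key:
    return (st.st_dev, st.st_ino, st.st_mode)


def collect_fd_table() -> List[FdEntry]:
    """Snapshot this process's fd table from /proc (Linux only)."""
    entries = []
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        try:
            target = os.readlink(f"/proc/self/fd/{fd}")
            fd_key = _key(os.fstat(fd))
        except OSError:
            continue         # the listdir's own fd is already closed by now
        try:
            path_key = _key(os.stat(target)) if target.startswith("/") else None
        except OSError:
            path_key = None
        entries.append(FdEntry(fd, target, fd_key, path_key))
    return entries


def cwd_reachable() -> bool:
    """glibc's getcwd fails with ENOENT when the cwd is not under the process root
    (it also fails for an unlinked cwd, so treat a False as a lead, not a verdict)."""
    try:
        os.getcwd()
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    bad = suspicious_fds(collect_fd_table())
    print("cwd reachable from /:", cwd_reachable())
    print("directory fds not reachable by path:", bad or "none")
```

Run it as the first process of a container (or from an `exec` into one) to get a baseline; a fresh container process should report no such descriptors and a reachable cwd.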
--- Begin Message ---
Source: runc
Source-Version: 1.1.12+ds1-1
Control: fixed 1062532 1.0.0~rc93+ds1-5+deb11u3
Control: fixed 1062532 1.1.5+ds1-1+deb12u1

This fixes #1062532. Adding as well the fixed version for the pending
runc update via bullseye-security and bookworm-security.

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Feb 2024 21:20:26 +0800
Source: runc
Architecture: source
Version: 1.1.12+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Changes:
 runc (1.1.12+ds1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.1.12+ds1
     + CVE-2024-21626: several container breakouts due to internally leaked fds
Checksums-Sha1:
 5bef8274f96e27dcf68992efe30b8f372807e0ad 2772 runc_1.1.12+ds1-1.dsc
 937c3fe186bca9df98b96c4f1b1354a89092d66c 528632 runc_1.1.12+ds1.orig.tar.xz
 6520a024c7ba75259db6a396e7bd95c245281cdb 14768 runc_1.1.12+ds1-1.debian.tar.xz
 adc4f0be51d402e882acc7bfcab17b2404c26a39 8215 runc_1.1.12+ds1-1_amd64.buildinfo
Checksums-Sha256:
 848316908f87dc5d286cf381d4bee523c495327cab033b9aa59b154a1d37d2c6 2772 runc_1.1.12+ds1-1.dsc
 ab7ab8842157c9607f450cf1f2cc7dc2a61cc134766c27111d0e113bdd41d6a8 528632 runc_1.1.12+ds1.orig.tar.xz
 367dfbddbc0b6bb3b06ef60dd21d6a006b1b7fdedab882bd861e14889516b419 14768 runc_1.1.12+ds1-1.debian.tar.xz
 ab4810f32b977a6f811a24c206cef248f1e98d21561cfb5e5eb012570a37b4d8 8215 runc_1.1.12+ds1-1_amd64.buildinfo
Files:
 d2ecde618e10f3096c71dff70088339e 2772 admin optional runc_1.1.12+ds1-1.dsc
 2c788fe39dea435e8db8e5baceba60e0 528632 admin optional runc_1.1.12+ds1.orig.tar.xz
 6056fd3324edcb874b3d1b732cca1d08 14768 admin optional runc_1.1.12+ds1-1.debian.tar.xz
 b981612583fa02cb52aa8ebb427fd757 8215 admin optional runc_1.1.12+ds1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEc793ixFTU9Vien7Zh7Iv85yjO70FAmW87XUACgkQh7Iv85yj
O718SQf+J8O0B8ZD224eAg4Q3HpeG5hFFUaVWxRLpvBXfs5XQI1/Rl+SrnElLSRw
inX9kZaUK/cIcs5E8gxiYl+o2Hf+qDjdTqziBt/j8HkTk7Gp4z5oFVX5I7JrnaH6
Xw3AeQ8yzPC8d3DPR7p3VMGRJwXrxV/Ox8ZB7Vd7HGB/pC5nzGzGbMaq+LwAy/nH
lY1GmdJkjj1cusFhgSs01hbNtZTJCVoBupBF4YdMmA6n/O6t7Rr7ZASks29u4jxo
qd1JgFNJJciZ3SZjtY76AFwfg0sWV+OmY5oEVa7qgA1xeoIxPwWnhlYUeSueNmTJ
Gxn9fh8uPucRpuqxg7RTfU3Ml9Pr5A==
=mnTr
-----END PGP SIGNATURE-----


----- End forwarded message -----

--- End Message ---
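The close message above names three fixed versions, one per suite, and the stable ones are backports that keep the old upstream version number, so a host on bookworm with 1.1.5+ds1-1+deb12u1 is fixed even though "1.1.5" is below the upstream 1.1.12 that shipped the patch. The script below is an added example in Python, not dpkg's or Debian's code: it reimplements dpkg's version ordering (epoch, upstream, revision; '~' sorts before everything including end of string) so an inventory of package versions can be checked on a machine without dpkg, and it compares each version against its own suite's fixed version from this thread. On a Debian host, `dpkg --compare-versions INSTALLED ge FIXED` is the authoritative check; the FIXED_RUNC table is taken from the messages above, and the function names are assumptions of this example.

```python
"""Decide whether an installed runc package already carries the CVE-2024-21626 fix,
using the per-suite fixed versions from Debian bug #1062532. Added example; the
comparison mirrors dpkg's algorithm but is not dpkg's code."""
import subprocess
import sys
from typing import Optional, Tuple

# Fixed versions as stated in the close message of #1062532, keyed by suite.
FIXED_RUNC = {
    "bullseye": "1.0.0~rc93+ds1-5+deb11u3",
    "bookworm": "1.1.5+ds1-1+deb12u1",
    "unstable": "1.1.12+ds1-1",
}


def _order(c: str) -> int:
    """dpkg's weight for characters in the non-digit runs of a version string."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string (weight 0)
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # '+', '.', '-' and friends sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare weights; a string that has ended weighs 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, longer run wins, else first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str) -> Tuple[int, str, str]:
    """'epoch:upstream-revision' -> (epoch, upstream, revision); the last '-' splits."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0 if a sorts before b, 0 if equal, >0 if after, in dpkg ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def runc_is_fixed(installed: str, suite: str) -> bool:
    """Compare against the suite's own fixed version, never against upstream 1.1.12:
    the bullseye/bookworm fixes keep their old upstream number."""
    return compare_versions(installed, FIXED_RUNC[suite]) >= 0


def installed_runc_version() -> Optional[str]:
    """Ask dpkg-query on a Debian host; None if runc is absent or dpkg-query is missing."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "runc"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "unstable"  # e.g. bookworm
    v = installed_runc_version()
    if v is None:
        print("runc not installed (or dpkg-query unavailable)")
    else:
        state = "fixed" if runc_is_fixed(v, suite) else "vulnerable"
        print(f"runc {v} vs {suite} fix {FIXED_RUNC[suite]}: {state}")
```

Pass the suite name the host tracks (`python3 check_runc.py bookworm`); a version from one suite checked against another suite's entry gives a meaningless answer, which is the mistake the per-suite table is there to prevent.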
