Back to runc PTS page

Accepted runc 1.0.0~rc6+dfsg1-3+deb10u1 (source) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Mar 2023 16:47:22 +0100
Source: runc
Architecture: source
Version: 1.0.0~rc6+dfsg1-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 942026 988768
Changes:
 runc (1.0.0~rc6+dfsg1-3+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2019-16884: runc, as used in Docker and other products, allows
     AppArmor and SELinux restriction bypass because
     libcontainer/rootfs_linux.go incorrectly checks mount targets, and
     thus a malicious Docker image can mount over a /proc
     directory. (Closes: #942026)
   * CVE-2019-19921: runc has Incorrect Access Control leading to
     Escalation of Privileges, related to libcontainer/rootfs_linux.go. To
     exploit this, an attacker must be able to spawn two containers with
     custom volume-mount configurations, and be able to run custom
     images. (This vulnerability does not affect Docker due to an
     implementation detail that happens to block the attack.)
   * CVE-2021-30465: runc allows a Container Filesystem Breakout via
     Directory Traversal. To exploit the vulnerability, an attacker must be
     able to create multiple containers with a fairly specific mount
     configuration. The problem occurs via a symlink-exchange attack that
     relies on a race condition. (Closes: #988768)
   * CVE-2022-29162: `runc exec --cap` created processes with non-empty
     inheritable Linux process capabilities, creating an atypical Linux
     environment and enabling programs with inheritable file capabilities
     to elevate those capabilities to the permitted set during
     execve(2). This bug did not affect the container security sandbox as
     the inheritable set never contained more capabilities than were
     included in the container's bounding set.
   * CVE-2023-27561: CVE-2019-19921 was re-introduced by the fix for
     CVE-2021-30465.
Checksums-Sha1:
 5f51683793c04924de913216b6b6de375aec7cd3 2825 runc_1.0.0~rc6+dfsg1-3+deb10u1.dsc
 74938608cf6912bbc837a2bf0036bc5e5aa16682 23516 runc_1.0.0~rc6+dfsg1-3+deb10u1.debian.tar.xz
 993aa04099de3bbba134227e437504e16b81da21 7876 runc_1.0.0~rc6+dfsg1-3+deb10u1_source.buildinfo
Checksums-Sha256:
 ee5e3c99803c77bf323df01afb0dcc7138b1313482d97d4a12b4f2b59048867f 2825 runc_1.0.0~rc6+dfsg1-3+deb10u1.dsc
 5b77f022dc760517c1cd3f5185a7c21df7e622d67c4bd30ee3041f310cebc315 23516 runc_1.0.0~rc6+dfsg1-3+deb10u1.debian.tar.xz
 0323ef5da1b3891d3c1050de718549963e4c4d0c3e93ecf98a4f1f96625788b8 7876 runc_1.0.0~rc6+dfsg1-3+deb10u1_source.buildinfo
Files:
 48bf6d34d6bbf4f20e852d2c8a024bb0 2825 devel optional runc_1.0.0~rc6+dfsg1-3+deb10u1.dsc
 30f15ebb090d2f2f8a997f64c402e72a 23516 devel optional runc_1.0.0~rc6+dfsg1-3+deb10u1.debian.tar.xz
 012c125c0577f45ad8c6efb0383d69a4 7876 devel optional runc_1.0.0~rc6+dfsg1-3+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmQhWvIACgkQDTl9HeUl
XjA5/A/+Pp62LDS8BKNKwK78YM1qFkfbKPPpJMPZTuiSKa2T3Rb7E+6M/KvaNNz4
oveFixlBdtVhQA2Fwd+c8hmT4I1acresKVd4YOx+l1zsGF13qAnrrFWuRd2XTlm5
KSGwcbaTIEd5pjD5x5v7WMYvZaXKpHVBRW2V/RoHYJH1QwaB6DrNu1sKc1xsHc2+
xnHpAdileVeJ1QUbOPf+TgtKXeVmySGSY/1MqoW+ZazraSVa/MsI4/Dxsicw1nhj
fPBo8cpquowvU3aqA+dkd4o7cQBz5bLgb81A3xgR353f7WLqXgePVXL0UyLin2nY
IIUm8QHITS/9DHXPtJEGIMF4CjFW84P5SmDi/qjdDRi5gjdRBhOz9QWEMVWslXXo
QnS1cHOklGKAW9KaL9Tn3ljDUp7Ri1TKricl9aNlfUp70BbaAcK7fJCRp+ZQq7Nk
d+0okInNjTywM1//tM6VVBxdu6mXmNvhAKTHSU1pok4zkZdowXhSZVarmLQdnR46
vBHe91HZcKMwPL6sXLVp6Z1LfRf1Kf7Hz7C6hUp9wqPVSabmZcXX9AxFjDK3FVjc
c6+BiO5IUAm5e7AxhcmlrLxD6TsLlpI1FNWTrV+eKXWTpEvODYo8zak6HYNn5+cP
Dcq3CEXDc/MLEbTQGR95RN7/Ar1FfbOYi1LQpbIJ+k/+oA6POKk=
=AVDT
-----END PGP SIGNATURE-----