| Summary: | opencontainers-runc new security issues fixed upstream (rhbz#1663068, CVE-2019-5736) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | bruno, davidwhodgins, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | opencontainers-runc-1.0.0-0.rc6.1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 24289 | ||
Description

David Walser 2019-01-28 02:05:19 CET

David Walser 2019-01-28 02:05:33 CET

CC: (none) => bruno

David Walser 2019-02-01 22:17:07 CET

Blocks: (none) => 24289

Pull request patch added in opencontainers-runc-1.0.0-0.rc6.2.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)

Fix applied on mga6 and update pushed in updates_testing.

Status: NEW => ASSIGNED

Advisory:
========================

Updated opencontainers-runc package fixes security vulnerability:

Not using pivot_root(2) leaves the host /proc around in the mount namespace so that it is possible to mount another /proc without any other submount, even if /proc in the container is not fully visible. This flaw allows an attacker to read and modify some parts of the Linux kernel memory (rhbz#1663068).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMFQ54VEZPJT4H2C2TBILCPDX2VMAIZ2/
========================

Updated packages in core/updates_testing:
========================

opencontainers-runc-1.0.0rc5-3.1.mga6

from opencontainers-runc-1.0.0rc5-3.1.mga6.src.rpm

Had a quick look at this and read a little about OCI and EBNF and other things, and came to the conclusion that the subject is too advanced for a QA tester with no background in container philosophy. From what I can gather, the runc command, among other things, can create a container from a "bundle", which is some kind of collection of files on disk bound together by a configuration file which follows OCI specifications. This would include docker containers, particularly as runC was a gift from the Docker project. pivot-root is a parameter which jails the running container process within its rootfs. As I have no idea how to test it, we shall have to be satisfied with a clean update.

Yes, that went OK.

$ runc help
gives usage, basic commands and cli options.

$ runc help <command>
provides information on individual commands.

$ runc --version
runc version 1.0.0-rc5
spec: 1.0.0

Whiteboard: (none) => MGA6-64-OK

Upstream has issued an advisory today (February 11):
https://www.openwall.com/lists/oss-security/2019/02/11/2

Advisory:
========================

Updated opencontainers-runc package fixes security vulnerabilities:

Not using pivot_root(2) leaves the host /proc around in the mount namespace so that it is possible to mount another /proc without any other submount, even if /proc in the container is not fully visible. This flaw allows an attacker to read and modify some parts of the Linux kernel memory (rhbz#1663068).

runc through 1.0-rc6 allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: a new container with an attacker-controlled image, or an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe (CVE-2019-5736).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMFQ54VEZPJT4H2C2TBILCPDX2VMAIZ2/
https://www.openwall.com/lists/oss-security/2019/02/11/2
========================

Updated packages in core/updates_testing:
========================

opencontainers-runc-1.0.0rc5-3.1.mga6

from opencontainers-runc-1.0.0rc5-3.1.mga6.src.rpm

Summary: opencontainers-runc new security issue fixed upstream => opencontainers-runc new security issues fixed upstream (rhbz#1663068, CVE-2019-5736)

Due to the extreme criticality of this security bug, validating based on the update installing cleanly.

Specifying the srpm opencontainers-runc-1.0.0rc5-3.2.mga6, not rc5-3.1, in the advisory for svn.

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0068.html

Status: ASSIGNED => RESOLVED