| Summary: | opencontainers-runc new security issue CVE-2019-19921 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | bruno, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | opencontainers-runc-1.0.0-0.rc9.3.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser 2020-02-07 21:39:24 CET

David Walser 2020-02-07 21:39:36 CET

Whiteboard: (none) => MGA7TOO

openSUSE has issued an advisory for this on February 14:
https://lists.opensuse.org/opensuse-updates/2020-02/msg00066.html

Fedora has issued an advisory for this on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NWDTSREUDLT3UFYS5SBIVQBS4YRA35A/
David Walser 2020-02-21 17:51:45 CET

Status comment: (none) => Fixed upstream in 1.0.0-rc10

1.0.0-rc10 pushed to cauldron.

Status: NEW => ASSIGNED

1.0.0-rc10 pushed to 7 core/updates_testing

Assignee: bruno => qa-bugs
Bruno Cornec 2020-02-23 02:14:56 CET

Version: Cauldron => 7

Advisory:
========================

Updated opencontainers-runc package fixes security vulnerability:

An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume (CVE-2019-19921).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NWDTSREUDLT3UFYS5SBIVQBS4YRA35A/
========================

Updated packages in core/updates_testing:
========================

opencontainers-runc-1.0.0-0.rc10.3.1.mga7

from opencontainers-runc-1.0.0-0.rc10.3.1.mga7.src.rpm

Severity: normal => major

mga7, x86_64

Updated the package.

https://blog.alexellis.io/runc-in-30-seconds/

Followed the recipe there and ended up with a directory structure like this:

```
.
├── config.json
├── #report#
├── rootfs
│   ├── bin
│   │   ├── ash -> /bin/busybox
│   │   ├── base64 -> /bin/busybox
│   │   ├── bbconfig -> /bin/busybox
│   │   ├── busybox
[...]
│   │   ├── watch -> /bin/busybox
│   │   └── zcat -> /bin/busybox
│   ├── dev
│   │   ├── console
│   │   ├── pts
│   │   └── shm
[...]
│   ├── usr
│   │   ├── bin
│   │   │   ├── [ -> /bin/busybox
│   │   │   ├── [[ -> /bin/busybox
│   │   │   ├── awk -> /bin/busybox
[...]
│   ├── spool
│   │   └── cron
│   │       └── crontabs -> /etc/crontabs
│   └── tmp
├── rootfs.tar
└── tree.txt

502 directories, 1986 files
```

After the `$ runc spec` which creates the JSON file, used runc to start a replica of the docker container. Upstream says to invent a name for the container, but:

```
$ sudo runc start node4a_repl
ERRO[0000] container "node4a_repl" does not exist
container "node4a_repl" does not exist.
```

Whatever the name the result is the same.

```
$ docker ps -a
CONTAINER ID   IMAGE                 COMMAND   CREATED          STATUS                      PORTS   NAMES
91e91c49c0e3   mhart/alpine-node:4   "node"    18 seconds ago   Exited (0) 17 seconds ago           bewildered
```

The recipe:

```
$ docker export bewildered > rootfs.tar
$ tar -xf rootfs.tar -C rootfs/
$ ls rootfs
bin/  etc/   lib/      media/  proc/  run/   srv/  tmp/  var/
dev/  home/  linuxrc@  mnt/    root/  sbin/  sys/  usr/
$ runc spec
$ ls
config.json  '#report#'  report  rootfs/  rootfs.tar  tree.txt
$ sudo runc start Rumpelstiltskin
ERRO[0000] container "Rumpelstiltskin" does not exist
container "Rumpelstiltskin" does not exist
$ docker ps -a
91e91c49c0e3   mhart/alpine-node:4   "node"   10 minutes ago   Exited (0) 10 minutes ago   bewildered
```

Cannot figure this out.

CC: (none) => tarazed25

I think a normal docker test will suffice.

OK, thanks David. Part of the recipe involves generating a docker container, which seemed to work. However I shall run through the docker newbie tests.

Continuing from comment 6:

```
$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

$ docker run -it fedora bash
[root@8999f139f043 /]# exit
$ docker ps -a
8999f139f043   fedora   "bash"   7 minutes ago   Exited (0) 58 seconds ago   sad_shockley
$ docker inspect sad_shockley | grep Created
        "Created": "2020-02-25T09:48:26.832811714Z",
$ docker run -it fedora bash
[root@c9b81c581eda /]# dnf install celestia
[...]
Complete!
[root@c9b81c581eda /]# ll /bin/celestia
-rwxr-xr-x 1 root root 2873744 Aug 23  2019 /bin/celestia
[root@c9b81c581eda /]# rpm -qa | grep celestia
celestia-1.6.1-32.fc31.x86_64
[root@c9b81c581eda /]# exit
exit
$ docker pull fedora:latest
latest: Pulling from library/fedora
5c1b9e8d7bf7: Pull complete
Digest: sha256:c97879f8bebe49744307ea5c77ffc76c7cc97f3ddec72fb9a394bd4e4519b388
Status: Downloaded newer image for fedora:latest
lcl@difda:runc $ docker run -ti fedora:latest /bin/bash
[root@92abb944f8e9 /]# ls
bin   dev  home  lib64       media  opt   root  sbin  sys  usr
boot  etc  lib   lost+found  mnt    proc  run   srv   tmp  var
```

Ran `docker rm <nameofcontainer>` several times to get rid of the backlog, leaving two containers. Used `docker images` to list local images and removed a few with `docker rmi <image-id>`.

Taking David at his word and passing this for 64 bits.
Len Lawrence 2020-02-25 12:04:17 CET

Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2020-02-26 10:52:29 CET

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0103.html

Status: ASSIGNED => RESOLVED
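The advisory above describes a symlink planted in an image's rootfs that points at a directory on a shared volume, so that a mount path resolved on the host lands outside the container. As an added example (not code from runc or from the Mageia package), the Python below shows the defensive path resolution a container runtime needs for this class of bug: a rootfs-relative "secure join" beside the naive host-side resolution, run on a constructed sample rootfs; `secure_join`, `naive_join`, `escapes_rootfs` and `build_demo_rootfs` are names of this example only.

```python
import os
import tempfile
MAX_SYMLINKS = 40  # bound the walk so a planted symlink loop cannot hang the check

def secure_join(rootfs, unsafe_path):
    """Resolve unsafe_path as if rootfs were '/', one component at a time.
    Absolute symlink targets restart at rootfs (never the host's /) and '..'
    cannot climb above rootfs. Illustrative, not runc's own implementation."""
    rootfs = os.path.abspath(rootfs)
    pending = [c for c in unsafe_path.split("/") if c]
    resolved, hops = "", 0  # resolved is relative to rootfs, e.g. "host/volume"
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            resolved = os.path.dirname(resolved)  # dirname("") == "", so no escape
            continue
        candidate = os.path.join(resolved, comp)
        if os.path.islink(os.path.join(rootfs, candidate)):
            hops += 1
            if hops > MAX_SYMLINKS:
                raise OSError("too many levels of symbolic links under rootfs")
            target = os.readlink(os.path.join(rootfs, candidate))
            if target.startswith("/"):
                resolved = ""  # absolute link: re-root at rootfs, not the host
            pending = [c for c in target.split("/") if c] + pending  # relative: stays in link's dir
            continue
        resolved = candidate
    return os.path.normpath(os.path.join(rootfs, resolved))

def naive_join(rootfs, unsafe_path):
    """What a runtime must not do: let the host kernel follow the image's link."""
    return os.path.realpath(os.path.join(rootfs, unsafe_path.lstrip("/")))

def escapes_rootfs(rootfs, host_path):
    """True when host_path lies outside rootfs, i.e. a mount there must be refused."""
    rootfs = os.path.abspath(rootfs)
    return os.path.commonpath([rootfs, os.path.abspath(host_path)]) != rootfs

def build_demo_rootfs():
    """Constructed sample: /mnt/data is an image-supplied symlink to an absolute
    host path (the advisory's pattern); /loop is a self-referencing link."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="rootfs-"))
    os.makedirs(os.path.join(root, "mnt"))
    os.symlink("/host/volume", os.path.join(root, "mnt", "data"))
    os.symlink("loop", os.path.join(root, "loop"))
    return root
```

Because CVE-2019-19921 is a race, a lexical check like this is necessary but not sufficient on its own: the link can be swapped between the check and the mount, so a runtime must hold the resolved directory open and operate on that descriptor (on Linux 5.6 and later, openat2 with RESOLVE_IN_ROOT does this resolution in the kernel).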